I am trying to understand the exact syntax for XPath filters in OSSEC.

All the OSSEC documentation says on the subject is the following,

<localfile>
  <location>System</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID=7040]</query>
</localfile>

and provides a link to Microsoft's XPath documentation:

Can anyone provide detailed guidance on translating XPath filters like the 
following (and which work as intended in Event Viewer) so OSSEC interprets 
them like Event Viewer does:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[band(Keywords,9007199254740992) and (EventID=4656 or EventID=4663)]]
       and *[EventData[Data[@Name='SubjectUserSid']!='S-1-5-18']]
       and *[EventData[Data[@Name='SubjectUserSid']!='S-1-5-19']]
       and *[EventData[Data[@Name='SubjectUserSid']!='S-1-5-20']]
       and *[EventData[Data[@Name='ObjectType']!='Process']]
       and *[EventData[Data[@Name='ProcessName']!='C:\Users\Administrator\AppData\Local\Temp\procexp64.exe']]
    </Select>
    <Select Path="Security">
       *[System[EventID=4658]]
       and *[EventData[Data[@Name='SubjectUserSid']!='S-1-5-18']]
       and *[EventData[Data[@Name='SubjectUserSid']!='S-1-5-19']]
       and *[EventData[Data[@Name='SubjectUserSid']!='S-1-5-20']]
       and *[EventData[Data[@Name='ProcessName']!='C:\Users\Administrator\AppData\Local\Temp\procexp64.exe']]
    </Select>
  </Query>
</QueryList>

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[band(Keywords,13510798882111488)]]
      and *[EventData[Data[@Name='ObjectType']!='Process']]
    </Select>
    <Suppress Path="Security">
       *[System[band(Keywords,13510798882111488) and (EventID=4670)]]
    </Suppress>
    <Suppress Path="Security">
       *[System[band(Keywords,13510798882111488) and (EventID=4656)]]
       and *[EventData[Data[@Name='ProcessName']='C:\Windows\System32\lsass.exe']]
    </Suppress>
  </Query>
</QueryList>

I have far more complex filters to implement. Just need to understand the 
'how to'.
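As an added illustration (not from this thread and not OSSEC's own code), the following Python re-implements the predicates of the first `<Select>` above over a constructed Security event in the XML form Event Viewer exports, so the filter's meaning can be checked offline before it is handed to an agent. It makes explicit three things the XPath hides: `band()` is a bitwise test that standard XPath engines lack, the mask 9007199254740992 is 0x20000000000000 (the Audit Success keyword, and 13510798882111488 is Audit Success plus Audit Failure), and an XPath `!=` against a missing `Data` element is false, so events lacking that field are dropped rather than kept. The `make_event` helper and its sample values are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Windows audit keyword bits behind the band() masks in the question.
AUDIT_SUCCESS = 0x20000000000000   # decimal 9007199254740992
AUDIT_FAILURE = 0x10000000000000   # decimal 4503599627370496
# 13510798882111488 == AUDIT_SUCCESS | AUDIT_FAILURE

SERVICE_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")
EXCLUDED_PROCESS = r"C:\Users\Administrator\AppData\Local\Temp\procexp64.exe"


def make_event(event_id, keywords, **data):
    """Constructed minimal Security event in Event Viewer's XML layout
    (real events carry many more System fields)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Keywords>{keywords}</Keywords></System>'
            f'<EventData>{fields}</EventData></Event>')


def band(keywords_text, mask):
    """Windows XPath band(): true when any bit of mask is set in Keywords."""
    return int(keywords_text, 16) & mask != 0


def data_not_equal(data, name, value):
    """XPath Data[@Name=name]!=value: false when the field is absent,
    because a comparison against an empty node-set never holds."""
    return name in data and data[name] != value


def matches_first_select(event_xml):
    """Evaluate the first <Select> of the question against one event."""
    root = ET.fromstring(event_xml)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    keywords = system.find("e:Keywords", NS).text
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return (band(keywords, AUDIT_SUCCESS)
            and event_id in (4656, 4663)
            and all(data_not_equal(data, "SubjectUserSid", s) for s in SERVICE_SIDS)
            and data_not_equal(data, "ObjectType", "Process")
            and data_not_equal(data, "ProcessName", EXCLUDED_PROCESS))
```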
