
List:       ossec-list
Subject:    [ossec-list] custom windows decoders and redefinition
From:       Brian Kellogg <theflakes () gmail ! com>
Date:       2014-08-28 14:59:02
Message-ID: daa948d6-9c24-4eac-b4d3-cdc3b446b3c3 () googlegroups ! com

I have the below in my "./etc/local_decoder.xml" file in an attempt to
create custom decoders for specific Windows events such as RDP logons.  The
log sample isn't being decoded by the "windows_rdp" decoder and I'm not
sure why.  I have tried dozens of variations on the below with no success,
including much simpler regex matches.  Not sure what I'm missing and I'm
guessing it's something simple I'm just missing.  If I remove the
"windows_rdp" decoder things go back to normal in decoding Windows logs.
With the decoder in place, rule 18100 is what gets applied with the
description of "Group of windows rules." and not my rule 100010.  This
is on OSSEC 2.8.

*Decoders in ./etc/local_decoder.xml:*
<decoder name="windows">
  <type>windows</type>
  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
</decoder>

<decoder name="windows_rdp">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_parent">4624</regex>
</decoder>

<decoder name="windows_default">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

*Rule in ./rules/local_rules.xml:*
<group name="windows,">
        <rule id="100010" level="12">
                <decoded_as>windows_rdp</decoded_as>
                <group>rdp</group>
                <description>RDP Windows Logon</description>
        </rule>
</group>

*Below is a log sample:*
2014 Aug 28 09:54:56 WinEvtLog: Security: AUDIT_SUCCESS(4624): 
Microsoft-Windows-Security-Auditing: tsmith: NADRC: server55.na.d-rco.com: 
An account was successfully logged on. Subject:  Security ID:  S-1-5-18 
 Account Name:  server55$  Account Domain:  CONTOSO  Logon ID:  0x3e7 
 Logon Type:   10  New Logon:  Security ID: 
 S-1-5-21-1434109735-357464061-2299825339-86050  Account Name:  tsmith 
 Account Domain:  CONTOSO  Logon ID:  0x128a6efd  Logon GUID: 
 {0254B574-A9A0-7895-94B0-AD2127BDE342}  Process Information:  Process ID: 
 0x1280  Process Name:  C:\Windows\System32\winlogon.exe  Network 
Information:  Workstation Name: server55  Source Network Address: 
192.168.11.4  Source Port:  9512  Detailed Authentication Information: 
 Logon Process:  User32   Authentication Package: Negotiate  Transited 
Services: -  Package Name (NTLM only): -  Key Length:  0  This event is 
generated when a logon session is created. It is generated on the computer 
that was accessed.


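A mini-decoder run over the sample above, added here as an example and not OSSEC's own code: it reproduces the field extraction the windows_default decoder in the post is meant to perform (OSSEC's "\." any-character token and its non-backtracking "+" are approximated with Python's non-greedy ".+?", which is an assumption), then reads the Logon Type out of the 4624 body, because event ID 4624 is raised for every successful logon and only Logon Type 10 (RemoteInteractive) marks an RDP session. It does not model how OSSEC chooses between sibling child decoders, so it does not explain why windows_rdp is being skipped.

```python
import re

# Sample 4624 event from the post, with the archive's line wraps joined and the
# explanatory tail of the message dropped to keep it short.
SAMPLE = (
    "2014 Aug 28 09:54:56 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: tsmith: NADRC: server55.na.d-rco.com: "
    "An account was successfully logged on. Subject:  Security ID:  S-1-5-18  "
    "Account Name:  server55$  Account Domain:  CONTOSO  Logon ID:  0x3e7  "
    "Logon Type:   10  New Logon:  Security ID:  S-1-5-21-1434109735-357464061-2299825339-86050  "
    "Account Name:  tsmith  Account Domain:  CONTOSO  Logon ID:  0x128a6efd  "
    "Workstation Name: server55  Source Network Address: 192.168.11.4  Source Port:  9512  "
)

# Decoder pieces copied from the post, still in OSSEC's regex dialect.
PREMATCH = r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: "
DEFAULT_REGEX = [r"^\.+: (\w+)\((\d+)\): (\.+): ", r"(\.+): \.+: (\S+): "]
ORDER = ["status", "id", "extra_data", "user", "system_name"]

# Logon Type 10 (RemoteInteractive) is the value that identifies an RDP session.
RDP_LOGON_TYPES = {"10"}

def ossec_to_python(pattern):
    """Approximation (assumption): OSSEC's '\\.' is any character and its '+'
    stops at the next literal, which Python's non-greedy '.+?' reproduces here."""
    return pattern.replace(r"\.+", ".+?").replace(r"\.", ".")

def decode_windows_default(log):
    """Parent prematch first, then each child <regex> on the text after the
    previous match (offset="after_parent"), filling <order>. {} means no decode."""
    parent = re.match(PREMATCH, log)
    if not parent:
        return {}
    rest, values = log[parent.end():], []
    for pattern in DEFAULT_REGEX:
        m = re.search(ossec_to_python(pattern), rest)
        if not m:
            return {}
        values.extend(m.groups())
        rest = rest[m.end():]  # the next <regex> continues where this one stopped
    return dict(zip(ORDER, values))

def is_rdp_logon(log):
    """4624 alone is any successful logon; the Logon Type in the body decides."""
    fields = decode_windows_default(log)
    if fields.get("id") != "4624":
        return False
    m = re.search(r"Logon Type:\s+(\d+)", log)
    return bool(m) and m.group(1) in RDP_LOGON_TYPES
```

Calling decode_windows_default(SAMPLE) yields status, id, extra_data, user and system_name for the sample, and is_rdp_logon(SAMPLE) is true because the body carries Logon Type 10.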