List: ossec-list
Subject: [ossec-list] custom windows decoders and redefinition
From: Brian Kellogg <theflakes () gmail ! com>
Date: 2014-08-28 14:59:02
Message-ID: daa948d6-9c24-4eac-b4d3-cdc3b446b3c3 () googlegroups ! com
I have the below in my "./etc/local_decoder.xml" file in an attempt to
create custom decoders for specific Windows events such as RDP logons. The
log sample isn't being decoded by the "windows_rdp" decoder and I'm not
sure why. I have tried dozens of variations on the below with no success,
including much simpler regex matches. Not sure what I'm missing and I'm
guessing it's something simple I'm just missing. If I remove the
"windows_rdp" decoder things go back to normal in decoding windows logs.
With the decoder in place the rule 18100 is what gets applied with the
description of "Group of windows rules." and not my rule of 100010. This
is on OSSEC 2.8.
*Decoders in ./etc/local_decoder.xml:*

<decoder name="windows">
  <type>windows</type>
  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
</decoder>

<decoder name="windows_rdp">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_parent">4624</regex>
</decoder>

<decoder name="windows_default">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>
*Rule in ./rules/local_rules.xml:*

<group name="windows,">
  <rule id="100010" level="12">
    <decoded_as>windows_rdp</decoded_as>
    <group>rdp</group>
    <description>RDP Windows Logon</description>
  </rule>
</group>
*Below is a log sample:*
2014 Aug 28 09:54:56 WinEvtLog: Security: AUDIT_SUCCESS(4624):
Microsoft-Windows-Security-Auditing: tsmith: NADRC: server55.na.d-rco.com:
An account was successfully logged on. Subject: Security ID: S-1-5-18
Account Name: server55$ Account Domain: CONTOSO Logon ID: 0x3e7
Logon Type: 10 New Logon: Security ID:
S-1-5-21-1434109735-357464061-2299825339-86050 Account Name: tsmith
Account Domain: CONTOSO Logon ID: 0x128a6efd Logon GUID:
{0254B574-A9A0-7895-94B0-AD2127BDE342} Process Information: Process ID:
0x1280 Process Name: C:\Windows\System32\winlogon.exe Network
Information: Workstation Name: server55 Source Network Address:
192.168.11.4 Source Port: 9512 Detailed Authentication Information:
Logon Process: User32 Authentication Package: Negotiate Transited
Services: - Package Name (NTLM only): - Key Length: 0 This event is
generated when a logon session is created. It is generated on the computer
that was accessed.
--
---
You received this message because you are subscribed to the Google Groups \
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it, \
send an email to ossec-list+unsubscribe@googlegroups.com. For more options, visit \
https://groups.google.com/d/optout.
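The post shows that, even with the custom decoders in place, the stock chain still ends at rule 18100 ("Group of windows rules."), and the `windows_default` decoder it reproduces already extracts the event id into `id` and the account into `user`. The following is an added example, not the poster's or the OSSEC project's own rules, that detects the same RDP logon without redefining the `windows` decoder at all: it hangs a child rule off 18100 and keys on the decoded `id` plus the event text. It assumes that `decoder.xml` is left untouched (nothing named `windows` is redefined in `local_decoder.xml`), that 18100 is the parent rule the post shows firing, and it reuses the post's rule id 100010 and a hypothetical 100011 for the burst rule. Logon Type 10 is RemoteInteractive (RDP/Terminal Services) in the Windows 4624 event. Two caveats worth noting: a child decoder with a `<regex>` but no `<order>` extracts no fields even when it matches, so rules keyed on `id` or `user` lose those fields if such a decoder wins; and `<regex>` in OSSEC rules uses OSSEC's own regex dialect (`\s`, `\d`, `\w`, `\.`), not PCRE.

```xml
<!-- local_rules.xml: added example, not the poster's or OSSEC's own rules.
     Assumes the stock "windows" decoder chain in decoder.xml is untouched,
     so "id" (4624) and "user" (tsmith in the sample) are already decoded
     and rule 18100 is the parent that the post shows firing. -->
<group name="windows,">

  <!-- Successful logon (4624) whose Logon Type is 10, i.e. RemoteInteractive
       (RDP). \s+ absorbs the tabs and repeated spaces that the agent
       flattens out of the event text; the trailing \s stops "10" from
       matching inside a longer number. Level 5 is a placeholder: a rule
       that fires on every RDP logon is noisy at level 12. -->
  <rule id="100010" level="5">
    <if_sid>18100</if_sid>
    <id>^4624$</id>
    <regex>Logon Type:\s+10\s</regex>
    <description>RDP Windows Logon (4624, logon type 10)</description>
    <group>authentication_success,rdp,</group>
  </rule>

  <!-- Hypothetical companion rule: the same user completing many RDP logons
       in a short window. "user" is the field the stock windows decoder
       extracts, so <same_user /> works without any custom decoder. -->
  <rule id="100011" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100010</if_matched_sid>
    <same_user />
    <description>Multiple RDP logons by the same user in a short period</description>
    <group>rdp,</group>
  </rule>

</group>
```

To check which decoder and rule a line actually hits, paste the sample event into `ossec-logtest`: its Phase 2 output names the decoder and the fields it extracted (`id`, `user`, `system_name`), and Phase 3 names the rule id that fired. If Phase 2 shows no `id` field, the rule above cannot match, which is the symptom to look for before touching the rules.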