
List:       ossec-list
Subject:    Re: [ossec-list] custom windows decoder and redefinition
From:       Brian Kellogg <theflakes () gmail ! com>
Date:       2014-08-28 18:20:25
Message-ID: 984330fb-0776-44a4-ae81-a58bc6016ba2 () googlegroups ! com

Thanks for all your help.  My problem boils down to lack of experience.  I 
got the decoder working by doing the below.  Now on to the rules.

<decoder name="windows_rdp">
  <type>windows</type>
  <parent>windows</parent>
  <prematch>Logon Type:\s+10</prematch>
  <regex offset="after_prematch">Account Name:\s+(\S+)\s+Account Domain:\s+(\S+) \.+Workstation Name:\s+(\S+)\s+Source Network Address:\s+(\S+)</regex>
  <order>srcuser, extra_data, dstuser, srcip</order>
</decoder>


-- 

--- 
You received this message because you are subscribed to the Google Groups \
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it, \
send an email to ossec-list+unsubscribe@googlegroups.com. For more options, visit \
https://groups.google.com/d/optout.
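The following is an added example, not part of the poster's message or of OSSEC itself. It re-implements the posted decoder's prematch/regex/order logic in Python so the patterns can be tested offline against sample events. The translation assumes OSSEC's own regex syntax (`\.` is "any character", `\s`/`\S` are whitespace/non-whitespace, only `( ) + * ^ $ |` are metacharacters, everything else is literal), and the three Windows event lines are constructed approximations of what an OSSEC agent forwards after flattening a 4624/4625 event onto one line; hostnames, SIDs and addresses are made up. It shows two things worth checking before writing the rules: `offset="after_prematch"` is what makes the first captured Account Name the "New Logon" account rather than the "Subject" account that precedes the Logon Type field, and the prematch does not look at the event ID, so a failed logon (4625) with Logon Type 10 decodes exactly like a successful one.

```python
import re
import string

# The decoder from the post, kept in OSSEC regex syntax (not PCRE).
PREMATCH = r"Logon Type:\s+10"
REGEX = (
    r"Account Name:\s+(\S+)\s+Account Domain:\s+(\S+) \.+"
    r"Workstation Name:\s+(\S+)\s+Source Network Address:\s+(\S+)"
)
ORDER = ["srcuser", "extra_data", "dstuser", "srcip"]


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC regex into an equivalent Python regex.

    Assumed OSSEC semantics: "\\." is any character, "\\s \\S \\w \\W \\d \\D \\t"
    keep their usual meaning, "\\p" is a punctuation character, only ( ) + * ^ $ |
    are metacharacters, and every other character (including a bare '.') is literal.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == ".":
                out.append(".")
            elif nxt == "p":
                out.append("[" + re.escape(string.punctuation) + "]")
            elif nxt in "sSwWdDt":
                out.append("\\" + nxt)
            else:
                out.append(re.escape(nxt))
            i += 2
            continue
        out.append(c if c in "()+*^$|" else re.escape(c))
        i += 1
    return "".join(out)


def decode(log: str, after_prematch: bool = True):
    """Apply prematch, then regex, the way the posted decoder does.

    Returns a dict keyed by <order>, or None when the event does not match.
    after_prematch=False shows the effect of omitting offset="after_prematch":
    the regex is then searched over the whole line.
    """
    pre = re.search(ossec_to_python(PREMATCH), log)
    if not pre:
        return None
    haystack = log[pre.end():] if after_prematch else log
    m = re.search(ossec_to_python(REGEX), haystack)
    if not m:
        return None
    return dict(zip(ORDER, m.groups()))


# Constructed sample events (single line, as an OSSEC agent would forward them).
SAMPLE_4624_RDP = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: HOST01.corp.example: An account was successfully logged on. "
    "Subject: Security ID: S-1-5-18 Account Name: HOST01$ Account Domain: CORP Logon ID: 0x3e7 "
    "Logon Type: 10 New Logon: Security ID: S-1-5-21-1-2-3-1001 Account Name: jdoe "
    "Account Domain: CORP Logon ID: 0x5a3b2 Logon GUID: {00000000-0000-0000-0000-000000000000} "
    "Process Information: Process ID: 0x0 Process Name: - Network Information: "
    "Workstation Name: WS01 Source Network Address: 10.0.0.5 Source Port: 51234"
)
# Same event shape, but a network (type 3) logon: the prematch must reject it.
SAMPLE_4624_NETWORK = SAMPLE_4624_RDP.replace("Logon Type: 10", "Logon Type: 3")
# A failed RDP logon: the decoder matches this too, because nothing checks the event ID.
SAMPLE_4625_RDP = (
    "WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: HOST01.corp.example: An account failed to log on. "
    "Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 "
    "Logon Type: 10 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: jdoe "
    "Account Domain: CORP Failure Information: Failure Reason: Unknown user name or bad password. "
    "Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x0 "
    "Caller Process Name: - Network Information: Workstation Name: WS01 "
    "Source Network Address: 10.0.0.5 Source Port: 0"
)

if __name__ == "__main__":
    for name, ev in [("4624/RDP", SAMPLE_4624_RDP), ("4624/net", SAMPLE_4624_NETWORK),
                     ("4625/RDP", SAMPLE_4625_RDP)]:
        print(name, decode(ev))
    print("4624/RDP without after_prematch:", decode(SAMPLE_4624_RDP, after_prematch=False))
```

Running it prints the decoded fields for the RDP success, None for the type-3 logon, the same fields for the 4625 failure, and, without the offset, `srcuser` set to `HOST01$` (the Subject account) instead of `jdoe`; so a rule keyed on `srcuser` should also match on the event ID (or the "successfully logged on" text) if it is meant to fire on successful RDP logons only.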