
List:       ossec-list
Subject:    Re: [ossec-list] OSSEC Rule Creation Help
From:       Jesus Linares <jesus () wazuh ! com>
Date:       2016-03-29 9:36:21
Message-ID: 753f59f6-bbdf-4a1c-8cc0-cd6e312d3692 () googlegroups ! com

Hi,

The regex for field *same_source_ip* could be *\w+*. But I'm not sure if 
the field *same_source_ip* is OS_Regex or OS_Match. Check out the 
documentation: http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html

If you need help creating specific rules, it would be very useful to paste 
here some log samples of what you want to detect.

Regards,
Jesus Linares.

On Thursday, March 24, 2016 at 1:41:47 PM UTC+1, namobud...@gmail.com wrote:
> 
> Thanks Santiago,
> 
> The logs I would be examining are just standard Windows logs. I wonder if 
> it's just a question of building the right Kibana query or, rule-wise, maybe 
> something like below (adding to my existing authentication group).
> 
> 
> I already have a custom authentication rules group as follows:
> 
> <group name="mm-after-hours-logins,">
>   <rule id="500000" level="10">
>     <if_group>authentication</if_group>
>     <time>10 pm - 7 am</time>
>     <description>Login after hours</description>
>   </rule>
> 
>   <rule id="500001" level="0">
>     <if_sid>500000</if_sid>
>     <user>workstation-name</user>
>     <description>Ignore service accounts</description>
>   </rule>
> </group>
> 
> I'm not really that good with regexes, but I think I want to build 
> something similar to below (I'm just not sure on the verbiage). I'm not 
> sure how to say "more than one login account from the same IP" in OSSEC rule 
> language. Any help would be greatly appreciated.
> 
> <rule id="500001" level="0">
>   <if_sid>500000</if_sid>
>   <user>workstation-name</user>
>   <same_source_ip>a regex expression here that basically says logging 
>   into more than one account from the same box</same_source_ip>
>   <description>Ignore service accounts</description> *I might want to pull 
>   this - not sure -* 
> </rule>
> </group>
> 
> Thanks,
> 
> 
> 
> On Wednesday, March 23, 2016 at 5:54:56 PM UTC-4, Santiago Bassett wrote:
> > 
> > For the first use case, I think you should be able to use 
> > "same_source_ip" and "not_same_user" options (I would probably define a 
> > frequency threshold too). 
> > 
> > For other cases I guess it all depends on the logs you want to analyze. 
> > Do you have samples?
> > 
> > 
> > 
> > On Wed, Mar 23, 2016 at 5:51 AM, <namobud...@gmail.com> wrote:
> > 
> > > Hello Group,
> > > 
> > > Is there a way to create a rule that will filter for login attempts to 
> > > multiple accounts from the same IP? The goal is to find an attacker who's 
> > > gained a foothold attempting password spraying, which would fly under the 
> > > password policy radar if they do it slowly enough.
> > > 
> > > I'm also looking for rules for the following if anyone has an idea of 
> > > how to write them.
> > > 
> > > -An attacker using Powershell Empire (commonly used to own Active 
> > > Directory network)
> > > -Scanning Activity
> > > -Long Duration Connections (A possible sign of an advanced persistent 
> > > connection)
> > > -Concurrent Logins
> > > 
> > > 
> > > Thanks,
> > > 
> > > -- 
> > > 
> > > --- 
> > > You received this message because you are subscribed to the Google 
> > > Groups "ossec-list" group.
> > > To unsubscribe from this group and stop receiving emails from it, send 
> > > an email to ossec-list+...@googlegroups.com.
> > > For more options, visit https://groups.google.com/d/optout.
> > > 
> > 
> > 

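As an added example (not from anyone in this thread), here is how the correlation Santiago describes would be written in OSSEC rule syntax: `same_source_ip` and `not_same_user` are empty elements evaluated together with `frequency` and `timeframe`, not regex fields. It assumes the Windows logon-failure events are decoded with `srcip` and `user` fields and carry a rule group name containing `authentication_failed`; rule id 100100 is an arbitrary local id.

```xml
<!-- Added example, not from the thread. 100100 is an arbitrary id in the
     customary local-rule range. -->
<group name="local,">
  <!-- Fire when 5 logon failures within 10 minutes come from one source IP
       but target different user names: the slow password-spray pattern the
       original question describes. Assumes the Windows logon-failure events
       are decoded with srcip and user and that their rule group name
       contains "authentication_failed" (if_matched_group is a substring
       match). -->
  <rule id="100100" level="10" frequency="5" timeframe="600">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_source_ip />
    <not_same_user />
    <description>Logon failures for several different accounts from the same source IP (possible password spraying)</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

Before relying on this, feed a sample Windows logon-failure event through `ossec-logtest` and confirm the decoder output actually contains `srcip` and `user`; without those fields `same_source_ip` and `not_same_user` have nothing to compare.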




