List: ossec-list
Subject: [ossec-list] Re: id "|" or "," ??
From: Pedro S <pedro () wazuh ! com>
Date: 2016-03-29 14:47:51
Message-ID: 643a6b0a-e4ba-4720-ab81-8f773f4908f4 () googlegroups ! com
I think it is hard to simulate correlation on OSSEC. It has some tools, as
you said, like frequency, timeframe, if_matched_sid, if_matched_group... I
think the best and simplest approach is to create two rules matching the
IDs, but as far as I know it won't work as you desired.
For example:
<rule id="18500" level="3">
  <if_sid>18103</if_sid>
  <id>^4000$|^4001$</id>
  <description>Match of Windows Event ID 4000 OR 4001</description>
  <group>authentication_success,pci_dss_10.2.5,</group>
</rule>

<rule id="18501" level="3" timeframe="30">
  <if_matched_sid>18500</if_matched_sid>
  <id>^4001$</id>
  <description>Match of Windows Event ID 4000 followed by 4001</description>
  <group>authentication_success,pci_dss_10.2.5,</group>
</rule>
The second rule will trigger only if there is a previous match of 4000 or
4001. I don't know any other approach to solve this.
Maybe we can use active response to execute a script which stores the info
and at some point triggers an alert.
I hope someone can shed some light here.
Regards,
Pedro S.
On Tuesday, March 29, 2016 at 4:21:36 PM UTC+2, Rob B wrote:
>
> Thank you for taking the time to answer with examples Pedro!
>
> One last related question if ya don't mind? I am trying to wrap
> my head around a rule firing off after a simple bit of correlation.
> Is it possible? I know this is the job of the SIEM, but I am trying
> to get the SIEM to only correlate fired upon alerts that are qualified
> by a mechanism first. So, for example, I would like a rule to fire on
> event 4567 that was followed by 4523 then followed by 4625 between 1
> and 50 times, then a 4624... (when all these things match the rule
> fires)
>
> I see that rules have the ability of setting frequency and time frame,
> which would help me, though I am at a loss for the remainder of my
> needs. Seems an external script may be needed along with a sort of
> temporary repository. ( I may be over thinking this and mucking it up
> )
>
>
> What could you suggest?
>
>
> V/R,
> Rob B.
>
> On Tuesday, March 29, 2016 at 7:41:21 AM UTC-4, Pedro S wrote:
> >
> > If you need to filter for one specific ID you need to use the pipe "|"
> > option. I don't think you can use "," inside <id></id> tags to
> > concatenate anything.
> > The "," character will be treated like a string character, not a regex one, so
> > it will try to match for "IDNumber,".
> >
> > As you know, one example of this kind of rule is used in
> > msauth_rules.xml:
> >
> > > <rule id="18106" level="5">
> > >   <if_sid>18105</if_sid>
> > >   <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
> > >   <description>Windows Logon Failure.</description>
> > >   <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
> > > </rule>
> >
> >
> > This last one will work, and the following one WON'T work:
> >
> > > <rule id="18106" level="5">
> > >   <if_sid>18105</if_sid>
> > >   <id>^529$,^530$,^531$,^532$,^533$</id>
> > >   <description>Windows Logon Failure.</description>
> > >   <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
> > > </rule>
> >
> >
> >
> > Regards,
> >
> > Pedro S.
> >
> >
> >
> >
> > On Monday, March 28, 2016 at 9:07:30 PM UTC+2, Rob B wrote:
> > >
> > > Heya Folks,
> > >
> > > I've been looking for the docs that explain the difference between the
> > > use of the "|" and the "," when specifying the id numbers within a rule. I
> > > can't find anything that explains the use.
> > >
> > > Could someone explain to me the differences by way of use? or provide a
> > > link that I may have missed?
> > >
> > >
> > >
> > > Two arbitrary use case EXAMPLES of what I am after are:
> > >
> > > A.) Within sid 18103, look for id 12345 followed by 12346, followed by
> > > 12347
> > > B.) Within sid 18103, look for id 11234 and 11254
> > >
> > >
> > > Thank you!
> > >
> > > R.B.
> > >
> >
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it,
send an email to ossec-list+unsubscribe@googlegroups.com. For more options, visit
https://groups.google.com/d/optout.
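Editor's added example (not code from the thread, from Pedro, or from OSSEC itself): a small Python model of the two mechanics the thread turns on, so the behaviour can be checked offline before touching a live rule set. It loads Pedro's two rules verbatim (wrapped in the `<group>` root element an OSSEC rules file has), treats `|` in `<id>` as a top-level OR and everything else as a literal/regex character, and replays constructed (unix_time, event_id) pairs through `<if_sid>`, `<id>` and `<if_matched_sid>` with `timeframe`. Assumptions: every sample event is taken to have already matched base rule 18103, Python's `re` stands in for OSSEC's own regex engine (equivalent for these digit-only anchored patterns), and `<if_matched_sid>` is approximated as "the referenced rule fired on an earlier event no more than `timeframe` seconds ago". It does not model `frequency`, the `same_*`/`different_*` options or the rule-tree ordering of ossec-analysisd; confirm anything that matters with ossec-logtest on a real install.

```python
import re
import xml.etree.ElementTree as ET

# Pedro's two rules from the reply above, verbatim, wrapped in the <group>
# root element an OSSEC rules file has so that they parse as one document.
RULES_XML = """<group name="local,windows,">
  <rule id="18500" level="3">
    <if_sid>18103</if_sid>
    <id>^4000$|^4001$</id>
    <description>Match of Windows Event ID 4000 OR 4001</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>
  <rule id="18501" level="3" timeframe="30">
    <if_matched_sid>18500</if_matched_sid>
    <id>^4001$</id>
    <description>Match of Windows Event ID 4000 followed by 4001</description>
    <group>authentication_success,pci_dss_10.2.5,</group>
  </rule>
</group>"""


def id_matches(pattern: str, event_id: str) -> bool:
    """Model of how an OSSEC <id> pattern is applied to an event id.

    '|' separates alternatives; each alternative is a small regex whose
    '^' and '$' anchor to the whole value.  ',' has no special meaning, so
    '^529$,^530$' is ONE alternative containing a literal comma and can
    never match a bare event id.  Python's re stands in for OSSEC's regex
    engine here (assumption); for digit-only patterns the result is the same.
    """
    return any(re.search(alt, event_id) is not None for alt in pattern.split("|"))


def load_rules(xml_text: str) -> list[dict]:
    """Pull the few fields this model understands out of the rule XML."""
    rules = []
    for node in ET.fromstring(xml_text).iter("rule"):
        def text(tag: str):
            return (node.findtext(tag) or "").strip() or None
        rules.append({
            "sid": node.get("id"),
            "timeframe": int(node.get("timeframe", "0")),
            "if_sid": text("if_sid"),
            "if_matched_sid": text("if_matched_sid"),
            "id": text("id"),
            "description": text("description"),
        })
    return rules


def run(rules: list[dict], events: list[tuple[int, str]],
        base_sid: str = "18103") -> list[tuple[int, str, str]]:
    """Replay (unix_time, windows_event_id) pairs, sorted by time, through the rules.

    Assumption: every event has already matched base rule 18103, the rule the
    thread's <if_sid> chains from.  Simplified semantics, NOT ossec-analysisd:
      <if_sid>         the base rule must be the one named
      <id>             must match via id_matches()
      <if_matched_sid> the named rule must have fired on an EARLIER event
                       no more than timeframe seconds ago
    Returns one (time, event_id, sid) tuple per rule that fires.
    """
    history: dict[str, list[int]] = {}   # sid -> times it fired
    fired = []
    for t, eid in events:
        hits = []
        for rule in rules:
            if rule["if_sid"] and rule["if_sid"] != base_sid:
                continue
            if rule["id"] and not id_matches(rule["id"], eid):
                continue
            ref = rule["if_matched_sid"]
            if ref and not any(t - p <= rule["timeframe"] for p in history.get(ref, [])):
                continue
            hits.append(rule["sid"])
        # Record only after the whole event is evaluated, so the current event
        # can never serve as its own "previous match".
        for sid in hits:
            history.setdefault(sid, []).append(t)
            fired.append((t, eid, sid))
    return fired


def fired_sids(events: list[tuple[int, str]]) -> list[str]:
    """Convenience wrapper: which rule ids fire, in order, for a sample sequence."""
    return [sid for _, _, sid in run(load_rules(RULES_XML), events)]


if __name__ == "__main__":
    # Constructed sample sequences, not real Windows logs.
    print(fired_sids([(0, "4000"), (10, "4001")]))    # 4000 then 4001 within 30 s
    print(fired_sids([(0, "4001"), (10, "4001")]))    # 4001 then 4001: 18501 fires too
    print(fired_sids([(0, "4000"), (100, "4001")]))   # outside the timeframe: only 18500
```

The second sample sequence is the point Pedro makes about his own design: rule 18501 fires whenever 18500 fired on any earlier event inside the timeframe, so "4001 then 4001" triggers it exactly like "4000 then 4001"; the ordering Rob asked for is not something `if_matched_sid` alone expresses.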