
List:       ossec-list
Subject:    [ossec-list] Re: id "|" or "," ??
From:       Pedro S <pedro () wazuh ! com>
Date:       2016-03-29 14:47:51
Message-ID: 643a6b0a-e4ba-4720-ab81-8f773f4908f4 () googlegroups ! com

I think it is hard to simulate correlation on OSSEC, it has some tools as 
you said like frequency, timeframe, if_matched_sid, if_matched_group... I 
think the best and simple approach is to create two rules matching the 
IDs, but as far as I know it won't work as you desired.

For example:

   <rule id="18500" level="3">
     <if_sid>18103</if_sid>
     <id>^4000$|^4001$</id>
     <description>Match of Windows Event ID 4000 OR 4001</description>
     <group>authentication_success,pci_dss_10.2.5,</group>
   </rule>


   <rule id="18501" level="3" timeframe="30">
     <if_matched_sid>18500</if_matched_sid>
     <id>^4001$</id>
     <description>Match of Windows Event ID 4000 followed by 4001</description>
     <group>authentication_success,pci_dss_10.2.5,</group>
   </rule>


The second rule will trigger only if there is a previous match of 4000 or 
4001. I don't know any other approach to solve this.
Maybe we can use active response to execute a script which stores the info 
and at some point triggers an alert.

I hope someone can bring us some light here.

Regards,

Pedro S.
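
Added example, not code from this thread or from OSSEC itself: it approximates OSSEC's regex handling of the `<id>` field with Python's `re` module (OSSEC's own OS_Regex engine differs in details), so the "|" and "," forms can be compared directly, and it simulates the 18500/18501 if_matched_sid chain above on a constructed event stream to show where it fires.

```python
import re

# Added example, not code from this thread or from OSSEC. It approximates how
# OSSEC reads a rule's <id> field as a regex (so "|" is alternation and "," is
# a literal character) using Python's re module in place of OSSEC's own
# OS_Regex engine, and simulates the two-rule if_matched_sid/timeframe chain
# from the message above on a constructed event stream.

def id_matches(id_pattern, event_id):
    """Does a rule's <id> pattern match this event id under regex semantics?"""
    return re.search(id_pattern, event_id) is not None

# Rule table modelled on rules 18500 and 18501 in the message (constructed).
RULES = {
    18500: {"id": "^4000$|^4001$", "if_matched_sid": None, "timeframe": None},
    18501: {"id": "^4001$", "if_matched_sid": 18500, "timeframe": 30},
}

def correlate(events):
    """events: list of (seconds, event_id). Returns (seconds, event_id, rule)
    per event, where rule is the id that alerted (None if nothing matched).
    A child rule with if_matched_sid replaces its parent's alert when the
    parent matched an EARLIER event inside the timeframe."""
    last_match = {}          # rule id -> time of its most recent match
    results = []
    for ts, eid in events:
        matched = []
        for rid, rule in RULES.items():   # parent first, then its child
            if not id_matches(rule["id"], eid):
                continue
            parent = rule["if_matched_sid"]
            if parent is not None:
                prev = last_match.get(parent)   # state before this event
                if prev is None or ts - prev > rule["timeframe"]:
                    continue
            matched.append(rid)
        for rid in matched:
            last_match[rid] = ts
        results.append((ts, eid, matched[-1] if matched else None))
    return results

# Constructed sample stream: 4000 then 4001 (the intended sequence), then two
# 4001 events five seconds apart with no 4000 before them, then 4624.
SAMPLE_EVENTS = [(0, "4000"), (10, "4001"), (100, "4001"), (105, "4001"), (110, "4624")]

if __name__ == "__main__":
    print("comma form matches 529?", id_matches("^529$,^530$", "529"))   # False
    print("pipe form matches 530?", id_matches("^529$|^530$", "530"))    # True
    for ts, eid, rule in correlate(SAMPLE_EVENTS):
        print(f"t={ts:3d} id={eid} -> rule {rule}")
```

The run shows the caveat in the message: because 18500 also matches 4001, the event at t=105 alerts 18501 after a plain 4001 at t=100, so the chain does not enforce "4000 then 4001".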

On Tuesday, March 29, 2016 at 4:21:36 PM UTC+2, Rob B wrote:
> 
> Thank you for taking the time to answer with examples Pedro!
> 
> One last related question if ya don't mind..?     I am trying to wrap
> my head around a rule firing off after a simple bit of correlation.
> Is it possible?  I know this is the job of the SIEM, but I am trying
> to get the SIEM to only correlate fired upon alerts that are qualified
> by a mechanism first. So, for example, I would like a rule to fire on
> event 4567 that was followed by 4523 then followed by 4625 between 1
> and 50 times, then a 4624... (when all these things match the rule
> fires)
> 
> I see that rules have the ability of setting frequency and time frame,
> which would help me, though I am at a loss for the remainder of my
> needs.  Seems an external script may be needed along with a sort of
> temporary repository. (I may be overthinking this and mucking it up.)
> 
> 
> What could you suggest?
> 
> 
> V/R,
> Rob B.
> 
> On Tuesday, March 29, 2016 at 7:41:21 AM UTC-4, Pedro S wrote:
> > 
> > If you need to filter for one specific ID you need to use the *pipe |* 
> > option, I don't think you can use "," inside *<id></id>* tags to 
> > concatenate anything.
> > The "," character will be treated like a string character, not a regex one, so 
> > it will try to match for *"IDNumber,".*
> > 
> > As you know, one example of this kind of rule is used on 
> > *msauth_rules.xml:*
> > 
> > <rule id="18106" level="5">
> >   <if_sid>18105</if_sid>
> >   <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
> >   <description>Windows Logon Failure.</description>
> >   <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
> > </rule>
> > 
> > 
> > This last one will work, and the following one WON'T work:
> > 
> > <rule id="18106" level="5">
> >   <if_sid>18105</if_sid>
> >   <id>^529$,^530$,^531$,^532$,^533$</id>
> >   <description>Windows Logon Failure.</description>
> >   <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
> > </rule>
> > 
> > 
> > 
> > Regards,
> > 
> > Pedro S.
> > 
> > 
> > 
> > 
> > On Monday, March 28, 2016 at 9:07:30 PM UTC+2, Rob B wrote:
> > > 
> > > Heya Folks,
> > > 
> > > I've been looking for the docs that explain the difference between the 
> > > use of the "|" and the "," when specifying the id numbers within a rule. I 
> > > can't find anything that explains the use.
> > > 
> > > Could someone explain to me the differences by way of use?  or provide a 
> > > link that I may have missed?
> > > 
> > > 
> > > 
> > > Two arbitrary use case EXAMPLES of what I am after are:
> > > 
> > > A.)  Within sid 18103, look for id 12345 followed by 12346, followed by 
> > > 12347
> > > B.)  Within sid 18103, look for id 11234 and 11254
> > > 
> > > 
> > > Thank you!
> > > 
> > > R.B.
> > > 
> > 

-- 

--- 
You received this message because you are subscribed to the Google Groups
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it,
send an email to ossec-list+unsubscribe@googlegroups.com. For more options, visit
https://groups.google.com/d/optout.

