Ossec/master#504
Here's a sample:
2015 Jan 26 10:32:34 (ossec.test) 172.16.64.192->WinEvtLog 2015 Jan 26
10:32:29 WinEvtLog: Security: AUDIT_SUCCESS(4624):
Microsoft-Windows-Security-Auditing: Administrator: WIN-2MFFK74V479:
WIN-2MFFK74V479: An account was successfully logged on. Subject:
Security ID: S-1-5-18 Account Name: WIN-2MFFK74V479$ Account
Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon:
Security ID: S-1-5-21-4038505936-601472641-3673143146-500 Account
Name: Administrator Account Domain: WIN-2MFFK74V479 Logon ID:
0x3554167 Logon GUID: {00000000-0000-0000-0000-000000000000} Process
Information: Process ID: 0x21c Process Name:
C:\Windows\System32\winlogon.exe Network Information: Workstation
Name: WIN-2MFFK74V479 Source Network Address: 127.0.0.1 Source Port:
0 Detailed Authentication Information: Logon Process: User32
Authentication Package: Negotiate Transited Services: - Package Name
(NTLM only): - Key Length: 0 This event is generated when a logon
session is created. It is generated on the computer that was accessed.
I would think this would be better if you matched with something like:
<match>Logon Type:\W+2 </match>
                  ^   ^-notice the space
                  \--- Anything other than A-Z, a-z, 0-9, '-', '@'
The reason is that this will match 2, 211, 21 just about anything starting with a 2
Yes, it's 3 spaces, default by Microsoft Win event. And I see Windows logon event only maximum logon type = 11
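The difference between the two <match> patterns discussed above (with and without the trailing space after the 2) can be checked outside of ossec-logtest. The following is an added example, not code from the pull request or from OSSEC: it translates OSSEC's \W (defined in the review comment as anything other than A-Z, a-z, 0-9, '-', '@') into an explicit Python character class, runs both patterns over constructed 4624 fragments (three spaces after "Logon Type:", as stated in the reply, plus one single-space variant), and shows that only the pattern with the trailing space rejects a value such as 21. The translation helper and the sample fragments are assumptions made for this demonstration.

```python
import re

# OSSEC's regex dialect defines \W as "anything other than A-Z, a-z, 0-9,
# '-', '@'" (per the review comment). Python's own \W means something else,
# so the class is spelled out explicitly here.
OSSEC_W = r"[^A-Za-z0-9@-]"


def ossec_match_to_python(pattern):
    """Translate the small subset of OSSEC <match> syntax used in this
    thread (literal text plus \\W) into a compiled Python regex.
    This translation is an assumption for the demo, not OSSEC's own code."""
    return re.compile(pattern.replace(r"\W", OSSEC_W))


def logon_type_matches(line, pattern):
    """True if the OSSEC-style <match> pattern would fire on the log line."""
    return ossec_match_to_python(pattern).search(line) is not None


# Constructed 4624 fragments. OSSEC-forwarded events carry three spaces
# after "Logon Type:" (as noted in the thread); one fragment uses a single
# space to show that \W+ absorbs either. Logon Type 21 does not exist on
# Windows and is included only to exhibit the false positive the reviewer
# describes for a pattern without the trailing space.
SAMPLE_LINES = {
    "interactive_2":   "Logon ID: 0x3e7 Logon Type:   2 New Logon:",
    "single_space_2":  "Logon ID: 0x3e7 Logon Type: 2 New Logon:",
    "network_3":       "Logon ID: 0x3e7 Logon Type:   3 New Logon:",
    "cached_11":       "Logon ID: 0x3e7 Logon Type:   11 New Logon:",
    "hypothetical_21": "Logon ID: 0x3e7 Logon Type:   21 New Logon:",
}

LOOSE_MATCH = r"Logon Type:\W+2"    # no trailing space: also matches 21, 211, ...
STRICT_MATCH = r"Logon Type:\W+2 "  # trailing space pins the value to exactly 2


def evaluate(pattern):
    """Map each sample fragment name to whether the pattern matches it."""
    return {name: logon_type_matches(line, pattern)
            for name, line in SAMPLE_LINES.items()}


if __name__ == "__main__":
    for label, pattern in (("loose", LOOSE_MATCH), ("strict", STRICT_MATCH)):
        print(label, repr(pattern), evaluate(pattern))
```

Running it prints one result map per pattern; the loose pattern reports True for the "21" fragment while the strict one does not, which is the point of the trailing space. The real regression check still belongs in the ossec-testing INI files run through ossec-logtest, as suggested below in the thread.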
Could you also include an example of the log line this matches so that we know all the details of what is going on. If you look at https://github.com/ossec/ossec-hids/tree/master/contrib/ossec-testing we also have a testing framework for logs. Might want to add this into that so regressions do not happen if other things change around this log line.
@jrossi: sorry, but can you guide me to use ossec-testing? I only use ossec-logtest on the server
Sorry, busy week. Ossec testing is basically just an INI file in contrib/ossec-testing/tests/ that has a log line and the expected output. Should be simple to do, but to run them you must have python on the system as it calls into ossec-logtest to do its work. You can call it from the Makefile
@hyn172 does the ossec-testing stuff make sense? Anything else you were wondering about after looking at the files (if you had time, which is hard to come by I know).
@hyn172 can you provide some log samples that would trigger your new rule? I could write the ossec-testing stuff so this can be included in 2.9.
Sorry, in my country we have spent the Tet holiday for two weeks. So, next week.
On Sat, Feb 14, 2015 at 2:26 AM, Christian Beer notifications@github.com
Thanks & Best Regards.
@hyn172 it's been a while on this. We are working on getting 2.9 ready. Are you able to provide some log samples?
@hyn172 as we don't have anything to test this with and its effect on other rules could be an issue, we are going to need some samples before we can merge.