Ossec rules matching order and other


Issam Aouad Tabet

May 18, 2016, 11:02:56 AM
to ossec-list
Hey everyone,

I am wondering if anyone can help me with these two questions:

1. I am using ossec-logtest to test my rules against some Windows logs. Does anyone know in which order the rules are tested?
It does not seem to be ID number order...

2. Here is the default predefined rule that matches all windows events:
<group name="windows,">
  <rule id="18100" level="6">
    <category>windows</category>
    <description>Group of windows rules.</description>
  </rule>
</group>

How is this linked with the windows event log decoder in ossec/etc/decoder.xml? Can anyone explain why this matches all windows events? Is it through the category tag? Because there is no "match" tag...

Thanks a lot!!

dan (ddp)

May 18, 2016, 11:18:28 AM
to ossec...@googlegroups.com
Yes, it's the category tag. Here's the windows decoder:
<decoder name="windows">
  <type>windows</type>
  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
  <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

The <type> option sets log messages that match that decoder to "windows."
The rules use that as a category. So basically anything that matches
the windows decoder should automagically trigger rule 18100.
This is preferable to just matching the decoder, because a number of
decoders can set the same type.


Jesus Linares

May 18, 2016, 11:32:17 AM
to ossec-list
Hi Issam,

Regarding the rule order, OSSEC checks a rule and its children recursively. Try launching ossec-logtest with the -v argument:

log: '2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-U93G48C7BOP: Process Create:  UtcTime: 12/20/2014 2:29 PM  ProcessGuid: {00000000-87DB-5495-0000-001045F25A00}  ProcessId: 3048  Image: C:\Windows\system32\svchost.exe  CommandLine: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\ossec.log  User: WIN-U93G48C7BOP\Administrator  LogonGuid: {00000000-84B8-5494-0000-0020CB330200}  LogonId: 0x233CB  TerminalSessionId: 1  IntegrityLevel: High  HashType: SHA1  Hash: 9FEF303BEDF8430403915951564E0D9888F6F365  ParentProcessGuid: {00000000-84B9-5494-0000-0010BE4A0200}  ParentProcessId: 848  ParentImage: C:\Windows\Explorer.EXE  ParentCommandLine: C:\Windows\Explorer.EXE'


**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'C:\Windows\system32\svchost.exe'
       dstuser: 'WIN-U93G48C7BOP\Administrator'
       url: '9FEF303BEDF8430403915951564E0D9888F6F365'
       extra_data: 'C:\Windows\Explorer.EXE'

**Rule debugging:
    Trying rule: 6 - Generic template for all windows rules.
       *Rule 6 matched.
       *Trying child rules.
    Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
    Trying rule: 18100 - Group of windows rules.
       *Rule 18100 matched.
       *Trying child rules.
    Trying rule: 18101 - Windows informational event.
    Trying rule: 18102 - Windows warning event.
    Trying rule: 18104 - Windows audit success event.
    Trying rule: 184666 - Sysmon - Suspicious Process - svchost.exe
       *Rule 184666 matched.
       *Trying child rules.
    Trying rule: 184667 - Sysmon - Legitimate Parent Image - svchost.exe

**Phase 3: Completed filtering (rules).
       Rule id: '184666'
       Level: '12'
       Description: 'Sysmon - Suspicious Process - svchost.exe'
**Alert to be generated.


Regards.
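The two answers above (the decoder <type> becoming the rule <category>, and the recursive parent-then-children walk that ossec-logtest -v prints) can be put together in a small model. The following Python is an added illustration and is not code from this thread or from OSSEC itself: it loads a rule set written in OSSEC's rule XML, builds the parent/child tree from <if_sid>, and walks it the way the verbose trace shows, so you can see why a category-only rule matches every windows event and why the first matching sibling, not the lowest rule id, decides which branch is followed. Rules 18100, 18101 and 18102 follow the shipped windows rules; rules 100100 and 100101, the WIN-EXAMPLE host and the three decoded events are constructed for this example. <match> is modelled as a plain substring test and <status>/<regex> with Python's re, which is a simplification of OSSEC's own regex syntax.

```python
"""Added illustration (not OSSEC's own code): a small model of how OSSEC walks
its rule tree, producing the same kind of "Trying rule / *Rule N matched /
*Trying child rules" trace that ossec-logtest -v prints.

Simplifications: <match> is a plain substring test, <status> and <regex> use
Python's re, <if_sid> takes a single id, and siblings are tried in file order.
Rules 100100/100101 and all events below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

RULES_XML = r"""
<group name="windows,">
  <rule id="18100" level="6">
    <category>windows</category>
    <description>Group of windows rules.</description>
  </rule>
  <rule id="18101" level="0">
    <if_sid>18100</if_sid>
    <status>^INFORMATION</status>
    <description>Windows informational event.</description>
  </rule>
  <rule id="18102" level="5">
    <if_sid>18100</if_sid>
    <status>^WARNING</status>
    <description>Windows warning event.</description>
  </rule>
  <rule id="100100" level="12">
    <if_sid>18101</if_sid>
    <match>svchost.exe</match>
    <description>Hypothetical local rule - svchost.exe process create</description>
  </rule>
  <rule id="100101" level="0">
    <if_sid>100100</if_sid>
    <match>ParentImage: C:\Windows\system32\services.exe</match>
    <description>Hypothetical local rule - svchost.exe with legitimate parent</description>
  </rule>
</group>
"""


class Rule:
    def __init__(self, el):
        self.id = int(el.get("id"))
        self.level = int(el.get("level"))
        self.description = el.findtext("description", "")
        self.category = el.findtext("category")
        self.if_sid = el.findtext("if_sid")
        self.status = el.findtext("status")
        self.match = el.findtext("match")
        self.regex = el.findtext("regex")
        self.children = []

    def matches(self, event):
        # <category> is compared with the <type> the decoder assigned to the
        # event; for the shipped rule 18100 this is the only condition there is.
        if self.category and event.get("category") != self.category:
            return False
        if self.status and not re.search(self.status, event.get("status", "")):
            return False
        if self.match and self.match not in event["full_log"]:
            return False
        if self.regex and not re.search(self.regex, event["full_log"]):
            return False
        return True


def load_rules(xml_text):
    """Build the tree: rules without <if_sid> are roots, the rest hang off their parent."""
    by_id, roots = {}, []
    for el in ET.fromstring(xml_text).iter("rule"):
        rule = Rule(el)
        by_id[rule.id] = rule
        if rule.if_sid is None:
            roots.append(rule)
        else:
            by_id[int(rule.if_sid)].children.append(rule)
    return roots


def evaluate(rules, event, trace):
    """Depth-first walk: the first sibling that matches is followed; the deepest match wins."""
    for rule in rules:
        trace.append(f"Trying rule: {rule.id} - {rule.description}")
        if not rule.matches(event):
            continue
        trace.append(f"*Rule {rule.id} matched.")
        if rule.children:
            trace.append("*Trying child rules.")
            deeper = evaluate(rule.children, event, trace)
            if deeper is not None:
                return deeper
        return rule
    return None


def run_logtest(event):
    """Return (rule id, level, trace lines), the items ossec-logtest -v reports."""
    trace = []
    rule = evaluate(load_rules(RULES_XML), event, trace)
    return (None, None, trace) if rule is None else (rule.id, rule.level, trace)


# Constructed, already-decoded events: "category" is the decoder <type>,
# "status" the first field of the windows decoder's <order>.
SYSMON_LOG = (r"2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: "
              r"INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-EXAMPLE: "
              r"Process Create:  Image: C:\Windows\system32\svchost.exe  ParentImage: ")
EVENT_SUSPICIOUS = {"category": "windows", "status": "INFORMATION",
                    "full_log": SYSMON_LOG + r"C:\Windows\Explorer.EXE"}
EVENT_LEGIT = {"category": "windows", "status": "INFORMATION",
               "full_log": SYSMON_LOG + r"C:\Windows\system32\services.exe"}
EVENT_SYSLOG = {"category": "syslog", "status": "", "full_log": "sshd[1]: Accepted publickey"}

if __name__ == "__main__":
    for name, ev in (("suspicious", EVENT_SUSPICIOUS), ("legit", EVENT_LEGIT), ("syslog", EVENT_SYSLOG)):
        rule_id, level, trace = run_logtest(ev)
        print(f"== {name}: rule {rule_id}, level {level}")
        print("\n".join("    " + line for line in trace))
```

Running it shows the suspicious event descending 18100 -> 18101 -> 100100, with 100101 tried and rejected, so the level-12 rule is the final match; the legitimate event reaches 100101 and ends at level 0; the syslog event fails the category test on 18100 and matches nothing. Note that 18102 is never tried for either windows event: once sibling 18101 matched, OSSEC follows that branch, which is why a local rule has to be attached under the right parent rather than simply given a larger id.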