Aanval Ossec Syslog feed


Travis Barlow

Sep 15, 2014, 8:14:44 PM
to aan...@googlegroups.com
Hello

I have Aanval receiving syslog alerts but am having issues with the filters I have implemented not making much difference. Has anyone had this working and can shed some light?

Thanks
Travis

SuperheroSmith

Sep 15, 2014, 10:23:26 PM
to aan...@googlegroups.com
What are the logs you're receiving and trying to parse, and what filters are you using? Are you writing your regex/filters for a Perl environment? I've written many regex; the times I had issues, the regex were the issue, not Aanval.

Travis Barlow

Sep 15, 2014, 10:26:33 PM
to aan...@googlegroups.com
OSSEC logs, to be precise; there is a sample below.

I was trying to write regex/filters for Aanval but they are not making any difference.

Open to ideas

Thanks
TRB

Sample Alert

OSSEC HIDS Notification.
2014 Sep 15 19:21:23

Received From: (W7_pro) 172.16.1.101->WinEvtLog
Rule: 18119 fired (level 3) -> "First time this user logged in this system."
Portion of the log(s):

2014 Sep 15 19:21:01 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: TEST: TEST-PC: TEST-PC: An account was successfully logged on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  New Logon:  Security ID:  S-1-5-21-801123386-2363932431-2319805766-1000  Account Name:  GSA  Account Domain:  TEST-PC  Logon ID:  0xcf2b1  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x0  Process Name:  -  Network Information:  Workstation Name: GSA-1FB4J12  Source Network Address: -  Source Port:  -  Detailed Authentication Information:  Logon Process:  NtLmSsp   Authentication Package: NTLM  Transited Services: -  Package Name (NTLM only): NTLM V2  Key Length:  128  This event is generated when a logon session is created. It is generated on the computer that was accessed.


Travis Barlow
Founder and Executive Director
Atlantic Security Conference


--
You received this message because you are subscribed to a topic in the Google Groups "Aanval - Snort & Syslog SIEM (Correlation and Threat Management)" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/aanval/Qkbii0cNyFs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to aanval+un...@googlegroups.com.
To post to this group, send email to aan...@googlegroups.com.
Visit this group at http://groups.google.com/group/aanval.
For more options, visit https://groups.google.com/d/optout.

SuperheroSmith

Sep 15, 2014, 11:20:38 PM
to aan...@googlegroups.com
The filter below should grab the source IP:

((?<=Source Network Address: )[0-9.]+)

You can modify the first portion to find and target what value you want, such as "Source Port: " or "Workstation Name: ", and then detail the second portion to grab what follows, whether it be digits, letters, or a mix. I found the following links to be helpful:

http://www.rexegg.com/regex-quickstart.html (learn the basics and how to write and use them)

http://regex101.com/#pcre (test your regex with your logs)

Once your tests are successful, add them to Aanval. You'll immediately notice if they're working or not with new data that is imported. The following link also provides some additional help for filters and Aanval:
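The lookbehind approach above, run over the OSSEC alert Travis posted, as an added example (not code from the thread or from Aanval). It assumes Python's `re` as a stand-in for Aanval's Perl/PCRE filters, which share the fixed-width lookbehind rule; the filter names and the `apply_filters` helper are made up for this example.

```python
import re

# Constructed sample: the OSSEC "Portion of the log(s)" line quoted earlier in this
# thread (a Windows 4624 event forwarded by the OSSEC agent), trimmed to the
# fields the filters below look at. Runs of spaces are kept exactly as in the post.
SAMPLE = (
    "2014 Sep 15 19:21:01 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: TEST: TEST-PC: TEST-PC: "
    "An account was successfully logged on. Subject:  Security ID:  S-1-0-0  "
    "Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  "
    "New Logon:  Security ID:  S-1-5-21-801123386-2363932431-2319805766-1000  "
    "Account Name:  GSA  Account Domain:  TEST-PC  Logon ID:  0xcf2b1  "
    "Network Information:  Workstation Name: GSA-1FB4J12  "
    "Source Network Address: -  Source Port:  -  Key Length:  128"
)

# Each filter is a PCRE-style pattern of the kind Aanval takes. Lookbehind is
# fixed-width in both PCRE and Python's re, so the label goes in the lookbehind
# and any variable whitespace is consumed outside it.
FILTERS = {
    # The filter from the reply above, verbatim.
    "src_ip": r"(?<=Source Network Address: )[0-9.]+",
    "event_id": r"(?<=AUDIT_SUCCESS\()\d+",
    "workstation": r"(?<=Workstation Name: )\S+",
    # Windows pads after the colon inconsistently ("Logon Type:   3"), so match the
    # label, then skip whitespace, then capture the value.
    "logon_type": r"(?<=Logon Type:)\s*(\d+)",
    # "Account Name:" appears twice in a 4624 event (Subject, then New Logon).
    # A bare lookbehind returns the first one, which is "-" here...
    "first_account": r"(?<=Account Name:)\s*(\S+)",
    # ...so anchor on the "New Logon:" section to get the account that logged on.
    "new_logon_account": r"New Logon:.*?Account Name:\s*(\S+)",
}


def apply_filters(line, filters=FILTERS):
    """Run each filter over one log line; None means the filter did not match."""
    results = {}
    for name, pattern in filters.items():
        m = re.search(pattern, line)
        # Return the capture group when the pattern has one, else the whole match.
        results[name] = m.group(m.lastindex or 0) if m else None
    return results


if __name__ == "__main__":
    for name, value in apply_filters(SAMPLE).items():
        print(f"{name:>18}: {value!r}")
```

On this particular sample the source-IP filter returns None, because the event carries "Source Network Address: -" (a local NTLM logon with no network address), which is one way a correct filter can look like it is "not making any difference": test each pattern against a line that actually contains the value before adding it to Aanval.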
