About new OSSEC's dynamic decoders


Kyriakos Stavridis

Sep 17, 2019, 6:05:07 AM
to ossec-list
Hey guys, so I really like the new dynamic decoders. But how can I use a dynamic field to trigger a rule?

Let's say I extract md5 into a dynamic field with a decoder <order>md5</order>

I can't use the tag <md5>XXXXXXX</md5> in any rule.

How am I supposed to check the value I extracted with the decoder?

Thanks

Yana Zaeva

Mar 10, 2022, 7:50:49 AM
to ossec-list

Hi Kyriakos,

It seems that this feature is not available for OSSEC (you can check an older thread about it here). However, as mentioned in the thread, you can use Wazuh to achieve that goal:

**Phase 1: Completed pre-decoding.
       full event: '2017 Mar 02 04:04:22 WinEvtLog: Security: AUDIT_FAILURE(4656): Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: A handle to an object was requested.    Subject:   Security ID:  S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX   Account Name:  Subject1  Account Domain:  DESKTOP   Logon ID:  0xXXXXX    Object:   Object Server:  Security   Object Type:  File   Object Name:  C:\Users\Subject2\Documents\Private.txt   Handle ID:  0xXXX   Resource Attributes: -    Process Information:   Process ID:  0xXXX   Process Name:  C:\Windows\System32\notepad.exe    Access Request Information:   Transaction ID:  {00000000-0000-0000-0000-000000000000}   Accesses:  SYNCHRONIZE      ReadData (or ListDirectory)         Access Reasons:  SYNCHRONIZE: Granted by      D:(A;;0x1200a9;;;BU)      ReadData (or ListDirectory): Granted by  D:(A;;0x1200a9;;;BU)         Access Mask:  0x100001   Privileges Used for Access Check: -   Restricted SID Count: 0'
       hostname: 'ip-10-0-0-10'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_FAILURE(4656): Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: A handle to an object was requested.    Subject:   Security ID:  S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX   Account Name:  Subject1  Account Domain:  DESKTOP   Logon ID:  0xXXXXX    Object:   Object Server:  Security   Object Type:  File   Object Name:  C:\Users\Subject2\Documents\Private.txt   Handle ID:  0xXXX   Resource Attributes: -    Process Information:   Process ID:  0xXXX   Process Name:  C:\Windows\System32\notepad.exe    Access Request Information:   Transaction ID:  {00000000-0000-0000-0000-000000000000}   Accesses:  SYNCHRONIZE      ReadData (or ListDirectory)         Access Reasons:  SYNCHRONIZE: Granted by     D:(A;;0x1200a9;;;BU)      ReadData (or ListDirectory): Granted by       D:(A;;0x1200a9;;;BU)         Access Mask:  0x100001   Privileges Used for Access Check: -   Restricted SID Count: 0'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '4656'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'Desktop'
       account_name: 'Subject1'
       account_domain: 'DESKTOP'
       logon_id: '0xXXXXX'
       accesses: ' SYNCHRONIZE      ReadData (or ListDirectory)         Access Reasons:  SYNCHRONIZE: Granted by        D:(A;;0x1200a9;;;BU)      ReadData (or ListDirectory): Granted by  D:(A;;0x1200a9;;;BU)'
       target_file: 'C:\Users\Subject2\Documents\Private.txt'

**Phase 3: Completed filtering (rules).
       Rule id: '200000'
       Level: '5'
       Description: 'Unauthorized object access by Subject1'
**Alert to be generated.

You can check this link for further information.

Hope this helps. Let me know if you need anything else.

Regards,

Yana.
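For reference, this is what the decoder and rule behind Yana's Phase 2 and Phase 3 output would look like in Wazuh's syntax: a child decoder names the extracted groups in <order>, and a rule then tests them with <field name="...">. This is an added example, not something posted in the thread; the field names, rule id, level and description follow the output above, while the child decoder's regex, its parent name and the rule group are assumptions.

```xml
<!-- local_decoder.xml: child of the built-in "windows" decoder (assumed parent name).
     The regex below is an assumption written for the 4656 event shown above;
     the capture groups are assigned, in order, to the dynamic field names. -->
<decoder name="windows-object-access">
  <parent>windows</parent>
  <regex offset="after_parent">Account Name:\s+(\S+)\s+Account Domain:\s+(\S+)\s+Logon ID:\s+(\S+)\s+\.+Object Name:\s+(\.+)\s+Handle ID:</regex>
  <order>account_name, account_domain, logon_id, target_file</order>
</decoder>

<!-- local_rules.xml: the rule only fires when the dynamic fields have the
     values we care about. <id> tests the static event id; <field> tests the
     dynamic fields by name, which is what plain OSSEC does not offer. -->
<group name="windows,object_access,">
  <rule id="200000" level="5">
    <decoded_as>windows</decoded_as>
    <id>^4656$</id>
    <field name="account_name">^Subject1$</field>
    <field name="target_file">Private.txt$</field>
    <description>Unauthorized object access by $(account_name)</description>
  </rule>
</group>
```

Feeding the full event from Phase 1 to wazuh-logtest should reproduce the three phases above; changing the account name or the file in the event makes the rule stop matching, which is the quickest way to confirm the field tests are doing the work.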
