Debugging a rule that fires when tested with ossec-logtest but never fires in production
208 views
Skip to first unread message
Kevin Branch
Jun 2, 2016, 10:45:01 PM6/2/16
to ossec-list
I am running an OSSEC 2.8.3 server and a Windows computer with OSSEC 2.8.3 agent.
The rule simply alerts on Chrome Remote Desktop events.
It uses this custom decoder:
<decoder name="chromoting">
<prematch>: chromoting: \.*chromoting</prematch>
</decoder>
The rule is:
<rule id="100040" level="3">
<decoded_as>chromoting</decoded_as>
<description>Chrome Remote Desktop event - generic</description>
</rule>
My test event is:
2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog 2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: b...@blabla.com/chromoting754CDB67.
When I feed this to ossec-logtest, the rule fires:
**Phase 3: Completed filtering (rules).
Rule id: '100040'
Level: '3'
Description: 'Chrome Remote Desktop event - generic'
**Alert to be generated.
..but when I trigger the actual event on my OSSEC agent computer, the event only shows up on the OSSEC server in archives.log, never in alerts.log.
I have restarted OSSEC server many times and varied lots of things but I can't get it to fire on the real log event, only in ossec-logtest.
Please advise. I don't have any idea what kinds of rule writing errors can be glossed over by ossec-logtest while causing rule failures in production.
Kevin
dan (ddp)
Jun 3, 2016, 9:41:37 AM6/3/16
to ossec...@googlegroups.com
On Thu, Jun 2, 2016 at 10:42 PM, Kevin Branch
<ke...@branchnetconsulting.com> wrote:
> I am running an OSSEC 2.8.3 server and a Windows computer with OSSEC 2.8.3
> agent.
>
> The rule simply alerts on Chrome Remote Desktop events.
>
> It uses this custom decoder:
>
> <decoder name="chromoting">
> <prematch>: chromoting: \.*chromoting</prematch>
I don't think regex is allowed in the prematch, the docs only mention sregex:
<ke...@branchnetconsulting.com> wrote:
> I am running an OSSEC 2.8.3 server and a Windows computer with OSSEC 2.8.3
> agent.
>
> The rule simply alerts on Chrome Remote Desktop events.
>
> It uses this custom decoder:
>
> <decoder name="chromoting">
> <prematch>: chromoting: \.*chromoting</prematch>
https://ossec.github.io/docs/syntax/head_decoders.html?highlight=prematch#element-decoder.prematch
> </decoder>
>
> The rule is:
>
> <rule id="100040" level="3">
> <decoded_as>chromoting</decoded_as>
> <description>Chrome Remote Desktop event - generic</description>
> </rule>
>
> My test event is:
>
> 2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog 2016 Jun 02
> 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no
> domain: XYZ-O9020: Client connected: b...@blabla.com/chromoting754CDB67.
>
> When I feed this to ossec-logtest, the rule fires:
>
> **Phase 3: Completed filtering (rules).
> Rule id: '100040'
> Level: '3'
> Description: 'Chrome Remote Desktop event - generic'
> **Alert to be generated.
>
> ..but when I trigger the actual event on my OSSEC agent computer, the event
> only shows up on the OSSEC server in archives.log, never in alerts.log.
>
> I have restarted OSSEC server many times and varied lots of things but I
> can't get it to fire on the real log event, only in ossec-logtest.
>
> Please advise. I don't have any idea what kinds of rule writing errors can
> be glossed over by ossec-logtest while causing rule failures in production.
>
**Phase 1: Completed pre-decoding.
full event: '2016 Jun 02 17:58:36 WinEvtLog: Application:
INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client
connected: b...@blabla.com/chromoting754CDB67.'
hostname: 'ipyr'
program_name: 'WinEvtLog'
log: 'Application: INFORMATION(1): chromoting: (no user): no
domain: XYZ-O9020: Client connected:
b...@blabla.com/chromoting754CDB67.'
**Phase 2: Completed decoding.
No decoder matched.
Changing the decoder to this:
<decoder name="chromoting">
<prematch>: chromoting: </prematch>
<program_name>^WinEvtLog</program_name>
</decoder>
it all starts to work.
I run this to get the log into syslog (I don't have a way to test it
any other way that I can think of), so it may not be exactly correct:
# echo 'Application: INFORMATION(1): chromoting: (no user): no domain:
XYZ-O9020: Client connected: b...@blabla.com/chromoting754CDB67.' |
logger -t WinEvtLog
Here's the entry from alerts.log:
** Alert 1464961149.36091: - local,syslog,
2016 Jun 03 09:39:09 ipyr->/var/log/messages
Rule: 100040 (level 3) -> 'Chrome Remote Desktop event - generic'
Jun 3 09:39:07 ipyr WinEvtLog: Application: INFORMATION(1):
I believe this is with a fairly stock 2.8.3, but I'm not positive.
> Kevin
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Kevin Branch
Jun 6, 2016, 5:41:40 PM6/6/16
to ossec-list
Thanks for helping me along. My mistake was I was shoving this into ossec-logtest, log record prefix data and all
2016 Jun 02 21:58:38 (XYZ-O9020) 192.168.15.0->WinEvtLog 2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: b...@blabla.com/chromoting754CDB67.
when I should have been feeding it only the actual log record, like this:
2016 Jun 02 17:58:36 WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: XYZ-O9020: Client connected: b...@blabla.com/chromoting754CDB67.
There was no inconsistency with ossec-logtest vs production. It was just me feeding the wrong thing into ossec-logtest.
Problem solved,
Kevin
Reply all
Reply to author
Forward
0 new messages