Applocker Local Rule Help


Rob B

Apr 22, 2016, 11:30:26 AM
to ossec-list
Hi Folks,

   I have a rule for applocker created as follows:

<rule id="100046" level="12">
  <if_sid>18103</if_sid>
  <status>^8004$</status>
  <description>AppLocker - blocked program.</description>
</rule>

Problem: I only see the Windows "error event" as a level 5 alert coming in from sid 18103; the error event contains all the information I am looking for, but my rule 100046 above does nothing.

As additional info, I also have the following rule:

<rule id="100045" level="12">
  <if_sid>18100</if_sid>
  <status>^8003$|^8004$</status>
  <description>Applocker - blocked program.</description>
</rule>

(Could this possibly cause a conflict?)


Question: overall, could someone shed some light here as to why rule 100046 does not fire?

Thanks!!!

Rob



dan (ddp)

Apr 22, 2016, 11:35:10 AM
to ossec...@googlegroups.com
Can you provide a log sample?

Rob B

Apr 22, 2016, 11:50:12 AM
to ossec-list
dan,

  I have this from the alerts log:

** Alert 1461339927.2762520: - windows,system_error,
2016 Apr 22 08:45:27 (VICTIM0) 10.0.1.100->WinEvtLog
Rule: 18103 (level 5) -> 'Windows error event.'
User: cuckoo
2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004): Microsoft-Windows-AppLocker: user:  VICTIM0.domain.com: \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.


Side note: I have been running logtest and executing the play, though nothing shows in logtest.  Should I see the event fire as output in my terminal session?

Thanks, Rob

dan (ddp)

Apr 22, 2016, 12:21:48 PM
to ossec...@googlegroups.com
On Fri, Apr 22, 2016 at 11:50 AM, Rob B <rba...@netorian.com> wrote:
> dan,
>
> I have this from the alerts log:
>
> ** Alert 1461339927.2762520: - windows,system_error,
> 2016 Apr 22 08:45:27 (VICTIM0) 10.0.1.100->WinEvtLog
> Rule: 18103 (level 5) -> 'Windows error event.'
> User: cuckoo
> 2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL:
> ERROR(8004): Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
> \\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.
>

Ok, so I installed 2.8.3 and here is what a vanilla 2.8.3's
ossec-logtest gives us for this log message:
**Phase 1: Completed pre-decoding.
full event: '2016 Apr 22 11:46:32 WinEvtLog:
Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
running.'
hostname: 'ipyr'
program_name: '(null)'
log: '2016 Apr 22 11:46:32 WinEvtLog:
Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
running.'

**Phase 2: Completed decoding.
decoder: 'windows'

**Phase 3: Completed filtering (rules).
Rule id: '18100'
Level: '0'
Description: 'Group of windows rules.'

Unfortunately it doesn't decode the status field, and triggers 18100
instead of 18103.

Adding the following decoder gets me to the same point you're at:
<decoder name="windows-applocker">
  <parent>windows</parent>
  <type>windows</type>
  <prematch>WinEvtLog: Microsoft-Windows-AppLocker</prematch>
  <regex offset="after_prematch">: (ERROR)\p(\d+)</regex>
  <order>status,id</order>
</decoder>

Notice that the status field will be "ERROR" and the id field will be
"8004." The logtest follows, with the final rule after that.


logtest:
**Phase 1: Completed pre-decoding.
full event: '2016 Apr 22 11:46:32 WinEvtLog:
Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
running.'
hostname: 'ipyr'
program_name: '(null)'
log: '2016 Apr 22 11:46:32 WinEvtLog:
Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
running.'

**Phase 2: Completed decoding.
decoder: 'windows'
status: 'ERROR'
id: '8004'

**Phase 3: Completed filtering (rules).
Rule id: '18103'
Level: '5'
Description: 'Windows error event.'
**Alert to be generated.

So I modified the rule you posted like so:
<rule id="100046" level="12">
  <if_sid>18103</if_sid>
  <status>ERROR</status>  <!-- The status will be ERROR -->
  <id>^8004$</id>         <!-- Windows decoders seem to prefer id for this type of info -->
  <description>AppLocker - blocked program.</description>
</rule>

Using that rule gives me the following output:
**Phase 1: Completed pre-decoding.
full event: '2016 Apr 22 11:46:32 WinEvtLog:
Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
running.'
hostname: 'ipyr'
program_name: '(null)'
log: '2016 Apr 22 11:46:32 WinEvtLog:
Microsoft-Windows-AppLocker/EXE and DLL: ERROR(8004):
Microsoft-Windows-AppLocker: user: VICTIM0.domain.com:
\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from
running.'

**Phase 2: Completed decoding.
decoder: 'windows'
status: 'ERROR'
id: '8004'

**Phase 3: Completed filtering (rules).
Rule id: '100046'
Level: '12'
Description: 'AppLocker - blocked program.'
**Alert to be generated.
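A worked model of what the three logtest runs above are showing, added here as an example (Python; it is not OSSEC's own code and not from the thread). It emulates the decoder step (prematch, then a regex applied after the prematch, in a subset of OSSEC's regex dialect where \p is punctuation and \d a digit) and the if_sid rule chain closely enough to reproduce all three outcomes on the quoted log line: vanilla 2.8.3 stops at 18100, the decoder alone gets to 18103, and the status=ERROR / id=^8004$ rule reaches 100046. It also shows why rule 100045 cannot be a conflict: its status pattern is numeric and the decoded status field never is. Assumptions: the stock rule 18103 is modelled as "status begins with ERROR"; the 8003 sample line, WIDER_DECODER and rule 100047 are my additions to show the same decoder generalised to AppLocker audit-only (8003) events, and are not part of the thread.

```python
"""Model of the ossec-logtest decode/rule pipeline for the AppLocker line in this thread.

Added example, not OSSEC's own code. Re-implements just enough of the decoder and rule
matching (subset of OSSEC's regex dialect, prematch + after_prematch regex, if_sid
chaining) to show why <status>^8004$</status> never fires and why status=ERROR / id=8004
does. Rule 18103 is modelled as "status starts with ERROR" (assumption about the stock
windows rules); AUDITED_8003, WIDER_DECODER and AUDIT_100047 are my additions.
"""
import re

# Constructed sample lines. The 8004 line copies the shape and values of the alert quoted
# in the thread; the 8003 line mirrors an AppLocker audit-only event and is invented.
BLOCKED_8004 = ("2016 Apr 22 11:46:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: "
                "ERROR(8004): Microsoft-Windows-AppLocker: user:  VICTIM0.domain.com: "
                r"\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was prevented from running.")
AUDITED_8003 = ("2016 Apr 22 11:47:01 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: "
                "WARNING(8003): Microsoft-Windows-AppLocker: user:  VICTIM0.domain.com: "
                r"\\10.0.1.10\SHARE\MALWARE_FOR_DEMO\PSCP.EXE was allowed to run but would "
                "have been prevented from running if the AppLocker policy were enforced.")

# Subset of OSSEC's regex dialect: \p = punctuation, \d = digit, \w = [A-Za-z0-9_],
# \s = space, \. = literal dot. Anchors, groups, + and | pass straight through to re.
OSSEC_CLASSES = {
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
    "d": "[0-9]",
    "w": "[A-Za-z0-9_]",
    "s": " ",
    ".": r"\.",
}


def ossec_to_python(pattern):
    """Translate the OSSEC character classes above into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern) and pattern[i + 1] in OSSEC_CLASSES:
            out.append(OSSEC_CLASSES[pattern[i + 1]])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


DAN_DECODER = {"prematch": "WinEvtLog: Microsoft-Windows-AppLocker",
               "regex": r": (ERROR)\p(\d+)", "order": ["status", "id"]}
# Generalisation (mine, not from the thread): capture whatever severity word precedes the id.
WIDER_DECODER = dict(DAN_DECODER, regex=r": (\w+)\p(\d+)")


def decode(line, decoder):
    """Child decoder: locate the prematch, then run the regex on the text after it."""
    if decoder is None:
        return {}
    pos = line.find(decoder["prematch"])
    if pos < 0:
        return {}
    rest = line[pos + len(decoder["prematch"]):]
    m = re.search(ossec_to_python(decoder["regex"]), rest)
    return dict(zip(decoder["order"], m.groups())) if m else {}


def rule(rid, level, if_sid, desc, **fields):
    """Field patterns (status=..., id=...) are OSSEC regexes applied to decoded fields."""
    return {"id": rid, "level": level, "if_sid": if_sid, "desc": desc, "fields": fields}


BASE_RULES = [
    rule(18100, 0, None, "Group of windows rules."),
    rule(18103, 5, 18100, "Windows error event.", status="^ERROR"),
]
RULE_100045 = rule(100045, 12, 18100, "Applocker - blocked program.", status="^8003$|^8004$")
ORIGINAL_100046 = rule(100046, 12, 18103, "AppLocker - blocked program.", status="^8004$")
FIXED_100046 = rule(100046, 12, 18103, "AppLocker - blocked program.", status="ERROR", id="^8004$")
AUDIT_100047 = rule(100047, 7, 18100, "AppLocker - audit-only program.", status="^WARNING", id="^8003$")


def evaluate(line, decoder, rules):
    """Walk the rules in order. A rule is eligible once its if_sid parent has matched and
    every field pattern matches the decoded value (a missing field never matches). The
    last match is what logtest reports; this flattens OSSEC's rule tree but is exact
    for the parent/child chain used here."""
    fields = decode(line, decoder)
    matched, winner = set(), None
    for r in rules:
        if r["if_sid"] is not None and r["if_sid"] not in matched:
            continue
        if not all(k in fields and re.search(ossec_to_python(p), fields[k])
                   for k, p in r["fields"].items()):
            continue
        matched.add(r["id"])
        winner = r
    return winner, fields


if __name__ == "__main__":
    for label, dec, custom in [
        ("vanilla 2.8.3, original rules", None, [RULE_100045, ORIGINAL_100046]),
        ("decoder added, original rules", DAN_DECODER, [RULE_100045, ORIGINAL_100046]),
        ("decoder added, fixed rule", DAN_DECODER, [RULE_100045, FIXED_100046]),
    ]:
        win, fields = evaluate(BLOCKED_8004, dec, BASE_RULES + custom)
        print(f"{label}: fields={fields} -> rule {win['id']} level {win['level']}")
    win, fields = evaluate(AUDITED_8003, WIDER_DECODER, BASE_RULES + [AUDIT_100047])
    print(f"8003 with wider decoder: fields={fields} -> rule {win['id']} level {win['level']}")
```

Note that with dan's decoder the 8003 audit line decodes to nothing, because the regex only captures the literal word ERROR; if you also want the audit-only events (the 8003 half of rule 100045), the decoder regex has to capture the severity word generically, which is what WIDER_DECODER does.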

Rob B

Apr 22, 2016, 12:42:51 PM
to ossec-list
Very interesting....   and thanks a lot dan!!!!

I guess I need to fix my logtest too, it probably would have helped me figure it out.    Thanks again!!  ;-)

Rob

dan (ddp)

Apr 22, 2016, 12:44:25 PM
to ossec...@googlegroups.com
On Fri, Apr 22, 2016 at 12:42 PM, Rob B <rba...@netorian.com> wrote:
> Very interesting.... and thanks a lot dan!!!!
>
> I guess I need to fix my logtest too, it probably would have helped me
> figure it out. Thanks again!! ;-)
>

No problem. If you post which version of OSSEC you're using, and the
logtest output, we might be able to help.

Rob B

Apr 22, 2016, 3:34:29 PM
to ossec-list
dan,

  quick question for <match> :

What is the best way to take care of whitespace and a quote in a string, such as:

<match>^route-null.cmd" delete</match>

Thanks!, Rob

dan (ddp)

Apr 25, 2016, 9:35:20 AM
to ossec...@googlegroups.com
On Fri, Apr 22, 2016 at 3:34 PM, Rob B <rba...@netorian.com> wrote:
> dan,
>
> quick question for <match> :
>
> What is the best way to take care of whitespace and a quote in string
> example?, such as:
>
> <match>^route-null.cmd" delete</match>
>

For a <match> it should be exact. I think the quote should be fine as is.
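An added example (Python, not OSSEC's source) of how the `<match>` string from the question behaves, modelling OSSEC's literal match as I understand it: `^` anchors to the start of the log, `$` to the end, `|` separates alternatives, and every other character, the double quote and the space included, is taken literally. Two things worth checking against the logtest output earlier in the thread: the log field there begins with the timestamp and "WinEvtLog:", so a leading `^` will only match if the text really starts there; and the dot in `route-null.cmd` is literal in `<match>` but a wildcard in `<regex>`. The log line below is constructed for the example.

```python
"""How an OSSEC <match> string containing '.', a double quote and a space behaves.

Added example, not OSSEC's source. os_match() models the literal <match> as I
understand it: '^' anchors to the start of the log, '$' to the end, '|' separates
alternatives, everything else is literal. regex_match() is the contrast case where,
as in OSSEC's <regex>, '.' matches any character.
"""
import re

# Constructed WinEvtLog-style line (same layout as the AppLocker line in the thread,
# but the event and command line are invented for this example).
LOG = ('2016 Apr 22 14:02:10 WinEvtLog: Security: AUDIT_SUCCESS(4688): '
       'Microsoft-Windows-Security-Auditing: SYSTEM: NT AUTHORITY: VICTIM0.domain.com: '
       'A new process has been created. Process Command Line: '
       '"C:\\scripts\\route-null.cmd" delete 10.0.0.0')


def os_match(pattern, text):
    """Literal <match>: True if any '|' alternative is found in text, honouring ^ and $."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        literal = alt[1 if anchored_start else 0:len(alt) - 1 if anchored_end else len(alt)]
        if anchored_start and anchored_end:
            hit = text == literal
        elif anchored_start:
            hit = text.startswith(literal)
        elif anchored_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text  # quote and space are just characters here
        if hit:
            return True
    return False


def regex_match(pattern, text):
    """Contrast: in a <regex>, '.' is a wildcard, so route-null.cmd also matches
    route-nullXcmd and a literal dot has to be written as '\\.'."""
    return re.search(pattern, text) is not None


# A line where the dot is something else, to show the literal/wildcard difference.
LOOKALIKE = LOG.replace("route-null.cmd", "route-nullXcmd")

if __name__ == "__main__":
    print("<match> plain   :", os_match('route-null.cmd" delete', LOG))
    print("<match> with ^  :", os_match('^route-null.cmd" delete', LOG))
    print("<match> lookalike:", os_match('route-null.cmd" delete', LOOKALIKE))
    print("<regex> lookalike:", regex_match('route-null.cmd" delete', LOOKALIKE))
    print("<regex> escaped  :", regex_match(r'route-null\.cmd" delete', LOOKALIKE))
```

In practice this means the string from the question works in a `<match>` exactly as written, as long as the leading `^` is dropped (or the pattern is written against whatever the log field actually starts with).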