Please help with CDB lists....


Brent Morris

Mar 31, 2015, 4:52:51 PM
to ossec...@googlegroups.com
Raw Log...

2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: Username: SYSTEM-NAME: SYSTEM-NAME: Process Create:      UtcTime: 3/31/2015 06:37:27.465 PM      ProcessGuid: {7531FA7E-E967-551A-0000-0010D2A58706}      ProcessId: 5868      Image: C:\Folder\Folder\file.exe      CommandLine: C:\Folder\Folder\file.exe       User: DOMAIN\Username      LogonGuid: {7531FA7E-E963-551A-0000-0020EB238706}      LogonId: 0x68723eb      TerminalSessionId: 1      IntegrityLevel: no level      HashType: SHA1      Hash: 19AF48C6B036E722D74FA00C4E852774236D2F38      ParentProcessGuid: {7531FA7E-E965-551A-0000-0010038F8706}      ParentProcessId: 476      ParentImage: C:\Folder\Folder\Parent.exe      ParentCommandLine: "C:\Folder\Folder\Parent.exe"

Decoded...

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'C:\Folder\Folder\file.exe'
       dstuser: 'DOMAIN\Username'
       url: '19AF48C6B036E722D74FA00C4E852774236D2F38'
       extra_data: 'C:\Folder\Folder\Parent.exe'

**Phase 3: Completed filtering (rules).
       Rule id: '100242'
       Level: '12'
       Description: 'Unauthorized Process Detected'
**Alert to be generated.


Rules...

<rule id="100241" level="0">
  <if_sid>18100</if_sid>
  <list field="url">rules/lists/filelist</list>
  <description>Authorized Process</description>
</rule>

<rule id="100242" level="12">
  <if_sid>18100</if_sid>
  <list field="url" lookup="not_match_key">rules/lists/filelist</list>
  <description>Unauthorized Process</description>
</rule>

CDB file contents...

19AF48C6B036E722D74FA00C4E852774236D2F38:file.exe

Goal:

I would like to monitor a system for expected behavior and receive alerts when unexpected behavior occurs.  I have a list of SHA1 hashes of the executables as in the CDB file contents above.  I simply want an alert when there are processes executed from this system outside of its baseline.

Issue:

I cannot get a MATCH to work in the CDB.  Maybe it's something simple and I've just been looking at this too long.  I've commented out the 100242 rule and I cannot get 100241 to work.

Much of the documentation supports no file extensions on the cdb lists in the ossec.conf and in the rules.xml - although I can find examples where people have included extensions...

Maybe something silly I've overlooked?  Please... someone slap some sense into me!!! 

Thank you!




DefensiveDepth

Mar 31, 2015, 6:05:32 PM
to ossec...@googlegroups.com
1) Confirm that you have the list referenced in ossec.conf, ie <list>lists/psexec</list>

2) Create the cdb file with no extension, ie vi /var/ossec/lists/psexec

3) Run: /var/ossec/bin/ossec-makelists, it should create a file named psexec.cdb in the lists folder

When doing my first CDB list a couple months back I ran into some weird issues with the ossec-makelists & file extensions...  The above are my raw notes that eventually worked....

-Josh

Brent Morris

Apr 1, 2015, 12:29:06 PM
to ossec...@googlegroups.com
I found it...

The issue was that I prepended a / to the ossec.conf <list> entry.

bad
<list>/lists/filename</list>

good!
<list>lists/filename</list>


Thanks for your help!
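The following is an added example, not code from this thread or from OSSEC itself. It models how the two rules in the first post evaluate a Sysmon "Process Create" event against the key:value list that ossec-makelists compiles: the hash lands in the decoder's `url` field (as the Phase 2 output shows), rule 100241 fires on `match_key`, and rule 100242 fires on `not_match_key`. The function names (`parse_cdb_source`, `decode_hash`, `list_lookup`, `evaluate`), the second list entry and the trimmed log template are the example's own constructions; it also assumes a CDB key comparison is byte-exact, so a lowercase hash in the list would not match the uppercase hex Sysmon emits. The `match_key_value` lookup mode is not modelled.

```python
import re

# Constructed sample input: the plain-text list source the thread compiles with
# ossec-makelists ("key:value" per line), with one extra entry added for the example.
CDB_SOURCE = """\
# authorized process hashes (SHA1:name)
19AF48C6B036E722D74FA00C4E852774236D2F38:file.exe
0000000000000000000000000000000000000001:other.exe
"""

# Constructed sample input: a trimmed version of the Sysmon line from the thread;
# the caller substitutes the hash to exercise both rules.
SYSMON_TEMPLATE = (
    "2015 Mar 31 11:37:27 WinEvtLog: System: INFORMATION(1): Sysmon: "
    "Process Create:      Image: C:\\Folder\\Folder\\file.exe      "
    "HashType: SHA1      Hash: {hash}      "
    "ParentImage: C:\\Folder\\Folder\\Parent.exe"
)


def parse_cdb_source(text):
    """Parse key:value lines into a dict, the way ossec-makelists keys a CDB.
    Keys are kept byte-exact (assumed case-sensitive, like the real lookup)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed list line (no ':'): {raw!r}")
        entries[key] = value
    return entries


def decode_hash(log_line):
    """Mimic the 'windows' decoder in the thread, which places the Sysmon
    Hash value in the 'url' field. Returns None when no hash is present."""
    m = re.search(r"\bHash:\s*([0-9A-Fa-f]+)", log_line)
    return m.group(1) if m else None


def list_lookup(entries, key, lookup="match_key"):
    """Evaluate a <list field=...> check in the two lookup modes the thread's
    rules use: match_key (the default) and not_match_key. A missing field
    never matches in either mode."""
    if key is None:
        return False
    present = key in entries
    if lookup == "match_key":
        return present
    if lookup == "not_match_key":
        return not present
    raise ValueError(f"unsupported lookup mode: {lookup}")


def evaluate(log_line, entries):
    """Return the rule id that would fire for this event under the thread's
    rules: 100241 (authorized, level 0) or 100242 (unauthorized, level 12)."""
    url = decode_hash(log_line)
    if list_lookup(entries, url, "match_key"):
        return 100241
    if list_lookup(entries, url, "not_match_key"):
        return 100242
    return None


if __name__ == "__main__":
    baseline = parse_cdb_source(CDB_SOURCE)
    known = SYSMON_TEMPLATE.format(hash="19AF48C6B036E722D74FA00C4E852774236D2F38")
    unknown = SYSMON_TEMPLATE.format(hash="DEADBEEF" * 5)
    print("baseline binary ->", evaluate(known, baseline))    # 100241
    print("unlisted binary ->", evaluate(unknown, baseline))  # 100242
```

Running the block shows the allowlist behaviour the original poster was after: a hash present in the list is absorbed by the level-0 rule, and anything else raises the level-12 alert. The lowercase-hash case in the test below is the caveat worth remembering when the list is built from another tool's output.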