Symantec-av decoder issues


eholl...@gmail.com
Apr 5, 2016, 3:03:34 PM
to Wazuh mailing list
Hi All,

I'd like to start off by mentioning that I am new to working with OSSEC. I have successfully configured our OSSEC server (which also happens to be our Security Onion server) to ingest Symantec logs. I have opened a specific port, and verified that ossec-remoted service is listening on that port. Next, we have pointed Symantec syslog files to be sent to this server, and I can confirm that we are receiving them. I am seeing some OSSEC decoded alerts, but not seeing any fire for a detected virus.

An example alert that I am seeing decoded by OSSEC:
Alert Level: 2; Rule: 1002 - Unknown problem somewhere in the system.; Location: SymantecServer->xxx.xxx.xxx.xxx; Apr 5 12:16:37 SymantecServer <SERVERNAME>: <end user hostname>,Category: 2,LiveUpdate Manager,An update for Virus and Spyware Definitions Win32 (hub) from LiveUpdate failed to install. Error: Prepackage callback failed (200)

I have since tested some virus alerts with an EICAR file and can verify that a syslog alert is being sent to the OSSEC Server:
Virus found,IP Address: xxx.xxx.xxx,Computer name: <endpoint hostname>,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,<file path>\\eicar.com,'',Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2016-04-01 19:12:56,Inserted: 2016-04-01 19:14:05,End: 2016-04-01 19:12:56,Last update time: 2016-04-01 19:14:05,Domain: <DOMAIN NAME>,Group:<AV Group>,Server: <Symantec server hostname>,User: <username>,Source computer: ,Source IP: ,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: ,MDS,Application hash: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,Hash type: SHA2,Company name: ,Application name: eicar.com,Application version: ,Application type: 127,File size (bytes): 68,Category set: Malware,Category type: Virus

The issue that I am seeing is that this string is not being decoded via OSSEC. My initial thought is that the symantec-av decoder is looking for sid 7300 or 7301, and if it detects that it will create a 'Virus detected' OSSEC alert. Is this correct? Is my issue that the Symantec syslog just isn't sending the sid?

Additional details:
  • symantec-av_rules.xml and symantec-ws_rules.xml are both included in my ossec.conf file.
  • I'm not seeing any errors related to this in /var/ossec/logs/ossec.log


Please let me know if there is any additional info you may need. Thank you all very much for the help!


Eric

Pedro S
Apr 7, 2016, 9:42:34 AM
to Wazuh mailing list
Hi Eric,

Sorry for the late response, we are preparing a bunch of new features!

Seems like Symantec decoders and rules are pretty simple so they won't decode any complex event.

Your log is not being decoded by Symantec decoders:

**Phase 1: Completed pre-decoding.
       full event: 'Virus found,IP Address: xxx.xxx.xxx,Computer name: <endpoint hostname>,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,<file path>\\eicar.com,'',Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2016-04-01 19:12:56,Inserted: 2016-04-01 19:14:05,End: 2016-04-01 19:12:56,Last update time: 2016-04-01 19:14:05,Domain: <DOMAIN NAME>,Group:<AV Group>,Server: <Symantec server hostname>,User: <username>,Source computer: ,Source IP: ,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: ,MDS,Application hash: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,Hash type: SHA2,Company name: ,Application name: eicar.com,Application version: ,Application type: 127,File size (bytes): 68,Category set: Malware,Category type: Virus'
       hostname: 'ubuntu5'
       program_name: '(null)'
       log: 'Virus found,IP Address: xxx.xxx.xxx,Computer name: <endpoint hostname>,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,<file path>\\eicar.com,'',Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2016-04-01 19:12:56,Inserted: 2016-04-01 19:14:05,End: 2016-04-01 19:12:56,Last update time: 2016-04-01 19:14:05,Domain: <DOMAIN NAME>,Group:<AV Group>,Server: <Symantec server hostname>,User: <username>,Source computer: ,Source IP: ,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: ,MDS,Application hash: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,Hash type: SHA2,Company name: ,Application name: eicar.com,Application version: ,Application type: 127,File size (bytes): 68,Category set: Malware,Category type: Virus'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1003'
       Level: '13'
       Description: 'Non standard syslog message (size too large).'



One example of a Symantec event that OSSEC could read is:

240801012128,5,1,720997,RBLWAP,SYSTEM,Trojan.Zlob,C:\WINDOWS\system32\ld100.tmp,5,4,4,256,570441764,"",0,,0,,0,4254,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825

**Phase 1: Completed pre-decoding.
       full event: '240801012128,5,1,720997,RBLWAP,SYSTEM,Trojan.Zlob,C:\WINDOWS\system32\ld100.tmp,5,4,4,256,570441764,"",0,,0,,0,4254,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825'
       hostname: 'ubuntu5'
       program_name: '(null)'
       log: '240801012128,5,1,720997,RBLWAP,SYSTEM,Trojan.Zlob,C:\WINDOWS\system32\ld100.tmp,5,4,4,256,570441764,"",0,,0,,0,4254,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825'

**Phase 2: Completed decoding.
       decoder: 'symantec-av'
       id: '5'
       system_name: 'RBLWAP'
       extra_data: 'SYSTEM'

**Phase 3: Completed filtering (rules).
       Rule id: '7310'
       Level: '9'
       Description: 'Virus detected.'



In order to trigger alert 7310 "Virus detected" the Symantec event ID should be 5 or 17.

Please forward us more logs so we can review them and try to help you create new rules and decoders. I think it is very positive to expand the Symantec rules.


Best regards,

Pedro S.

eholl...@gmail.com
Apr 8, 2016, 4:16:49 PM
to Wazuh mailing list
Pedro,

Thank you for getting back to me. When I run some of the logs against ossec-logtest I get an "Unknown problem somewhere in the system", but still nothing for the virus alerts, as well as some of the Windows process protection alerts. As of now I think the most benefit would be in decoding the virus detection alerts, but I've included some other logs as examples. Please see below for some additional examples:

<Hostname>,Blocked,,File Write,Begin: 2016-04-08 11:57:19,End: 2016-04-08 11:57:19,Rule: Windows processes protection | [AC19-1.1] Block writing code,2116,C:/Windows/System32/<example_exe_file>,0,No Module Name,C:/Windows/System32/<example>.dll,User: SYSTEM,Domain: DOMAIN,Action Type: ,File size (bytes): 378368,Device ID: IDE\\DiskSAMSUNG_MZ7PC128HAFU-000H1______________CXM05H1Q\\4&297f7698&0&0.0.0


Virus found,IP Address: xxx.xxx.xxx,Computer name: HOSTNAME,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:\\Users\\user\\Downloads\\eicar_com (1)\\eicar.com,'',Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2016-04-08 20:02:13,Inserted: 2016-04-08 20:02:28,End: 2016-04-08 20:02:13,Last update time: 2016-04-08 20:02:28,Domain: DOMAIN,Group: GROUP,Server: HOSTNAME,User: user,Source computer: ,Source IP: ,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: ,MDS,Application hash: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,Hash type: SHA2,Company name: ,Application name: eicar.com,Application version: ,Application type: 127,File size (bytes): 68,Category set: Malware,Category type: Virus


HOSTNAME,Category: 2,Symantec Endpoint Protection,Symantec Endpoint Protection has determined that the virus definitions are missing on this computer. This computer will remain unprotected from viruses until virus definitions are downloaded to this computer.


Scan ID: 1459466493,Begin: 2016-04-08 15:00:03,End: 2016-04-08 16:01:10,Completed,Duration (seconds): 3667,User1: USER,User2: USER,'Scan started on all drives and all extensions.','Scan Complete: Risks: 0 Scanned: 147450 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 14765',Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 147450,Omitted: 0,Computer: HOSTNAME,IP Address: xxx.xxx.xxx.xxx,Domain: DOMAIN,Group: GROUP,Server: SERVER

Jesus Linares
Apr 11, 2016, 6:19:45 AM
to Wazuh mailing list
Hi,

Your problem is that the OSSEC decoders for Symantec are not recognizing your logs. We can help if you provide us several logs and the exact version of the Symantec product that you are running.

Also, you can create some specific decoders and rules for your events; here is an example:

local_decoder.xml:
<decoder name="test_symantec">
    <prematch>^Virus found,IP Address: </prematch>
</decoder>

local_rules.xml:
<group name="test,">
    <rule id="100002" level="15">
        <decoded_as>test_symantec</decoded_as>
        <description>Symantec: Virus found</description>
    </rule>
</group>

Test:
**Phase 1: Completed pre-decoding.
       full event: 'Virus found,IP Address: xxx.xxx.xxx,Computer name: <endpoint hostname>,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,<file path>\\eicar.com,'',Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2016-04-01 19:12:56,Inserted: 2016-04-01 19:14:05,End: 2016-04-01 19:12:56,Last update time: 2016-04-01 19:14:05,Domain: <DOMAIN NAME>,Group:<AV Group>,Server: <Symantec server hostname>,User: <username>,Source computer: ,Source IP: ,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: ,MDS,Application hash: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,Hash type: SHA2,Company name: ,Application name: eicar.com,Application version: ,Application type: 127,File size (bytes): 68,Category set: Malware,Category type: Virus'
       hostname: 'LinMV'
       program_name: '(null)'
       log: 'Virus found,IP Address: xxx.xxx.xxx,Computer name: <endpoint hostname>,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,<file path>\\eicar.com,'',Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2016-04-01 19:12:56,Inserted: 2016-04-01 19:14:05,End: 2016-04-01 19:12:56,Last update time: 2016-04-01 19:14:05,Domain: <DOMAIN NAME>,Group:<AV Group>,Server: <Symantec server hostname>,User: <username>,Source computer: ,Source IP: ,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: ,MDS,Application hash: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,Hash type: SHA2,Company name: ,Application name: eicar.com,Application version: ,Application type: 127,File size (bytes): 68,Category set: Malware,Category type: Virus'

**Phase 2: Completed decoding.
       decoder: 'test_symantec'

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '15'
       Description: 'Symantec: Virus found'

**Alert to be generated.


Regards,
Jesus Linares.

eholl...@gmail.com
Apr 22, 2016, 4:11:26 PM
to Wazuh mailing list
Hello Jesus,

Sorry for the delay on this thread. I've been pulled away for some other projects, and I've been trying to put the pieces together on this one. I am a bit confused on how OSSEC is handling some of our Symantec logs.

Here are some details:

-When testing, I run "tail -f /var/ossec/logs/alerts/alerts.log" to see any alerts that may come in. I have copied a few Symantec web attack alerts that come in as "Unknown Problem in the system". Here is an example:

** Alert 1461073548.874159: mail  - syslog,errors,
2016 Apr 19 13:45:48 SymantecServer->xxx.xxx.xxx
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Apr 19 09:44:23 SymantecServer <SEPHOSTNAME>: <HOSTNAME>,[SID: 22819] Web Attack: Suspicious Executable Image Download attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\XXXX.EXE,Local: 10.33.53.83,Local: 000000000000,Remote: ,Remote: xxx.xxx.xxx.xxx,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2016-04-19 09:42:30,End: 2016-04-19 09:42:30,Occurrences: 1,Application: C:/WINDOWS/SYSTEM32/XXXXX.EXE,Location: <location>,User: <username<,Domain: DOMAIN,Local Port 9999,Remote Port 80,CIDS Signature ID: 22819,CIDS Signature string: Web Attack: Suspicious Executable Image Download,CIDS Signature SubID: 71958,Intrusion URL: xxxxxxx.com/SMS_DP_SMSPKG$/Content_63706732-404a-4274-89ea-5228a7d2f7fa.1/sccm?/Disk1/stage/Components/oracle.oem.client/10.2.0.3.0/1/DataFiles/Expanded/filegroup123/spl/ins_ban.gif,Intrusion Payload URL:

Now, I find what shows up under OSSEC archive within Security Onion's ELSA:

2016 Apr 19 13:45:48 SymantecServer-> xxx.xxx.xxx.xxx Apr 19 09:44:23 SymantecServer <SEPHOSTNAME>: HOSTNAME,[SID: 22819] Web Attack: Suspicious Executable Image Download attack blocked. Traffic has been blocked for this application: C:\\WINDOWS\\SYSTEM32\\XXXX.EXE,Local: 10.33.53.83,Local: 000000000000,Remote: ,Remote: xxx.xxx.xxx.xxx,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2016-04-19 09:42:30,End: 2016-04-19 09:42:30,Occurrences: 1,Application: C:/WINDOWS/SYSTEM32/SVCHOST.EXE,Location: New Internal - Worcester Only,User: pcbuild20,Domain: HANOVER,Local Port 49912,Remote Port 80,CIDS Signature ID: 22819,CIDS Signature string: Web Attack: Suspicious Executable Image Download,CIDS Signature SubID: 71958,Intrusion URL: xxxxxx.com/SMS_DP_SMSPKG$/Content_63706732-404a-4274-89ea-5228a7d2f7fa.1/sccm?/Disk1/stage/Components/oracle.oem.client/10.2.0.3.0/1/DataFiles/Expanded/filegroup123/spl/ins_ban.gif,Intrusion Payload URL:

So as you can see, there are some slight differences between the two.

When I download an eicar test file to test the virus alert I never see anything within the alerts.log file. After further investigation, I do see the following in an ossec archive query within ELSA:

2016 Apr 19 15:39:33 SymantecServer->xxx.xxx.xxx.xxx Apr 19 11:36:36 SymantecServer <SEPHOSTNAME>: Virus found,IP Address: ,Computer name: HOSTNAME,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:\\Users\\<username>\\Downloads\\eicar.com.txt,'',Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2016-04-19 15:36:10,Inserted: 2016-04-19 15:36:36,End: 2016-04-19 15:36:10,Last update time: 2016-04-19 15:36:36,Domain: <DOMAINNAME>,Group: Group,Server: <SEPSERVER>,User: user,Source computer: ,Source IP: ,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: ,MDS,Application hash: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,Hash type: SHA2,Company name: ,Application name: eicar.com,

My concern is that what I am seeing above for the eicar file is processed by OSSEC and is not the true syslog format that is being sent, though I am unsure.

I did add the pre-decoder to my local_decoders.xml file and added the associated rule to my local_rules.xml file, but it did not fire. My guess is that this has something to do with it not showing up in the alerts.log file, but I could use some guidance. If I need to collect more data please let me know.

Thank you!

Eric




eholl...@gmail.com
May 19, 2016, 2:18:21 PM
to Wazuh mailing list
Hi All,

Just wondering if there were any other tips on getting this going. Thank you in advance!


Eric


Jesus Linares
May 20, 2016, 6:17:42 AM
to Wazuh mailing list
Hi Eric,

First of all, the difference between logs in archives.log and alerts.log is normal:

alerts.log:

** Alert 1461073548.874159: mail  - syslog,errors,
2016 Apr 19 13:45:48 SymantecServer->xxx.xxx.xxx
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Apr 19 09:44:23 SymantecServer <SEPHOSTNAME>: <HOSTNAME>,[SID: 22819] Web Attack: Suspicious Executable Image Download attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\XXXX.EXE,Local: 10.33.53.83,Local: 000000000000,Remote: ,Remote: xxx.xxx.xxx.xxx,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2016-04-19 09:42:30,End: 2016-04-19 09:42:30,Occurrences: 1,Application: C:/WINDOWS/SYSTEM32/XXXXX.EXE,Location: <location>,User: <username<,Domain: DOMAIN,Local Port 9999,Remote Port 80,CIDS Signature ID: 22819,CIDS Signature string: Web Attack: Suspicious Executable Image Download,CIDS Signature SubID: 71958,Intrusion URL: xxxxxxx.com/SMS_DP_SMSPKG$/Content_63706732-404a-4274-89ea-5228a7d2f7fa.1/sccm?/Disk1/stage/Components/oracle.oem.client/10.2.0.3.0/1/DataFiles/Expanded/filegroup123/spl/ins_ban.gif,Intrusion Payload URL:


archives.log:

2016 Apr 19 13:45:48 SymantecServer-> xxx.xxx.xxx.xxx Apr 19 09:44:23 SymantecServer <SEPHOSTNAME>: HOSTNAME,[SID: 22819] Web Attack: Suspicious Executable Image Download attack blocked. Traffic has been blocked for this application: C:\\WINDOWS\\SYSTEM32\\XXXX.EXE,Local: 10.33.53.83,Local: 000000000000,Remote: ,Remote: xxx.xxx.xxx.xxx,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2016-04-19 09:42:30,End: 2016-04-19 09:42:30,Occurrences: 1,Application: C:/WINDOWS/SYSTEM32/SVCHOST.EXE,Location: New Internal - Worcester Only,User: pcbuild20,Domain: HANOVER,Local Port 49912,Remote Port 80,CIDS Signature ID: 22819,CIDS Signature string: Web Attack: Suspicious Executable Image Download,CIDS Signature SubID: 71958,Intrusion URL: xxxxxx.com/SMS_DP_SMSPKG$/Content_63706732-404a-4274-89ea-5228a7d2f7fa.1/sccm?/Disk1/stage/Components/oracle.oem.client/10.2.0.3.0/1/DataFiles/Expanded/filegroup123/spl/ins_ban.gif,Intrusion Payload URL:

The red part is a header that OSSEC writes in archives.log. The real log is what you see in blue.


Let's see what ossec-logtest says about your logs:

log 1: Apr 19 09:44:23 SymantecServer <SEPHOSTNAME>: <HOSTNAME>,[SID: 22819] Web Attack: Suspicious...
**Phase 1: Completed pre-decoding.
       full event: 'Apr 19 09:44:23 SymantecServer <SEPHOSTNAME>: <HOSTNAME>,[SID: 22819] Web Attack: Suspicious...'
       hostname: 'SymantecServer'
       program_name: '(null)'
       log: '<SEPHOSTNAME>: <HOSTNAME>,[SID: 22819] Web Attack: Suspicious...'

log 2: Apr 19 11:36:36 SymantecServer <SEPHOSTNAME>: Virus found,IP Address:...
**Phase 1: Completed pre-decoding.
       full event: 'Apr 19 11:36:36 SymantecServer <SEPHOSTNAME>: Virus found,IP Address:...'
       hostname: 'SymantecServer'
       program_name: '(null)'
       log: '<SEPHOSTNAME>: Virus found,IP Address:...'

As you can see, the common part is <SEPHOSTNAME>, so we can create a decoder with that prematch:

local_decoder.xml:
<decoder name="test_symantec">
    <prematch>^\pSEPHOSTNAME\p</prematch>
</decoder>

local_rules.xml:
<group name="test,">
    <rule id="100002" level="3">
        <decoded_as>test_symantec</decoded_as>
        <description>Symantec messages</description>
    </rule>

    <rule id="100003" level="7">
        <if_sid>100002</if_sid>
        <match>Virus found</match>
        <description>Symantec: virus found</description>
    </rule>
</group>


Test:
Apr 19 11:36:36 SymantecServer <SEPHOSTNAME>: Virus found,IP Address: ,Computer name: HOSTNAME,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:\\Users\\<username>\\Downloads\\eicar.com.txt,'',Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2016-04-19 15:36:10,Inserted: 2016-04-19 15:36:36,End: 2016-04-19 15:36:10,Last update time: 2016-04-19 15:36:36,Domain: <DOMAINNAME>,Group: Group,Server: <SEPSERVER>,User: user,Source computer: ,Source IP: ,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: ,MDS,Application hash: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,Hash type: SHA2,Company name: ,Application name: eicar.com,

**Phase 1: Completed pre-decoding.
       full event: 'Apr 19 11:36:36 SymantecServer <SEPHOSTNAME>: Virus found,IP Address: ,Computer name: HOSTNAME,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:\\Users\\<username>\\Downloads\\eicar.com.txt,'',Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2016-04-19 15:36:10,Inserted: 2016-04-19 15:36:36,End: 2016-04-19 15:36:10,Last update time: 2016-04-19 15:36:36,Domain: <DOMAINNAME>,Group: Group,Server: <SEPSERVER>,User: user,Source computer: ,Source IP: ,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: ,MDS,Application hash: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,Hash type: SHA2,Company name: ,Application name: eicar.com,'
       hostname: 'SymantecServer'
       program_name: '(null)'
       log: '<SEPHOSTNAME>: Virus found,IP Address: ,Computer name: HOSTNAME,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:\\Users\\<username>\\Downloads\\eicar.com.txt,'',Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2016-04-19 15:36:10,Inserted: 2016-04-19 15:36:36,End: 2016-04-19 15:36:10,Last update time: 2016-04-19 15:36:36,Domain: <DOMAINNAME>,Group: Group,Server: <SEPSERVER>,User: user,Source computer: ,Source IP: ,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: ,MDS,Application hash: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,Hash type: SHA2,Company name: ,Application name: eicar.com,'

**Phase 2: Completed decoding.
       decoder: 'test_symantec'

**Phase 3: Completed filtering (rules).
       Rule id: '100003'
       Level: '7'
       Description: 'Symantec: virus found'
**Alert to be generated.


We used <SEPHOSTNAME> in the decoder, but that can change, right? So I suggest you change your log format, for example, add a tag: "Apr 19 11:36:36 SymantecServer TAG <SEPHOSTNAME>: Virus found,IP Address:..." and use that tag in the decoder to identify Symantec logs.

Regards.
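A small Python model of the three ossec-logtest phases walked through above (syslog pre-decoding, the "^\pSEPHOSTNAME\p" prematch decoder, and the 100002/100003 rule chain), extended with the key/value field extraction the simple decoders never attempt. This is an added example, not code from the thread or from OSSEC; the sample lines, the "otherhost" sshd event and the trimmed field list are constructed, and the Python regexes stand in for OSSEC's own regex engine.

```python
import re

# Constructed sample lines in the shape ossec-logtest printed above (placeholders and the
# EICAR hash kept, field list trimmed); the sshd line is an unrelated event for contrast.
SAMPLE_LOGS = [
    "Apr 19 11:36:36 SymantecServer <SEPHOSTNAME>: Virus found,IP Address: ,Computer name: HOSTNAME,"
    "Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,"
    r"C:\\Users\\user\\Downloads\\eicar.com.txt,'',Actual action: Cleaned by deletion,"
    "Requested action: Cleaned,Event time: 2016-04-19 15:36:10,User: user,Application hash: "
    "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,Hash type: SHA2,Category type: Virus",
    "Apr 19 09:44:23 SymantecServer <SEPHOSTNAME>: HOSTNAME,[SID: 22819] Web Attack: "
    "Suspicious Executable Image Download attack blocked.,Local: 10.33.53.83,Inbound,TCP",
    "Apr 19 09:50:00 otherhost sshd[123]: Failed password for user from 10.0.0.5 port 22 ssh2",
]

# Phase 1: syslog pre-decoding. "<SEPHOSTNAME>" is not a valid program name (it starts with
# "<"), which is why logtest showed program_name '(null)' and the log beginning there.
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<rest>.*)$")
PROG_RE = re.compile(r"^(?P<prog>[\w./-]+)(\[\d+\])?: (?P<log>.*)$")

def predecode(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    p = PROG_RE.match(m.group("rest"))
    prog, log = (p.group("prog"), p.group("log")) if p else (None, m.group("rest"))
    return {"hostname": m.group("host"), "program_name": prog, "log": log}

# Phase 2: the thread's local decoder; OSSEC's ^\pSEPHOSTNAME\p written as a Python regex.
SEP_PREMATCH = re.compile(r"^<SEPHOSTNAME>: ")
def decode(log):
    return "test_symantec" if SEP_PREMATCH.search(log) else None

# Phase 3: the thread's two rules; a child (if_sid) fires only after its parent, last match wins.
RULES = [
    {"id": 100002, "level": 3, "decoded_as": "test_symantec", "description": "Symantec messages"},
    {"id": 100003, "level": 7, "if_sid": 100002, "match": "Virus found", "description": "Symantec: virus found"},
]

def evaluate(decoder, log):
    fired = None
    for rule in RULES:
        if "decoded_as" in rule and rule["decoded_as"] != decoder:
            continue
        if "if_sid" in rule and (fired is None or fired["id"] != rule["if_sid"]):
            continue
        if "match" in rule and rule["match"] not in log:
            continue
        fired = rule
    return fired

# Field extraction the simple decoders skip: "Key: value" tokens become named fields; bare
# tokens (the event name, the file path, the '' placeholder) are kept positionally.
def parse_virus_found(log):
    body = log.split(": ", 1)[1]          # drop the "<SEPHOSTNAME>: " prefix
    fields, positional = {}, []
    for token in body.split(","):
        key, sep, value = token.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
        elif token:
            positional.append(token)
    return fields, positional

def process(line):
    pre = predecode(line)
    decoder = decode(pre["log"])
    rule = evaluate(decoder, pre["log"])
    result = {"hostname": pre["hostname"], "decoder": decoder, "fields": {}, "file": None,
              "rule_id": rule["id"] if rule else None, "level": rule["level"] if rule else None}
    if rule and rule["id"] == 100003:
        result["fields"], positional = parse_virus_found(pre["log"])
        result["file"] = positional[1] if len(positional) > 1 else None
    return result
```

Running process() over SAMPLE_LOGS gives rule 100003 (level 7) with the risk name, file path and application hash pulled out for the EICAR line, rule 100002 (level 3) for the web-attack line, and no local decoder or rule for the sshd line.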

eholl...@gmail.com
Jun 9, 2016, 10:37:17 AM
to Wazuh mailing list
Thank you for the help with this. I am up and running!

