Bug in sysmon event ID 3 decoder + fix.


InfoSec

Apr 29, 2018, 10:58:49 AM
to Wazuh mailing list
SysMon event ID 3 decoder fails in case the SourcePortName has a value, and works fine if SourcePortName is empty.

The following sample event taken "as is" from the decoder decodes as expected:

2015 Nov 19 20:33:25 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(3): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Network connection detected:  UtcTime: 2015-11-19 19:33:23.824  ProcessGuid: {0B364D7C-23F6-564E-0000-00100D5A1100}  ProcessId: 2028  Image: C:\Program Files (x86)\Internet Explorer\iexplore.exe  User: WIN-K3UD9R5LCEL\Administrator  Protocol: tcp  Initiated: true  SourceIsIpv6: false  SourceIp: 192.168.2.201  SourceHostname: WIN-K3UD9R5LCEL.LinDomain  SourcePort: 49192  SourcePortName:   DestinationIsIpv6: false  DestinationIp: XXX.58.XXX.206  DestinationHostname: webdest  DestinationPort: 443  DestinationPortName: https


But if it has a source port name (faked below with a source port name of "whatever"), the decoder fails:

2015 Nov 19 20:33:25 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(3): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: WIN-K3UD9R5LCEL: Network connection detected:  UtcTime: 2015-11-19 19:33:23.824  ProcessGuid: {0B364D7C-23F6-564E-0000-00100D5A1100}  ProcessId: 2028  Image: C:\Program Files (x86)\Internet Explorer\iexplore.exe  User: WIN-K3UD9R5LCEL\Administrator  Protocol: tcp  Initiated: true  SourceIsIpv6: false  SourceIp: 192.168.2.201  SourceHostname: WIN-K3UD9R5LCEL.LinDomain  SourcePort: 49192  SourcePortName: whatever  DestinationIsIpv6: false  DestinationIp: XXX.58.XXX.206  DestinationHostname: webdest  DestinationPort: 443  DestinationPortName: https

Fix:
Change: SourcePortName:\.+DestinationIsIpv6:
To:     SourcePortName: \.*\s+DestinationIsIpv6:
or better
To:     SourcePortName: (\.*)\s+DestinationIsIpv6:
which would extract the SourcePortName if it is not blank; in this case add the SrcPortName in the proper order,

and to be consistent extract the DestinationPortName after the destination port:

Replace: DestinationPort: (\S*)</regex>
With:    DestinationPort: (\S*)\s+DstPortName:\s(\S*)</regex>

Results:

**Phase 2: Completed decoding.
       decoder: 'windows'
       id: '3'
       PGuid: '{0B364D7C-23F6-564E-0000-00100D5A1100}'
       PID: '2028'
       Process: 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
       domain: 'WIN-K3UD9R5LCEL'
       subject: 'Administrator'
       protocol: 'tcp'
       Init: 'true'
       SrcIsIpv6: 'false'
       srcip: '192.168.2.201'
       SrcHost: 'WIN-K3UD9R5LCEL.LinDomain'
       srcport: '49192'
       SPort: ''
       DstIsIpv6: 'false'
       dst_ip: 'XXX.58.XXX.206'
       DstHost: 'webdest'
       dstport: '443'
       DPort: 'https'


**Phase 2: Completed decoding.
       decoder: 'windows'
       id: '3'
       PGuid: '{0B364D7C-23F6-564E-0000-00100D5A1100}'
       PID: '2028'
       Process: 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
       domain: 'WIN-K3UD9R5LCEL'
       subject: 'Administrator'
       protocol: 'tcp'
       Init: 'true'
       SrcIsIpv6: 'false'
       srcip: '192.168.2.201'
       SrcHost: 'WIN-K3UD9R5LCEL.LinDomain'
       srcport: '49192'
       SPort: 'whatever'
       DstIsIpv6: 'false'
       dstip: 'XXX.58.XXX.206'
       DstHost: 'webdest'
       dstport: '443'
       DPort: 'https'

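A quick way to check what the proposed decoder patterns capture on both sample events, as an added example that is not part of this thread or of the Wazuh ruleset: it translates the OSSEC regex dialect (`\.` for any character, `\s`, `\S`, and so on) into Python regexes and runs the source and destination patterns over trimmed copies of the two event lines above. The translation only approximates the OSSEC engine, so it confirms the intended captures of the fix rather than reproducing the original failure; the event strings, the `SourcePort:` prefix kept in front of the source pattern and the `DestinationPortName` literal (the field name as it appears in the event) are assumptions made here.

```python
import re

# Constructed from the two sample events in the thread, trimmed to the network fields.
EVENT_BLANK_PORTNAME = (
    "SourcePort: 49192  SourcePortName:   DestinationIsIpv6: false  "
    "DestinationIp: XXX.58.XXX.206  DestinationHostname: webdest  "
    "DestinationPort: 443  DestinationPortName: https"
)
EVENT_WITH_PORTNAME = EVENT_BLANK_PORTNAME.replace(
    "SourcePortName:   ", "SourcePortName: whatever  ")

# OSSEC escape -> Python class. In OSSEC syntax a bare '.' is literal and '\.' means any char.
OSSEC_ESCAPES = {"\\.": ".", "\\s": r"\s", "\\S": r"\S", "\\d": r"\d", "\\D": r"\D",
                 "\\w": r"[\w@-]", "\\W": r"[^\w@-]", "\\t": r"\t", "\\p": r"[^\w\s]"}

def ossec_to_python(pattern: str) -> str:
    """Approximate an OSSEC/Wazuh regex as a Python regex (not the OSSEC engine).

    Repetitions stop at the first point where the rest of the pattern matches (lazy)
    unless only ')' or '$' follows them, where OSSEC consumes the whole run (greedy).
    """
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            tok = pattern[i:i + 2]
            out.append(OSSEC_ESCAPES.get(tok, re.escape(tok[1])))  # other escapes are literals
            i += 2
        elif ch in "*+":
            trailing = pattern[i + 1:].strip(")$") == ""
            out.append(ch if trailing else ch + "?")
            i += 1
        elif ch in "?()|^$":
            out.append(ch)
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)

def extract(ossec_pattern: str, event: str):
    """Captured groups of an OSSEC-style pattern against one event line, or None."""
    m = re.search(ossec_to_python(ossec_pattern), event)
    return m.groups() if m else None

# The replacement proposed in the thread, with SourcePort kept in front so the captures
# come out in field order; the destination side uses the field name the event carries.
SRC_PATTERN = r"SourcePort: (\S*)\s+SourcePortName: (\.*)\s+DestinationIsIpv6:"
DST_PATTERN = r"DestinationPort: (\S*)\s+DestinationPortName:\s(\S*)"
```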
francisco...@wazuh.com

Apr 30, 2018, 5:51:31 AM
to Wazuh mailing list
Hello,

thank you very much for the catch.

We've opened a PR in the ruleset repository: https://github.com/wazuh/wazuh-ruleset/pull/127

Thanks for helping us to improve Wazuh,

Best regards,

Fran G.