Discussion:
[ossec-list] Extending the windows decoder
Nico MT
2017-09-22 07:49:51 UTC
Hi all,

I've been trying to create a decoder for the new version of TrendMicro,
which is not supported by OSSEC or by Wazuh yet. The sample event I want to
decode is like this:

2017 Sep 20 16:12:10 WinEvtLog: Application: WARNING(500): Trend Micro
OfficeScan Server: SYSTEM: NT AUTHORITY: server.fqdn.com: Virus/Malware:
TROJ_GEN.R0EBC0ED616 Computer: HOSTNAME Domain: Default\ File:
C:\Path\to\malicious\file.exe (file.exe) Date/Time: 20/09/2017 16:11:11
Result: Virus successfully detected, cannot perform the Clean action
(Quarantine)

If I start testing this event at the logtest tool, I get this output:

**Phase 1: Completed pre-decoding.
full event: '2017 Sep 20 16:12:10 WinEvtLog: Application:
WARNING(500): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY:
server.fqdn.com: Virus/Malware: TROJ_GEN.R0EBC0ED616 Computer: HOSTNAME
Domain: Default\ File: C:\Path\to\malicious\file.exe (file.exe)
Date/Time: 20/09/2017 16:11:11 Result: Virus successfully detected, cannot
perform the Clean action (Quarantine)'
hostname: 'srvlossec01'
program_name: 'WinEvtLog'
log: 'Application: WARNING(500): Trend Micro OfficeScan Server:
SYSTEM: NT AUTHORITY: server.fqdn.com: Virus/Malware: TROJ_GEN.R0EBC0ED616
Computer: HOSTNAME Domain: Default\ File: C:\Path\to\malicious\file.exe
(file.exe) Date/Time: 20/09/2017 16:11:11 Result: Virus successfully
detected, cannot perform the Clean action (Quarantine)'

**Phase 2: Completed decoding.
decoder: 'windows'
type: 'Application'
status: 'WARNING'
id: '500'
extra_data: 'Trend Micro OfficeScan Server'
dstuser: 'SYSTEM'
system_name: 'server.fqdn.com'

**Rule debugging:
Trying rule: 6 - Generic template for all windows rules.
*Rule 6 matched.
*Trying child rules.
Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
Trying rule: 18100 - Group of windows rules.
*Rule 18100 matched.
*Trying child rules.
Trying rule: 18101 - Windows informational event.
Trying rule: 18102 - Windows warning event.
*Rule 18102 matched.
*Trying child rules.
Trying rule: 7500 - Grouping of McAfee Windows AV rules.
Trying rule: 7701 - Grouping of Microsoft Security Essentials rules.
Trying rule: 18155 - Multiple Windows warning events.
Trying rule: 18141 - Unexpected Windows shutdown.
Trying rule: 18125 - Windows: Remote access login failure.
Trying rule: 18258 - Windows: TS Gateway login failure.

**Phase 3: Completed filtering (rules).
Rule id: '18102'
Level: '0'
Description: 'Windows warning event.'

When I try to add my first decoder, which I deduce needs to inherit data
from the windows decoder, none of my data gets extracted. Here's the decoder
I've generated:

<decoder name="TrendMicro_fields">
  <parent>windows</parent>
  <type>windows</type>
  <prematch>Application: \S+\(500\): Trend Micro OfficeScan Server:</prematch>
  <regex>Application: \S+\(\d+\): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: \S+:\s*Virus/Malware: (\S+)\t*\s*Computer: (\S+)</regex>
  <order>virus,victimhost</order>
</decoder>

But if I add my decoder inside the windows decoders file
(/var/ossec/ruleset/decoders/0380-windows_decoders.xml), the event gets
decoded as I want:

**Phase 2: Completed decoding.
decoder: 'windows'
type: 'Application'
status: 'WARNING'
id: '500'
extra_data: 'Trend Micro OfficeScan Server'
dstuser: 'SYSTEM'
system_name: 'server.fqdn.com'
virus: 'TROJ_GEN.R0EBC0ED616'
victimhost: 'HOSTNAME'

The only requirement for my decoder to work is to place it before this rule:

...
-->

<!-- Here, my rule works -->

<decoder name="windows_fields">
  <type>windows</type>
  <parent>windows</parent>
  <regex>Source Network Address:\t*\s*(\S+.\S+.\S+.\S+)|Source Network Address:\t*\s*(\S*:\S*:\S*:\S*:\S*:\S*:\S*:\S*)|[CLIENT: (\S+\d)]</regex>
  <order>srcip</order>
</decoder>

<!-- Here, my rule does not work -->

<!-- Windows generic END -->
...

I've observed that this decoder stops working if I place my decoder before
it, so I don't want to modify my decoder set like that, as I'd lose part of
the default OSSEC functionality.

Does anyone know how to solve my problem, or how to get more accurate
information to help me achieve the solution?

Thanks in advance for your help.

Nico.
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
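Added example (not from either post, and not OSSEC's own code): a small Python harness that approximates how a single `<decoder>` is applied to the pre-decoded `log` string, so a `<regex>` and its `<order>` mapping can be checked offline before editing local_decoders. It translates only the OSSEC regex subset used by the decoders in this thread into Python `re`, and it assumes that subset behaves the same way in the real engine.

```python
import re
import xml.etree.ElementTree as ET

# OSSEC regex escapes mapped to Python re. In OSSEC '\.' means "any character",
# '\(' and '\)' are literal parentheses, and bare '.', '[' and ']' are literals
# (see "[CLIENT: ...]" in windows_fields). Assumption: this subset is enough here.
_ESCAPES = {"S": r"\S", "s": r"\s", "d": r"\d", "w": r"\w", "t": r"\t",
            ".": ".", "(": r"\(", ")": r"\)"}

def ossec_to_python(pattern):
    """Translate an OSSEC <regex>/<prematch> pattern into Python re syntax."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:  # groups, alternation, quantifiers and anchors keep their meaning
            out.append(c if c in "()|+*^$" else re.escape(c))
            i += 1
    return "".join(out)

def decode(decoder_xml, log):
    """Apply one <decoder> to the pre-decoded 'log' string; return {field: value}."""
    node = ET.fromstring(decoder_xml)
    prematch = node.findtext("prematch")
    if prematch and not re.search(ossec_to_python(prematch), log):
        return {}  # decoder would not be selected for this event
    m = re.search(ossec_to_python(node.findtext("regex", "")), log)
    if not m:
        return {}
    # Captured groups fill the <order> names left to right; groups belonging to
    # alternation branches that did not participate are skipped.
    names = [n.strip() for n in node.findtext("order", "").split(",")]
    return dict(zip(names, [g for g in m.groups() if g is not None]))

# The decoder and the 'log' string from the post above (wrapped lines rejoined).
TRENDMICRO_DECODER = r"""<decoder name="TrendMicro_fields">
  <parent>windows</parent>
  <type>windows</type>
  <prematch>Application: \S+\(500\): Trend Micro OfficeScan Server:</prematch>
  <regex>Application: \S+\(\d+\): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: \S+:\s*Virus/Malware: (\S+)\t*\s*Computer: (\S+)</regex>
  <order>virus,victimhost</order>
</decoder>"""

SAMPLE_LOG = (r"Application: WARNING(500): Trend Micro OfficeScan Server: SYSTEM: "
              r"NT AUTHORITY: server.fqdn.com: Virus/Malware: TROJ_GEN.R0EBC0ED616 "
              r"Computer: HOSTNAME Domain: Default\ File: C:\Path\to\malicious\file.exe "
              r"(file.exe) Date/Time: 20/09/2017 16:11:11 Result: Virus successfully "
              r"detected, cannot perform the Clean action (Quarantine)")
```

`decode(TRENDMICRO_DECODER, SAMPLE_LOG)` yields the `virus` and `victimhost` fields shown in the second logtest output; the same function can be pointed at the `windows_fields` decoder with a constructed logon-failure line to confirm that `srcip` extraction is unaffected.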
dan (ddp)
2017-09-27 13:37:41 UTC
I tried adding this to local_decoders:
<decoder name="windows1">
  <parent>windows</parent>
  <type>windows</type>
  <regex>Application: \S+\(\d+\): Trend Micro OfficeScan Server: SYSTEM: NT AUTHORITY: \S+:\s*Virus/Malware: (\S+)\t*\s*Computer: (\S+)</regex>
  <order>extra_data,dstip</order>
</decoder>

It seems to work, but I can't test it thoroughly right now.