Help: Custom Rule, Decoder, Testing Approach

Support/Development for OSSEC
senrabdet
New Forum User
Posts: 2
Joined: Wed Nov 16, 2022 2:51 pm

Help: Custom Rule, Decoder, Testing Approach

Post by senrabdet »

Hi all, am hoping someone can give me an example of one "known good" simple custom rule and decoder for any kind of common Windows event.

I have been trying/failing to figure out how to get any kind of custom rule to work for Windows clients running the ossec windows agent. I have an Ubuntu server dedicated to running OSSEC server side, and a number of Windows clients. Happy to provide configs but was hoping to get simple "known good" examples of a custom rule and decoder aimed at a common windows event to test with, and if those don't work, follow up with configs, logs etc.

Things are working to some degree, in that I get log in/log off alerts from the windows clients that show up in my ossec server's archive.log, its alerts.log, and then my email (e.g., "Rule: 18107 fired (level 3) -> "Windows Logon Success."). But any attempt at a custom rule? Nada. And other rules xml files that come with ossec don't seem to fire, whether they be linux oriented rules or windows oriented (or both). I haven't been able to tell what might be appreciably different with the msauth rules vs. other ones...

E.g., the server install/setup provided a number of "canned" rulesets, most of them seem aimed at Linux and a few Windows specific (which is fine). As best I can tell, I'm only receiving alerts from the "msauth_rules.xml" ruleset in /var/ossec/rules/msauth.xml (I've got my alerts level on the server at 1). There are other canned rulesets in that directory that don't seem to work, including some for "microsoft security essentials" (which got replaced by Defender some years ago) that don't seem to do anything, at least in sending me alerts or populating archive.log. The various rule xml files seem to be registered in my ossec.conf on the server appropriately in the "included" section.

Am trying and failing to get any kind of custom rule & decoder to work. The trouble here is compounded by the fact that, after trying various things, nothing shows up in the /var/ossec/logs/archives/archives.log, so the logtest tool isn't helpful. The custom ones I've tried work in as much as the ossec server starts w/o errors, but past that no joy.

FYI there are a number of windows events in archives.log (e.g., a fragment: any->WinEvtLog 2023 Aug 22 10:50:40 WinEvtLog: System: INFORMATION(19): Microsoft-Windows-WindowsUpdateClient: SYSTEM: NT AUTHORITY:). My understanding is this isn't from a rule but something else canned in ossec. May be wrong...

So if I could get one simple custom rule and a custom decoder for that rule (I've found rules/decoders on the net but am hoping to get a "known good" here), I'll see if they work/fail and report back. FYI my attempts at a custom rule have been in /var/ossec/rules/local_rules.xml and /var/ossec/etc/local_decoder.xml: neither file was there after my initial install on the server, so I added both of those files and adjusted permissions and chown stuff so they look like the other xml files already there.

Thx!
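An added example (not posted in this thread) of a known-good custom rule for the Windows Update client event quoted above. It relies on OSSEC's built-in "windows" decoder, which already parses "WinEvtLog: ..." lines, so no custom decoder entry is needed for this case; rule id 18100 is assumed to be the generic parent rule for decoded Windows events shipped in msauth_rules.xml, and 100100 is an id from the local-rule range.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not from the thread).
     Local rule ids 100000-119999 are reserved for custom rules.
     The shipped "windows" decoder handles "WinEvtLog: ..." lines, so
     nothing needs to be added to local_decoder.xml for this rule. -->
<group name="local,windows,">
  <rule id="100100" level="5">
    <!-- 18100: parent rule for all events parsed by the windows decoder -->
    <if_sid>18100</if_sid>
    <!-- event ID extracted by the decoder from "INFORMATION(19)" -->
    <id>^19$</id>
    <!-- substring match against the raw log line -->
    <match>Microsoft-Windows-WindowsUpdateClient</match>
    <description>Custom: Windows Update client event 19 on agent.</description>
  </rule>
</group>
```

To test it, run /var/ossec/bin/ossec-logtest and paste the archives.log line starting at "WinEvtLog:" (drop the leading timestamp and "hostname->location" prefix, which logtest does not expect); the rule only loads after a restart and only if ossec.conf lists <include>local_rules.xml</include> under <rules>.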
jerkybuyer
New Forum User
Posts: 1
Joined: Wed Dec 20, 2023 2:38 am

Re: Help: Custom Rule, Decoder, Testing Approach

Post by jerkybuyer »

senrabdet wrote: Tue Aug 22, 2023 2:19 pm
Hi all, am hoping someone can give me an example of one "known good" simple custom rule and decoder for any kind of common Windows event.

I have been trying/failing to figure out how to get any kind of custom rule to work for Windows clients running the ossec windows agent. I have an Ubuntu server dedicated to running OSSEC server side, and a number of Windows clients. Happy to provide configs but was hoping to get simple "known good" examples of a custom rule and decoder aimed at a common windows event to test with, and if those don't work, follow up with configs, logs etc.

Things are working to some degree, in that I get log in/log off alerts from the windows clients that show up in my ossec server's archive.log, its alerts.log, and then my email (e.g., "Rule: 18107 fired (level 3) -> "Windows Logon Success."). But any attempt at a custom rule? Nada. And other rules xml files that come with ossec don't seem to fire, whether they be linux oriented rules or windows oriented (or both). I haven't been able to tell what might be appreciably different with the msauth rules vs. other ones...

Thx!
Hope someone can explain in more detail. I'm attempting to get a custom rule and decoder to function, but I'm not getting far with it. To make matters worse, I've tried a lot of different things.