ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net
Other
4.52k stars 1.04k forks source link

Custom Rules #2095

Open senrabdet opened 1 year ago

senrabdet commented 1 year ago

Hi All, not sure this is the right place to post this, but for some time have been (on and off) trying to get various rules to work in Ossec, both custom and some of the canned. E.g., for windows there is a set of rules on my debian server for windows defender (windows security essentials) in /var/ossec/rules//ms-se_rules.xml. As best I can tell, these aren't getting used/fired. I've tried to add a custom decoder to work with them (wasn't sure that was even needed). To test this, I cause a fake Eicar virus alert on a windows test machine. On that windows machine, defender detects the virus, cleans it, and creates events in the event log under the "Microsoft-Windows-Windows Defender/Operationa" channel. However, the event does not seem to show up in my archives.log (nor the alerts.log) though I am getting various alerts in the archives.log for authentication types of events with the alerts part of ossec.conf set to 1. Am assuming this is all "user knowledge" types of problems, though the bing AI tool suggested that these security essentials (a tool retired some years go/changed to Windows Defender) rules no longer work though in looking at them the rules content in the xml file would seem to still apply to defender which is (my understanding) the current offspring of the older security essentials. I can provide logs and config etc (I've not gotten the log test to help yet), though am initially wondering if help is available and what might be helpful to lookin in, share etc? Hoping for some gentle help...Thx.

wolle604 commented 1 year ago

Hey, please provide an example of the tag from your Windows Agent config.