- # Alienvault plugin
- # Author: Phillip W. Moore at phillipmoore@gmail.com
- # Plugin powershell id:9002 version: 0.0.0
- # Last modification: 2015-12-02 13:00
- #
- # Plugin Selection Info:
- # PowerShell
- #
- # END-HEADER
- # Accepted products:
- # OSSEC - OSSEC 2.8_singleline
- # OSSEC - OSSEC 2.7_singleline
- # Description: the OSSEC custom_alert_output this plugin expects (configured in ossec.conf on the OSSEC server); every regexp below depends on this exact field order, so change them together:
- # <custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; </custom_alert_output>
- #
- #
- # Keys under [DEFAULT] are inherited by every other section when the file is read
- # with Python's ConfigParser (which the ossim-agent is believed to use), so
- # plugin_id does not have to be repeated in each rule section below.
- [DEFAULT]
- plugin_id=9002
- # Agent-side settings for this detector. It tails the OSSEC *server's* alerts.log,
- # so it only works on a sensor that also hosts the OSSEC server. The watchdog
- # looks for the ossec-logcollector process and uses the init script below to
- # start/stop it, which means the agent needs privileges to control the OSSEC service.
- [config]
- type=detector
- enable=yes
- # Cheap first-pass filter on each alert line; `key` captures the OSSEC rule id and
- # is presumably used to pick the rule section below whose name starts with that id.
- pre_match="^AV\s-\sAlert\s-\s\"\d+\"\s-->\sRID:\s\"(?P<key>\d+)\".*"
- source=log
- location=/var/ossec/logs/alerts/alerts.log
- create_file=false
- process=ossec-logcollector
- # NOTE(review): the trailing "; ..." text on the next four keys are inline comments.
- # Python 2 ConfigParser strips a " ;" comment, but a stricter parser would keep it
- # as part of the value (e.g. start="yes ; launch ...") -- confirm against the
- # ossim-agent version in use before relying on these.
- start=yes ; launch plugin process when agent starts
- stop=yes ; shutdown plugin process when agent stops
- restart=no ; restart plugin process after each interval
- restart_interval=_CFG(watchdog,restart_interval) ; interval between each restart
- startup=/etc/init.d/ossec start
- shutdown=/etc/init.d/ossec stop
- # OSSEC rule id -> plugin id table. It is only consulted by translate(), and every
- # rule section below has its "plugin_id={translate($rule_id)}" line commented out,
- # so this table is currently unused. 100210-100212 are listed here but have no
- # rule section in this file; an alert for those ids has nothing to match it.
- [translation]
- 100210=9002
- 100211=9002
- 100212=9002
- 100213=9002
- 100214=9002
- 100215=9002
- 100216=9002
- 100217=9002
- 100218=9002
- ######################################################
- # WINDOWS EVENTS
- ######################################################
- #
- # Windows Information Event <status>^INFORMATION</status>
- # These OSSEC rules (level 2) are disabled by default; they must be enabled on the
- # OSSEC server, otherwise no alert reaches alerts.log and this plugin never fires.
- # [100213 - PowerShell Script Started (500)]
- # [100214 - PowerShell Script Stopped (501)]
- # [100215 - PowerShell Command Started (500)]
- # [100216 - PowerShell Command Stopped (501)]
- # [100217 - PowerShell Function Started (500)]
- # [100218 - PowerShell Function Stopped (501)]
- #
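- # OSSEC rule 100213: Windows PowerShell event 500 (command started) for a script.
- # plugin_sid is the rule id captured from the alert line, which is why all six
- # rule sections can share one pattern. device/src_ip/dst_ip are all the reporting
- # host (the address after "(agent-name)" in HOSTNAME), presumably via resolv().
- [100213 - PowerShell Script Started (500)]
- event_type=event
- #precheck="INFORMATION"
- # CommandLine is captured with .* instead of [^=]*: PowerShell command lines very
- # often contain '=' ($x = ..., Name=Value), and [^=]* made the whole regexp fail
- # on them, so exactly the events worth seeing were dropped unparsed. Greedy .*
- # runs to the final [END]"; terminator, so a literal [END] inside the command
- # cannot truncate the capture. Name/path fields keep [^=]*. All of these values
- # are attacker-influenced text; treat the parsed fields accordingly.
- regexp="^AV\s+\-\sAlert\s+\-\s\"(?P<date>\d+)\"\s\-\->\sRID\:\s\"(?P<rule_id>\d+)\"\;\s+RL\:\s+\"(?P<rule_level>\d+)\"\;\s+RG\:\s+\"(?P<rule_group>[^\"]*)\"\;\s+RC\:\s+\"(?P<rule_comment>[^\"]*)\";.*?HOSTNAME\:[^\)]*\)\s(?P<winip>\S+)->.*?INFORMATION\((?P<winevent_id>\d+)\)\:.*NewCommandState=(?P<cmd_state>[^=]*) SequenceNumber=(?P<seq_num>[^=]*) HostName.*CommandName=(?P<cmd_name>[^=]*) CommandType=(?P<cmd_type>[^=]*) ScriptName=(?P<script_name>[^=]*) CommandPath=(?P<cmd_path>[^=]*) CommandLine=(?P<cmd_line>.*)\[END\]\"\;"
- date={normalize_date($date)}
- #plugin_id={translate($rule_id)}
- plugin_sid={$rule_id}
- device={resolv($winip)}
- src_ip={resolv($winip)}
- dst_ip={resolv($winip)}
- # userdata1/2: OSSEC rule level and Windows event id; 3-9: command lifecycle fields
- userdata1={$rule_level}
- userdata2={$winevent_id}
- userdata3={$cmd_state}
- userdata4={$seq_num}
- userdata5={$cmd_name}
- userdata6={$cmd_type}
- userdata7={$script_name}
- userdata8={$cmd_path}
- userdata9={$cmd_line}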
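- # OSSEC rule 100214: Windows PowerShell event 501 (command stopped) for a script.
- # The rule id captured from the alert becomes plugin_sid, so this section uses the
- # same pattern as the other five. device/src_ip/dst_ip all point at the reporting
- # host (the address after "(agent-name)" in HOSTNAME), presumably via resolv().
- [100214 - PowerShell Script Stopped (501)]
- event_type=event
- #precheck="INFORMATION"
- # CommandLine uses .* rather than [^=]*. A '=' in the command line (assignments,
- # Name=Value arguments) is routine in PowerShell, and with [^=]* the regexp did not
- # match at all, silently losing the event. Greedy .* ends at the last [END]";
- # terminator, so a literal [END] inside the command cannot cut the capture short.
- # The name/path fields keep [^=]*. Every captured value is attacker-influenced text.
- regexp="^AV\s+\-\sAlert\s+\-\s\"(?P<date>\d+)\"\s\-\->\sRID\:\s\"(?P<rule_id>\d+)\"\;\s+RL\:\s+\"(?P<rule_level>\d+)\"\;\s+RG\:\s+\"(?P<rule_group>[^\"]*)\"\;\s+RC\:\s+\"(?P<rule_comment>[^\"]*)\";.*?HOSTNAME\:[^\)]*\)\s(?P<winip>\S+)->.*?INFORMATION\((?P<winevent_id>\d+)\)\:.*NewCommandState=(?P<cmd_state>[^=]*) SequenceNumber=(?P<seq_num>[^=]*) HostName.*CommandName=(?P<cmd_name>[^=]*) CommandType=(?P<cmd_type>[^=]*) ScriptName=(?P<script_name>[^=]*) CommandPath=(?P<cmd_path>[^=]*) CommandLine=(?P<cmd_line>.*)\[END\]\"\;"
- date={normalize_date($date)}
- #plugin_id={translate($rule_id)}
- plugin_sid={$rule_id}
- device={resolv($winip)}
- src_ip={resolv($winip)}
- dst_ip={resolv($winip)}
- # userdata1/2: OSSEC rule level and Windows event id; 3-9: command lifecycle fields
- userdata1={$rule_level}
- userdata2={$winevent_id}
- userdata3={$cmd_state}
- userdata4={$seq_num}
- userdata5={$cmd_name}
- userdata6={$cmd_type}
- userdata7={$script_name}
- userdata8={$cmd_path}
- userdata9={$cmd_line}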
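- # OSSEC rule 100215: Windows PowerShell event 500 (command started) for a command.
- # plugin_sid comes from the rule id captured on the alert line, so the pattern is
- # shared with the other rule sections. device/src_ip/dst_ip are the reporting host
- # (the address after "(agent-name)" in HOSTNAME), presumably resolved by resolv().
- [100215 - PowerShell Command Started (500)]
- event_type=event
- #precheck="INFORMATION"
- # CommandLine is captured with .* instead of [^=]*. PowerShell command lines
- # commonly contain '=' ($x = ..., Name=Value) and [^=]* then made the entire regexp
- # fail, dropping the event unparsed. Greedy .* stops at the final [END]";
- # terminator, so a literal [END] inside the command cannot truncate the capture.
- # Name/path fields keep [^=]*. All parsed values are attacker-influenced text.
- regexp="^AV\s+\-\sAlert\s+\-\s\"(?P<date>\d+)\"\s\-\->\sRID\:\s\"(?P<rule_id>\d+)\"\;\s+RL\:\s+\"(?P<rule_level>\d+)\"\;\s+RG\:\s+\"(?P<rule_group>[^\"]*)\"\;\s+RC\:\s+\"(?P<rule_comment>[^\"]*)\";.*?HOSTNAME\:[^\)]*\)\s(?P<winip>\S+)->.*?INFORMATION\((?P<winevent_id>\d+)\)\:.*NewCommandState=(?P<cmd_state>[^=]*) SequenceNumber=(?P<seq_num>[^=]*) HostName.*CommandName=(?P<cmd_name>[^=]*) CommandType=(?P<cmd_type>[^=]*) ScriptName=(?P<script_name>[^=]*) CommandPath=(?P<cmd_path>[^=]*) CommandLine=(?P<cmd_line>.*)\[END\]\"\;"
- date={normalize_date($date)}
- #plugin_id={translate($rule_id)}
- plugin_sid={$rule_id}
- device={resolv($winip)}
- src_ip={resolv($winip)}
- dst_ip={resolv($winip)}
- # userdata1/2: OSSEC rule level and Windows event id; 3-9: command lifecycle fields
- userdata1={$rule_level}
- userdata2={$winevent_id}
- userdata3={$cmd_state}
- userdata4={$seq_num}
- userdata5={$cmd_name}
- userdata6={$cmd_type}
- userdata7={$script_name}
- userdata8={$cmd_path}
- userdata9={$cmd_line}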
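- # OSSEC rule 100216: Windows PowerShell event 501 (command stopped) for a command.
- # The captured rule id becomes plugin_sid, so one pattern serves all rule sections.
- # device/src_ip/dst_ip are all the reporting host (the address after "(agent-name)"
- # in HOSTNAME), presumably resolved by resolv().
- [100216 - PowerShell Command Stopped (501)]
- event_type=event
- #precheck="INFORMATION"
- # CommandLine uses .* rather than [^=]*: a '=' inside the command line is normal
- # in PowerShell (assignments, Name=Value arguments), and [^=]* made the whole regexp
- # fail on such lines, so the event was silently lost. Greedy .* extends to the last
- # [END]"; terminator, so a literal [END] in the command cannot cut the capture
- # short. Name/path fields keep [^=]*. Treat all captured values as attacker text.
- regexp="^AV\s+\-\sAlert\s+\-\s\"(?P<date>\d+)\"\s\-\->\sRID\:\s\"(?P<rule_id>\d+)\"\;\s+RL\:\s+\"(?P<rule_level>\d+)\"\;\s+RG\:\s+\"(?P<rule_group>[^\"]*)\"\;\s+RC\:\s+\"(?P<rule_comment>[^\"]*)\";.*?HOSTNAME\:[^\)]*\)\s(?P<winip>\S+)->.*?INFORMATION\((?P<winevent_id>\d+)\)\:.*NewCommandState=(?P<cmd_state>[^=]*) SequenceNumber=(?P<seq_num>[^=]*) HostName.*CommandName=(?P<cmd_name>[^=]*) CommandType=(?P<cmd_type>[^=]*) ScriptName=(?P<script_name>[^=]*) CommandPath=(?P<cmd_path>[^=]*) CommandLine=(?P<cmd_line>.*)\[END\]\"\;"
- date={normalize_date($date)}
- #plugin_id={translate($rule_id)}
- plugin_sid={$rule_id}
- device={resolv($winip)}
- src_ip={resolv($winip)}
- dst_ip={resolv($winip)}
- # userdata1/2: OSSEC rule level and Windows event id; 3-9: command lifecycle fields
- userdata1={$rule_level}
- userdata2={$winevent_id}
- userdata3={$cmd_state}
- userdata4={$seq_num}
- userdata5={$cmd_name}
- userdata6={$cmd_type}
- userdata7={$script_name}
- userdata8={$cmd_path}
- userdata9={$cmd_line}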
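- # OSSEC rule 100217: Windows PowerShell event 500 (command started) for a function.
- # plugin_sid is taken from the rule id captured on the alert line, so this section
- # shares its pattern with the others. device/src_ip/dst_ip are the reporting host
- # (the address after "(agent-name)" in HOSTNAME), presumably resolved by resolv().
- [100217 - PowerShell Function Started (500)]
- event_type=event
- #precheck="INFORMATION"
- # CommandLine is captured with .* instead of [^=]*. PowerShell command lines
- # routinely contain '=' ($x = ..., Name=Value), and with [^=]* the regexp did not
- # match at all, dropping the event unparsed. Greedy .* runs to the final [END]";
- # terminator, so a literal [END] inside the command cannot truncate the capture.
- # Name/path fields keep [^=]*. Every captured value is attacker-influenced text.
- regexp="^AV\s+\-\sAlert\s+\-\s\"(?P<date>\d+)\"\s\-\->\sRID\:\s\"(?P<rule_id>\d+)\"\;\s+RL\:\s+\"(?P<rule_level>\d+)\"\;\s+RG\:\s+\"(?P<rule_group>[^\"]*)\"\;\s+RC\:\s+\"(?P<rule_comment>[^\"]*)\";.*?HOSTNAME\:[^\)]*\)\s(?P<winip>\S+)->.*?INFORMATION\((?P<winevent_id>\d+)\)\:.*NewCommandState=(?P<cmd_state>[^=]*) SequenceNumber=(?P<seq_num>[^=]*) HostName.*CommandName=(?P<cmd_name>[^=]*) CommandType=(?P<cmd_type>[^=]*) ScriptName=(?P<script_name>[^=]*) CommandPath=(?P<cmd_path>[^=]*) CommandLine=(?P<cmd_line>.*)\[END\]\"\;"
- date={normalize_date($date)}
- #plugin_id={translate($rule_id)}
- plugin_sid={$rule_id}
- device={resolv($winip)}
- src_ip={resolv($winip)}
- dst_ip={resolv($winip)}
- # userdata1/2: OSSEC rule level and Windows event id; 3-9: command lifecycle fields
- userdata1={$rule_level}
- userdata2={$winevent_id}
- userdata3={$cmd_state}
- userdata4={$seq_num}
- userdata5={$cmd_name}
- userdata6={$cmd_type}
- userdata7={$script_name}
- userdata8={$cmd_path}
- userdata9={$cmd_line}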
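- # OSSEC rule 100218: Windows PowerShell event 501 (command stopped) for a function.
- # The rule id captured from the alert becomes plugin_sid, which is why all six rule
- # sections can use one pattern. device/src_ip/dst_ip all name the reporting host
- # (the address after "(agent-name)" in HOSTNAME), presumably resolved by resolv().
- [100218 - PowerShell Function Stopped (501)]
- event_type=event
- #precheck="INFORMATION"
- # CommandLine uses .* rather than [^=]*: '=' is common in PowerShell command lines
- # (assignments, Name=Value arguments) and [^=]* made the whole regexp fail on them,
- # so the event was silently lost. Greedy .* ends at the last [END]"; terminator,
- # so a literal [END] inside the command cannot cut the capture short. Name/path
- # fields keep [^=]*. All parsed values are attacker-influenced text.
- regexp="^AV\s+\-\sAlert\s+\-\s\"(?P<date>\d+)\"\s\-\->\sRID\:\s\"(?P<rule_id>\d+)\"\;\s+RL\:\s+\"(?P<rule_level>\d+)\"\;\s+RG\:\s+\"(?P<rule_group>[^\"]*)\"\;\s+RC\:\s+\"(?P<rule_comment>[^\"]*)\";.*?HOSTNAME\:[^\)]*\)\s(?P<winip>\S+)->.*?INFORMATION\((?P<winevent_id>\d+)\)\:.*NewCommandState=(?P<cmd_state>[^=]*) SequenceNumber=(?P<seq_num>[^=]*) HostName.*CommandName=(?P<cmd_name>[^=]*) CommandType=(?P<cmd_type>[^=]*) ScriptName=(?P<script_name>[^=]*) CommandPath=(?P<cmd_path>[^=]*) CommandLine=(?P<cmd_line>.*)\[END\]\"\;"
- date={normalize_date($date)}
- #plugin_id={translate($rule_id)}
- plugin_sid={$rule_id}
- device={resolv($winip)}
- src_ip={resolv($winip)}
- dst_ip={resolv($winip)}
- # userdata1/2: OSSEC rule level and Windows event id; 3-9: command lifecycle fields
- userdata1={$rule_level}
- userdata2={$winevent_id}
- userdata3={$cmd_state}
- userdata4={$seq_num}
- userdata5={$cmd_name}
- userdata6={$cmd_type}
- userdata7={$script_name}
- userdata8={$cmd_path}
- userdata9={$cmd_line}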