Former Member
Message 1 of 5

WMI parsers question


Hi,

Does anyone know the difference between WMI rules 43-263051400 and 43-263051403?

From the information I got here (McAfee Corporate KB - Windows Event ID to Nitro Signature ID translation KB74335), the 0 and 3 are revision numbers, and I was expecting both to work; however, that is not the case.

If I disable the one ending in 0 and enable the one ending in 3, no "A network share object was accessed" logs are parsed anymore. Does somebody know how I can test these rules?

Thank you in advance

43-263051400

Rule Name: A network share object was accessed

Signature ID: 43-263051400

Normalization Name: Directory Service Status

Signature: INFO="Microsoft-Windows-Security-Auditing",5140,0,60;MAPPING=5,0,6,0,0,0,0,0,2,0,0,0,3,0,7;REGEX=13,".*\\(.*)";REGEX=8,"(?i)CN=(.*?),\s*[A-Z]{2}\x3d";CF_MAPPING=4<src_logon_id>="Source_Logon_ID.Source_Logon_ID",1<Security_ID>="Security_ID.Security_ID";

Description: Security 5140: A network share object was accessed. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Network Information: Source Address: %5 Source Port: %6 Share Name: %7

43-263051403

Rule Name: A network share object was accessed

Signature ID: 43-263051403

Normalization Name: Directory Service Status

Signature: INFO="Microsoft-Windows-Security-Auditing",5140,3,61;MAPPING=6,0,7,0,0,0,0,0,2,0,0,0,3,9,8;REGEX=13,".*\\(.*)";REGEX=8,"(?i)CN=(.*?),\s*[A-Z]{2}\x3d";CF_MAPPING=4<src_logon_id>="Source_Logon_ID.Source_Logon_ID",1<Security_ID>="Security_ID.Security_ID",5<filename>="Destination_Filename.Destination_Filename";CF_MAPPING=11<accesses>="Access_Privileges.Access_Privileges";CF_PP=accesses,Parameter_Strings,"\x25\x25(\d+)";

Description: Security 5140: A network share object was accessed. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Network Information: Object Type: %5 Source Address: %6 Source Port: %7 Share Information: Share Name: %8 Share Path: %9 Access Request Information: Access Mask: %10 Accesses: %11
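The two descriptions above differ in their parameter layout: revision 0 of event 5140 carries seven insertion strings (%1..%7, Share Name at %7), while revision 3 carries eleven (%1..%11, with Object Type, Share Path, Access Mask and Accesses added). A rule written for one layout cannot line up the fields of an event logged in the other, which matches the "nothing is parsed anymore" observation. The following Python script is an added illustration of that mismatch and is not McAfee ESM code; it models only the %n layouts taken from the two descriptions plus the two regexes that appear in both signatures (REGEX=13 for the text after the last backslash, and the CF_PP pattern for %%NNNN access codes). The MAPPING numbers of the signatures are not modelled, and the sample events, SID, addresses and access codes are constructed values.

```python
import re

# Insertion-string layouts taken from the two rule descriptions in the post:
# 5140 version 0 exposes 7 parameters (%1..%7), version 3 exposes 11 (%1..%11).
LAYOUTS = {
    0: ["Security_ID", "Account_Name", "Account_Domain", "Logon_ID",
        "Source_Address", "Source_Port", "Share_Name"],
    3: ["Security_ID", "Account_Name", "Account_Domain", "Logon_ID",
        "Object_Type", "Source_Address", "Source_Port", "Share_Name",
        "Share_Path", "Access_Mask", "Accesses"],
}

# The two regexes that appear verbatim in the rule signatures above.
SHARE_LEAF_RE = re.compile(r".*\\(.*)")        # REGEX=13: everything after the last backslash
ACCESS_CODE_RE = re.compile(r"\x25\x25(\d+)")  # CF_PP: each %%NNNN token in the Accesses string


def parse_5140(version, params):
    """Map the insertion strings of a 5140 event onto named fields for one version.

    Raises ValueError when the parameter count does not fit the layout; this is
    the modelled equivalent of a rule that silently fails to match the event.
    """
    layout = LAYOUTS.get(version)
    if layout is None:
        raise ValueError(f"no layout known for event 5140 version {version}")
    if len(params) != len(layout):
        raise ValueError(
            f"version {version} expects {len(layout)} parameters, got {len(params)}")
    fields = dict(zip(layout, params))
    # REGEX=13 in both rules: keep the share leaf name (text after the last backslash).
    m = SHARE_LEAF_RE.match(fields["Share_Name"])
    fields["Share_Leaf"] = m.group(1) if m else fields["Share_Name"]
    # Only the revision-3 layout has an Accesses string to post-process.
    if "Accesses" in fields:
        fields["Access_Codes"] = ACCESS_CODE_RE.findall(fields["Accesses"])
    return fields


def try_parse(version, params):
    """Return the parsed fields, or None when the layout does not fit (a parser miss)."""
    try:
        return parse_5140(version, params)
    except ValueError:
        return None


# Constructed sample events (not real log data); SID, addresses and codes are invented.
EVENT_V0 = ["S-1-5-21-1111111111-2222222222-3333333333-1104", "jdoe", "CORP",
            "0x3E7F2", "10.0.0.25", "49152", r"\\*\IPC$"]
EVENT_V3 = ["S-1-5-21-1111111111-2222222222-3333333333-1104", "jdoe", "CORP",
            "0x3E7F2", "File", "10.0.0.25", "49153", r"\\*\Finance",
            r"\??\C:\Shares\Finance", "0x1", "%%4416 %%4423"]

if __name__ == "__main__":
    for version, event in ((0, EVENT_V0), (3, EVENT_V3)):
        print(version, parse_5140(version, event))
    # Cross-version mismatch: the revision-3 layout applied to a revision-0 event.
    print("rev3 layout on rev0 event ->", try_parse(3, EVENT_V0))
```

Running the script shows the revision-3 layout yielding Share_Path and a list of access codes that the revision-0 layout cannot provide, and the cross-version call returning None, which is the behaviour to expect when only one of the two rules is enabled but the endpoints log the other revision. Checking which 5140 revision the collected hosts emit is therefore the first diagnostic step before touching the rule set.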

Accepted Solution
Former Member
Message 5 of 5

Re: WMI parsers question


There is no actual way to test these rules.

Apparently the revision number is often related to the version of Windows, as the logs change between some versions.

I will submit a PER to retrieve more information from these logs (typically the share name would be nice, no?)

4 Replies
sssyyy
Reliable Contributor
Message 2 of 5

Re: WMI parsers question

You can try copying a few raw packets out of the Receiver or ESM GUI for event ID 5140, pasting them into the rule configuration editor, and seeing whether the parsers for 43-263051400 and/or 43-263051403 match all the required fields.

Former Member
Message 3 of 5

Re: WMI parsers question


Hi,

Thank you for your answer!

Can you point me to this feature? I thought it was only possible to do that with ASP rules.

Regards

sssyyy
Reliable Contributor
Message 4 of 5

Re: WMI parsers question

I checked, and you are right: you can't modify the rules. I knew you couldn't rewrite WMI parsing rules, but I never thought you couldn't check parsing at all.

Another way is to use the Windows Event Log - CEF (ASP) data source to collect Windows events via syslog, but a syslog client is required, e.g. Snare.
