3 Replies Latest reply on Aug 3, 2017 4:57 PM by sssyyy

    WMI parsers question

    ksudki

      Hi,

      Does anyone know the difference between WMI rule 43-263051400 and 43-263051403?

      From the information I got here (McAfee Corporate KB - Windows Event ID to Nitro Signature ID translation, KB74335), the 0 and 3 are revision numbers and I was expecting both to work; however, it is not the case.

      If I disable the one ending in 0 and enable the one ending in 3, no "A network share object was accessed" logs are parsed anymore. Does somebody know how I can test these rules?

      Thank you in advance

      43-263051400

      Rule Name: A network share object was accessed

      Signature ID: 43-263051400

      Normalization Name: Directory Service Status

      Signature: INFO="Microsoft-Windows-Security-Auditing",5140,0,60;MAPPING=5,0,6,0,0,0,0,0,2,0,0,0,3,0,7;REGEX=13,".*\\(.*)";REGEX=8,"(?i)CN=(.*?),\s*[A-Z]{2}\x3d";CF_MAPPING=4<src_logon_id>="Source_Logon_ID.Source_Logon_ID",1<Security_ID>="Security_ID.Security_ID";

      Description: Security 5140: A network share object was accessed. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Network Information: Source Address: %5 Source Port: %6 Share Name: %7

      43-263051403

      Rule Name: A network share object was accessed

      Signature ID: 43-263051403

      Normalization Name: Directory Service Status

      Signature: INFO="Microsoft-Windows-Security-Auditing",5140,3,61;MAPPING=6,0,7,0,0,0,0,0,2,0,0,0,3,9,8;REGEX=13,".*\\(.*)";REGEX=8,"(?i)CN=(.*?),\s*[A-Z]{2}\x3d";CF_MAPPING=4<src_logon_id>="Source_Logon_ID.Source_Logon_ID",1<Security_ID>="Security_ID.Security_ID",5<filename>="Destination_Filename.Destination_Filename";CF_MAPPING=11<accesses>="Access_Privileges.Access_Privileges";CF_PP=accesses,Parameter_Strings,"\x25\x25(\d+)";

      Description: Security 5140: A network share object was accessed. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Network Information: Object Type: %5 Source Address: %6 Source Port: %7 Share Information: Share Name: %8 Share Path: %9 Access Request Information: Access Mask: %10 Accesses: %11
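
Added illustration, not from the thread or from the McAfee product: it models the two descriptions quoted above as positional parameter lists (%1..%7 for the revision-0 rule, %1..%11 for the revision-3 rule) and applies the signatures' own regexes, the share-name pattern and the %%NNNN access-code post-processing, to constructed sample events. How the ESM actually matches a rule (the MAPPING and CF_MAPPING indices) is not documented on this page and is not modelled; the parameter-count check is an assumption used only to show why the two layouts are not interchangeable.

```python
import re

# Parameter layouts taken from the two rule descriptions quoted above: each %N
# placeholder in the description is one positional parameter of event 5140.
TEMPLATES = {
    "43-263051400": ["Security_ID", "Account_Name", "Account_Domain", "Logon_ID",
                     "Source_Address", "Source_Port", "Share_Name"],
    "43-263051403": ["Security_ID", "Account_Name", "Account_Domain", "Logon_ID",
                     "Object_Type", "Source_Address", "Source_Port", "Share_Name",
                     "Share_Path", "Access_Mask", "Accesses"],
}

# Regexes copied from the signatures: the share-name leaf after the last
# backslash, and the %%NNNN access tokens that CF_PP post-processes.
SHARE_RE = re.compile(r".*\\(.*)")
ACCESS_CODE_RE = re.compile(r"\x25\x25(\d+)")


def parse_5140(rule_id, params):
    """Bind the positional parameters of one 5140 event to a rule's field names.

    Assumption used for illustration: a rule only fits an event whose parameter
    count equals its template length, so a revision-3 event does not fit the
    revision-0 layout and vice versa. Returns None when the layout does not fit.
    """
    names = TEMPLATES[rule_id]
    if len(params) != len(names):
        return None
    fields = dict(zip(names, params))
    m = SHARE_RE.match(fields["Share_Name"])
    fields["share_leaf"] = m.group(1) if m else fields["Share_Name"]
    if "Accesses" in fields:  # only the revision-3 layout carries this field
        fields["access_codes"] = ACCESS_CODE_RE.findall(fields["Accesses"])
    return fields


# Constructed sample events (not real log data): the 7-parameter and the
# 11-parameter layouts for the same share access.
REV0_EVENT = ["S-1-5-21-1-2-3-1001", "alice", "CORP", "0x3e7ab1",
              "10.0.0.25", "49711", r"\\*\Finance"]
REV3_EVENT = ["S-1-5-21-1-2-3-1001", "alice", "CORP", "0x3e7ab1", "File",
              "10.0.0.25", "49711", r"\\*\Finance", r"D:\Shares\Finance",
              "0x1", "%%4416 %%4423"]

if __name__ == "__main__":
    for rule in TEMPLATES:
        for label, ev in (("rev0 event", REV0_EVENT), ("rev3 event", REV3_EVENT)):
            print(rule, label, "->", parse_5140(rule, ev))
```

Running it shows each rule binding only the event in its own layout; the revision-3 result additionally carries the share path and the numeric access codes pulled out of the Accesses parameter.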

        • 1. Re: WMI parsers question
          sssyyy

          You can try copying a few raw packets out of the receiver or ESM GUI for event ID 5140, pasting them into the rule configuration editor, and seeing whether the parsers for 43-263051400 and/or 43-263051403 can match all the required fields.

          • 2. Re: WMI parsers question
            ksudki

            Hi,

            Thank you for your answer!

            Can you point me to this feature? I thought it was only possible to do that with ASP rules.

            Regards

            • 3. Re: WMI parsers question
              sssyyy

              Checked, and you are right, you can't modify the rules. I knew you can't rewrite WMI parsing rules, but never thought that you couldn't check parsing at all.

              Another way is to do it via Windows Event Log - CEF (ASP) to collect Windows events via syslog, but a syslog client is required, e.g. Snare.