4 Replies Latest reply on Aug 28, 2017 9:01 AM by ksudki

    WMI parsers question

    ksudki

      Hi,

      Does anyone know the difference between WMI rules 43-263051400 and 43-263051403?

      From the information I got here (McAfee Corporate KB - Windows Event ID to Nitro Signature ID translation, KB74335), the 0 and 3 are revision numbers, and I was expecting both to work; however, that is not the case.

      If I disable the one ending in 0 and enable the one ending in 3, no "A network share object was accessed" logs are parsed anymore. Does somebody know how I can test these rules?

      Thank you in advance

      43-263051400

      Rule Name: A network share object was accessed

      Signature ID: 43-263051400

      Normalization Name: Directory Service Status

      Signature: INFO="Microsoft-Windows-Security-Auditing",5140,0,60;MAPPING=5,0,6,0,0,0,0,0,2,0,0,0,3,0,7;REGEX=13,".*\\(.*)";REGEX=8,"(?i)CN=(.*?),\s*[A-Z]{2}\x3d";CF_MAPPING=4<src_logon_id>="Source_Logon_ID.Source_Logon_ID",1<Security_ID>="Security_ID.Security_ID";

      Description: Security 5140: A network share object was accessed. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Network Information: Source Address: %5 Source Port: %6 Share Name: %7

      43-263051403

      Rule Name: A network share object was accessed

      Signature ID: 43-263051403

      Normalization Name: Directory Service Status

      Signature: INFO="Microsoft-Windows-Security-Auditing",5140,3,61;MAPPING=6,0,7,0,0,0,0,0,2,0,0,0,3,9,8;REGEX=13,".*\\(.*)";REGEX=8,"(?i)CN=(.*?),\s*[A-Z]{2}\x3d";CF_MAPPING=4<src_logon_id>="Source_Logon_ID.Source_Logon_ID",1<Security_ID>="Security_ID.Security_ID",5<filename>="Destination_Filename.Destination_Filename";CF_MAPPING=11<accesses>="Access_Privileges.Access_Privileges";CF_PP=accesses,Parameter_Strings,"\x25\x25(\d+)";

      Description: Security 5140: A network share object was accessed. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Network Information: Object Type: %5 Source Address: %6 Source Port: %7 Share Information: Share Name: %8 Share Path: %9 Access Request Information: Access Mask: %10 Accesses: %11

        • 1. Re: WMI parsers question
          sssyyy

          You can try copying a few raw packets out of the receiver or ESM GUI for event ID 5140, pasting them into the rule configuration editor and seeing if the parsers for 43-263051400 and/or 43-263051403 can match all the required fields.

          • 2. Re: WMI parsers question
            ksudki

            Hi,

            Thank you for your answer!

            Can you point me to this feature? I thought it was only possible to do that with ASP rules.

            Regards

            • 3. Re: WMI parsers question
              sssyyy

              I checked, and you are right: you can't modify the rules. I knew you couldn't rewrite WMI parsing rules, but I never thought you couldn't check parsing at all.

              Another way is to use Windows Event Log - CEF (ASP) to collect Windows events via syslog, but a syslog client such as Snare is required.

              • 4. Re: WMI parsers question
                ksudki

                There is no actual way to test these rules.

                Apparently the revision number is often related to the version of Windows, as the logs change between some versions.

                I will submit a PER to retrieve more information from these logs (typically the share name would be nice, no?).
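To make the two rule descriptions in the opening post and the "revision follows the Windows version" point concrete, here is an added example (my own code, not McAfee ESM's parser): it maps a raw 5140 parameter list onto the labelled fields of whichever Description template fits, applies the two post-processing regexes quoted in the signatures, and refuses events whose parameter count matches no template. The choice of template by parameter count, and the assumption that REGEX=13 targets the share name, are mine; the sample parameters are constructed.

```python
import re

# Field labels and %N positions taken from the two 5140 Description lines on
# the page: 7 parameters for the older event format, 11 for the newer one.
TEMPLATE_V0 = ("Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 "
               "Source Address: %5 Source Port: %6 Share Name: %7")
TEMPLATE_V1 = ("Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 "
               "Object Type: %5 Source Address: %6 Source Port: %7 Share Name: %8 "
               "Share Path: %9 Access Mask: %10 Accesses: %11")
TEMPLATES = {7: TEMPLATE_V0, 11: TEMPLATE_V1}

# Post-processing regexes quoted from the rule signatures on the page.
# ".*\\(.*)" keeps what follows the last backslash (assumed here to target the
# share name); "\x25\x25(\d+)" pulls the numeric codes out of "%%4416"-style
# access strings (\x25 is '%').
SHARE_TAIL = re.compile(r".*\\(.*)")
ACCESS_CODE = re.compile(r"\x25\x25(\d+)")

def parse_template(template):
    """Return [(label, param_index)] for a '%N'-style message template."""
    return [(m.group(1).strip(), int(m.group(2)))
            for m in re.finditer(r"([A-Za-z ]+?): %(\d+)", template)]

def render_5140(params):
    """Map a raw %1..%N parameter list onto labelled fields, or fail if no
    template fits: an event whose shape matches no enabled revision is the
    'nothing gets parsed anymore' case from the thread."""
    template = TEMPLATES.get(len(params))
    if template is None:
        raise ValueError(f"no 5140 template for {len(params)} parameters")
    fields = {label: params[idx - 1] for label, idx in parse_template(template)}
    tail = SHARE_TAIL.match(fields["Share Name"])
    fields["share_tail"] = tail.group(1) if tail else fields["Share Name"]
    if "Accesses" in fields:
        fields["access_codes"] = [int(c) for c in ACCESS_CODE.findall(fields["Accesses"])]
    return fields

# Constructed sample parameters (not real telemetry), in EventData order.
V0_PARAMS = ["S-1-5-21-1000-2000-3000-1104", "jdoe", "CORP", "0x3e7",
             "10.0.0.5", "49152", r"\\*\IPC$"]
V1_PARAMS = ["S-1-5-21-1000-2000-3000-1104", "jdoe", "CORP", "0x3e7", "File",
             "10.0.0.5", "49152", r"\\*\Finance", r"C:\Shares\Finance", "0x1",
             "%%4416 %%4423"]

if __name__ == "__main__":
    for p in (V0_PARAMS, V1_PARAMS):
        print(render_5140(p))
```

Feeding the 7-parameter list to only the 11-field template (or vice versa) raises, which is the behaviour to look for when one revision is disabled and the share-access events stop appearing.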