Other windows rules stop firing. #4
Comments
|
I am deploying Sysmonv3 in my test environment Thursday.. I will let you know what I find by the end of this week... |
|
Yeah I have not worked much with custom parsers/rules so may be doing something wrong but Brian Kellogg mentioned having the same issue here. https://groups.google.com/forum/#!topic/security-onion/hBmJ2q5NuaY |
|
Just an update on this issue... I am currently tweaking the ELSA & OSSEC parsers for Sysmon v3, and hope to have them done & tested within the next week or two. |
|
Sounds good let me know if I can assist in any way. |
|
I just posted the v3 decoder, as well as an updated version of the v1 decoder. Try removing the tag and see if that helps as well.... https://github.com/defensivedepth/Sysmon_OSSEC/blob/master/Sysmon_OSSEC-Decoders.xml |
|
Thanks Josh I will check it out sometime this week or next. What do you mean by "try removing the tag" |
|
Sorry, left out a word... On the v1 decoder, I removed the tag, which should not have been in there... |
|
Side note, are you running the decoder + rules in a SO distributed environment? |
|
Not currently just single SO standalone. |
Josh, Been playing with variations of this for Sysmon3 when I write my decoder similar to yours with parent and type as windows, OSSEC stops alerting on other windows events. Have you notices this type of behaviour?
The text was updated successfully, but these errors were encountered: