Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix active response decoders #179

Merged
merged 1 commit into from
Aug 29, 2018
Merged

Fix active response decoders #179

merged 1 commit into from
Aug 29, 2018

Conversation

frgv
Copy link
Contributor

@frgv frgv commented Aug 28, 2018

Adds compatibility with default netsh.cmd script.

08/28/2018 09:25 "active-response/bin/netsh.cmd" delete "-" "1.2.3.4" "1535465731.23945822 18258 (some-hostname) any->WinEvtLog (null)" 

**Phase 1: Completed pre-decoding.
       full event: '08/28/2018  09:25 "active-response/bin/netsh.cmd" delete "-" "1.2.3.4" "1535465731.23945822 18258 (some-hostname) any->WinEvtLog (null)"'
       timestamp: '(null)'
       hostname: 'manager1'
       program_name: '(null)'
       log: '08/28/2018  09:25 "active-response/bin/netsh.cmd" delete "-" "1.2.3.4" "1535465731.23945822 18258 (some-hostname) any->WinEvtLog (null)"'

**Phase 2: Completed decoding.
       decoder: 'ar_log'
       script: 'netsh.cmd'
       type: 'delete'
       srcip: '1.2.3.4'
       id: '1535465731.23945822'
       extra_data: '18258'

**Phase 3: Completed filtering (rules).
       Rule id: '607'
       Level: '3'
       Description: 'Active response: netsh.cmd - delete'
**Alert to be generated.

@frgv
Fix active response decoders
e52beeb 
Adds compatibility with default netsh.cmd script.
@frgv frgv requested a review from jesuslinares August 28, 2018 17:03
@jesuslinares jesuslinares merged commit ec0a059 into 3.6 Aug 29, 2018
@jesuslinares jesuslinares deleted the Fixing-Active-Response-Decoders branch August 29, 2018 18:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jesuslinares jesuslinares Awaiting requested review from jesuslinares

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@frgv @jesuslinares