
Event IDs with both Include and Exclude Filters

Open itpropaul opened this issue 5 years ago • 6 comments

Regarding "z-AlphaVersion.xml":

It appears that Event IDs that have both Include and Exclude filter sets are only processing one or the other filter set. For example when I run sysmon -c to view the current configuration, it only shows the Include filter set for both FileCreateTime and NetworkConnect.

I have tested on both Sysmon v10.0 and v10.1.

itpropaul avatar Jun 14 '19 17:06 itpropaul

There could just be a sysmon -c view issue that's preventing the excludes in those two Event IDs from being displayed. The main issue I have, though, is that I added a NetworkConnect exclusion for Loopback addresses:

<!--Section: Loopback Addresses-->
<DestinationIp condition="is">127.0.0.1</DestinationIp>
<DestinationIp condition="begin with">fe80:0:0:0</DestinationIp>

and it didn't work. Adding this same config to the original config file, sysmonconfig-export.xml, with Sysmon v9, does work.

Creating a pull request for sysmonconfig-export.xml with this addition now.

itpropaul avatar Jun 14 '19 21:06 itpropaul

I've spoken with another colleague who also wasn't able to get additional exclusions working for Event ID 3 in z-AlphaVersion.xml. He came to this finding completely separately from me.

itpropaul avatar Jun 26 '19 12:06 itpropaul

I ran into a similar issue with v10.2, where entire sections were not showing in sysmon -c, as well as issues with exclusions I added not working. Making the include and exclude rules into separate rule groups seems to have made it work the way I wanted it to, and displays correctly when running sysmon -c. Unless there are unintended consequences of formatting it this way that I'm not aware of, this seems to have fixed my issues.

Like this:

<RuleGroup name="" groupRelation="or">
  <NetworkConnect onmatch="include">
  </NetworkConnect>
</RuleGroup>
<RuleGroup name="" groupRelation="or">
  <NetworkConnect onmatch="exclude">
  </NetworkConnect>
</RuleGroup>

grokdesigns avatar Jul 03 '19 19:07 grokdesigns
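The workaround above (one RuleGroup per event filter, so an include set and an exclude set for the same event type never share a group) can be checked and applied mechanically. The following script is an added example, not code from this repository or from any commenter: it loads a Sysmon config, reports every RuleGroup that mixes include and exclude filters for one event type, and emits a restructured config in which each filter sits in its own RuleGroup with the original name and groupRelation preserved. The embedded config is constructed for the example; its schemaversion is an assumed value and the rules in it are illustrative only.

```python
import xml.etree.ElementTree as ET
from copy import deepcopy

# Constructed sample config (not the repository's file). The schemaversion
# attribute is an assumed value; the rules only illustrate the layout problem.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="end with">powershell.exe</Image>
      </NetworkConnect>
      <NetworkConnect onmatch="exclude">
        <DestinationIp condition="is">127.0.0.1</DestinationIp>
        <DestinationIp condition="begin with">fe80:0:0:0</DestinationIp>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""


def _rule_groups(root):
    """All RuleGroup elements directly under EventFiltering, as a list copy."""
    filtering = root.find("EventFiltering")
    return [] if filtering is None else list(filtering.findall("RuleGroup"))


def find_mixed_groups(xml_text):
    """Return (group_index, event_type) for every RuleGroup that holds both an
    include and an exclude filter for the same event type (e.g. NetworkConnect)."""
    root = ET.fromstring(xml_text)
    mixed = []
    for idx, group in enumerate(_rule_groups(root)):
        modes_by_tag = {}
        for child in group:
            modes_by_tag.setdefault(child.tag, set()).add(child.get("onmatch"))
        for tag, modes in modes_by_tag.items():
            if {"include", "exclude"} <= modes:
                mixed.append((idx, tag))
    return mixed


def split_rule_groups(xml_text):
    """Return a config in which every event filter lives in its own RuleGroup.
    Each new group copies the attributes (name, groupRelation) of the group the
    filter came from; the rule elements themselves are copied unchanged."""
    root = ET.fromstring(xml_text)
    filtering = root.find("EventFiltering")
    if filtering is None:
        return xml_text
    new_groups = []
    for group in _rule_groups(root):
        for event_filter in list(group):
            new_group = ET.Element("RuleGroup", attrib=dict(group.attrib))
            new_group.append(deepcopy(event_filter))
            new_groups.append(new_group)
        filtering.remove(group)
    for new_group in new_groups:
        filtering.append(new_group)
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def count_rule_groups(xml_text):
    """Number of RuleGroup elements under EventFiltering."""
    return len(_rule_groups(ET.fromstring(xml_text)))


if __name__ == "__main__":
    for idx, tag in find_mixed_groups(SAMPLE_CONFIG):
        print(f"RuleGroup #{idx} mixes include and exclude for {tag}")
    print(split_rule_groups(SAMPLE_CONFIG))
```

Run it against a real config by replacing SAMPLE_CONFIG with the file's contents; the report names the groups to split, and the emitted XML is the same rule set in the one-filter-per-group layout. Diff the output against your original before loading it with sysmon -c, then confirm with sysmon -c that both the include and the exclude sets now appear.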

@grokdesigns I'm on 10.2 now as well. I made your recommended change of breaking out inclusions/exclusions for the same event types into different rule groups. That fixed it for me on Event Type 3. Thanks for this tip, man!!

itpropaul avatar Jul 08 '19 17:07 itpropaul

@grokdesigns Thanks for the tip, this fixed my issues as well.

81Denton avatar Aug 01 '19 07:08 81Denton

We also had this issue. Thanks, @grokdesigns!

vedard avatar Aug 15 '19 20:08 vedard