Merge pull request #611 from ddpbsd/sysmon_bm

Sysmon decoder update

contrib/ossec-testing/tests/sysmon.ini

@@ -9,3 +9,10 @@ log 1 pass = 2014 Dec 20 12:15:13 (HME-TEST-01) 10.0.15.14->WinEvtLog 2014 Dec 2
 rule = 184667
 alert = 0
 decoder = Sysmon-EventID#1
+
+[Windows Event]
+2015 Mar 30 15:47:04 WinEvtLog: System: INFORMATION(1): Sysmon: UserName: SYSTEM-NAME: SYSTEM-NAME: Process Create:      UtcTime: 3/30/2015 10:47:04.494 PM      ProcessGuid: {7531FA7E-D268-5519-0000-00105DF81A06}      ProcessId: 4388      Image: C:\WINDOWS\system32\cmd.exe      CommandLine: "C:\windows\system32\cmd.exe"       User: SYSTEM-NAME\UserName      LogonGuid: {7531FA7E-CFE1-5519-0000-0020F62C1906}      LogonId: 0x6192cf6      TerminalSessionId: 3      IntegrityLevel: no level      HashType: SHA1      Hash: 254E37EC33C921C5AB253F14F9274F349B3CCC2D      ParentProcessGuid: {7531FA7E-CFE2-5519-0000-0010CC5A1906}      ParentProcessId: 1008      ParentImage: C:\WINDOWS\explorer.exe      ParentCommandLine: C:\windows\Explorer.EXE
+rule = 18101
+alert = 0
+decoder = Sysmon-EventID#1
+

etc/decoder.xml

@@ -2636,7 +2636,7 @@ Author and (c): Michael Starks, 2014 -->
 <decoder name="Sysmon-EventID#1">
 <type>windows</type>
 <prematch>INFORMATION\(1\)</prematch>
-<regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \S* \s*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
+<regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
 <order>status,user,url,data</order>
 </decoder>