Anyone have MSAUTH Custom rules written they would like to share out?

-Derek Morris

>
> In the most current msauth-rules.xml, eventid 680 is disabled, stating
> that it is a duplicate.  Unfortunately that is not the case.  A failed
> 680 event is how a Windows 2003 Server AD controller denotes a failed
> NTLM login.  A failed 672 is how it denotes failed Kerberos
> connections.
>
> These attempts will be most notable when a non-windows device attempts
> authentication using NTLM.
>
> As such, the default ruleset was missing many authentication failures
> in my environment.  I wrote the following local-rules.xml to cover
> this gap.  I also had to comment out rule 18121.
>
> <group name="local,">
>   <rule id="100000" level="0">
>         <description>User created rules</description>
>   </rule>
>
>   <rule id="100006" level="5">
>         <if_sid>18105</if_sid>
>         <id>^680</id>
>         <description>Windows NTLM Logon Failure.</description>
>         <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100007" level="7">
>         <if_sid>100006</if_sid>
>         <match>Error Code: 0xC0000064</match>
>         <description>Windows NTLM Logon Failure - Bad Username</description>
>         <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100008" level="5">
>         <if_sid>100006</if_sid>
>         <match>Error Code: 0xC000006A</match>
>         <description>Windows NTLM Logon Failure - Bad Password</description>
>         <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100009" level="7">
>         <if_sid>100006</if_sid>
>         <match>Error Code: 0xC0000234</match>
>         <description>Windows NTLM Logon Failure - Account Locked Out</description>
>         <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100010" level="7">
>         <if_sid>100006</if_sid>
>         <match>Error Code: 0xC0000072</match>
>         <description>Windows NTLM Logon Failure - Account Disabled</description>
>         <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100011" level="5">
>         <if_sid>100006</if_sid>
>         <match>Error Code: 0xC000006F</match>
>         <description>Windows NTLM Logon Failure - Account Time Restriction</description>
>         <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100012" level="5">
>         <if_sid>100006</if_sid>
>         <match>Error Code: 0xC0000070</match>
>         <description>Windows NTLM Logon Failure - Account Workstation Restriction</description>
>         <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100013" level="5">
>         <if_sid>100006</if_sid>
>         <match>Error Code: 0xC0000193</match>
>         <description>Windows NTLM Logon Failure - Account Expired</description>
>         <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100014" level="5">
>         <if_sid>100006</if_sid>
>         <match>Error Code: 0xC0000074</match>
>         <description>Windows NTLM Logon Failure - Password Expired</description>
>         <group>win_authentication_failed,</group>
>   </rule>
>
>   <rule id="100015" level="5">
>         <if_sid>100006</if_sid>
>         <match>Error Code: 0xC0000224</match>
>         <description>Windows NTLM Logon Failure - User Required To Change Password</description>
>         <group>win_authentication_failed,</group>
>   </rule>
>
> </group>
>
>
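To see how the quoted rule chain classifies events, here is an added Python evaluator (not OSSEC's own code and not part of the original posts) that loads a constructed subset of the posted local-rules.xml and applies a simplified model of OSSEC's `if_sid` / `id` / `match` semantics to constructed msauth events. Treating the built-in rule 18105 as firing for every msauth-decoded event, the event field names, and the sample log text are all assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed subset of the local-rules.xml posted in the thread (four of
# the ten rules); the remaining rules follow exactly the same pattern.
LOCAL_RULES_XML = """\
<group name="local,">
  <rule id="100006" level="5">
    <if_sid>18105</if_sid>
    <id>^680</id>
    <description>Windows NTLM Logon Failure.</description>
    <group>win_authentication_failed,</group>
  </rule>
  <rule id="100007" level="7">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000064</match>
    <description>Windows NTLM Logon Failure - Bad Username</description>
  </rule>
  <rule id="100008" level="5">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC000006A</match>
    <description>Windows NTLM Logon Failure - Bad Password</description>
  </rule>
  <rule id="100009" level="7">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000234</match>
    <description>Windows NTLM Logon Failure - Account Locked Out</description>
  </rule>
</group>
"""

# Assumption: OSSEC's built-in rule 18105, the parent that 100006 hangs off
# via if_sid, fires for every event produced by the msauth decoder.
MSAUTH_PARENT_SID = "18105"


def load_rules(xml_text):
    """Parse each <rule> element into a dict, keyed by rule id."""
    rules = {}
    for r in ET.fromstring(xml_text).findall("rule"):
        rules[r.get("id")] = {
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_sid": (r.findtext("if_sid") or "").strip() or None,
            "id_pat": (r.findtext("id") or "").strip() or None,
            "match": (r.findtext("match") or "").strip() or None,
            "description": (r.findtext("description") or "").strip(),
        }
    return rules


def rule_matches(rule, event):
    """Simplified OSSEC semantics: <id> is a regex tested against the decoded
    event id, <match> is a plain substring test on the log text.  Note that
    '^680' is only prefix-anchored; '^680$' would require an exact id."""
    if rule["id_pat"] and not re.search(rule["id_pat"], event["id"]):
        return False
    if rule["match"] and rule["match"] not in event["log"]:
        return False
    return True


def evaluate(rules, event):
    """Walk the if_sid tree down from the msauth parent and return the
    deepest matching rule, or None if the event never enters the tree."""
    if event["decoder"] != "msauth":
        return None
    current, best = MSAUTH_PARENT_SID, None
    while True:
        children = [r for r in rules.values()
                    if r["if_sid"] == current and rule_matches(r, event)]
        if not children:
            return best
        best = children[0]          # first matching child wins, as in OSSEC
        current = best["id"]        # then try that child's own children


RULES = load_rules(LOCAL_RULES_XML)

# Constructed sample events (not real log data); "log" mimics the text of a
# Windows 2003 event 680 as the msauth decoder would hand it to the rules.
SAMPLE_EVENTS = [
    {"decoder": "msauth", "id": "680", "log": "Logon account: jdoe Source Workstation: NAS01 Error Code: 0xC000006A"},
    {"decoder": "msauth", "id": "680", "log": "Logon account: nosuch Source Workstation: NAS01 Error Code: 0xC0000064"},
    {"decoder": "msauth", "id": "680", "log": "Logon account: jdoe Source Workstation: NAS01 Error Code: 0xC0000234"},
    {"decoder": "msauth", "id": "680", "log": "Logon account: jdoe Source Workstation: NAS01 Error Code: 0xC0000999"},
    {"decoder": "msauth", "id": "672", "log": "Authentication Ticket Request failed for jdoe"},
    {"decoder": "syslog", "id": "680", "log": "Error Code: 0xC000006A"},
]


def classify_all(events=SAMPLE_EVENTS):
    """Return (rule id, level, description) per event, or None for no match."""
    results = []
    for ev in events:
        hit = evaluate(RULES, ev)
        results.append((hit["id"], hit["level"], hit["description"]) if hit else None)
    return results


if __name__ == "__main__":
    for ev, res in zip(SAMPLE_EVENTS, classify_all()):
        print(ev["id"], "->", res)
```

The fourth event shows why the generic rule 100006 matters: a 680 failure with an error code none of the child rules names still fires at level 5 instead of being dropped, and the 672 event is left to the built-in Kerberos rules exactly as the post describes.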
