Hello

Thanks for your reply.

The events are coming from Active Directory running SNARE, which then
forwards them to Syslog-NG.
OSSEC tails the dedicated syslog-ng log.

Does it help?

Kind regards

On Dec 23, 5:18 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> These event messages seem odd. Running the first one through logtest
> gives me the following:
> 2010/12/23 11:12:21 ossec-testrule: INFO: Reading local decoder file.
> 2010/12/23 11:12:21 ossec-testrule: INFO: Started (pid: 25248).
> ossec-testrule: Type one log per line.
>
> Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME     MSWinEventLog   1
> Security        19699453        Thu: Dec 23 09:08:15 2010       680
> Security        USERXXX User    Success Audit   DOMAINCONTROLERNAME
> Account Logon           Logon attempt by:
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account: USERACCOUNT
> Source Workstation: STATIONNAMEXXX    Error Code: 0x0
> 19695682
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME
> MSWinEventLog   1 Security        19699453        Thu: Dec 23 09:08:15
> 2010       680 Security        USERXXX User    Success Audit
> DOMAINCONTROLERNAME Account Logon           Logon attempt by:
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account: USERACCOUNT
> Source Workstation: STATIONNAMEXXX    Error Code: 0x0
> 19695682 '
>        hostname: '1.1.1.1'
>        program_name: '(null)'
>        log: 'DOMAINCONTROLERNAME     MSWinEventLog   1 Security
> 19699453        Thu: Dec 23 09:08:15 2010       680 Security
> USERXXX User    Success Audit   DOMAINCONTROLERNAME Account Logon
>      Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon
> account: USERACCOUNT Source Workstation: STATIONNAMEXXX    Error Code:
> 0x0          19695682 '
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '1002'
>        Level: '2'
>        Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> How are these messages being passed to OSSEC?
>
> On Thu, Dec 23, 2010 at 3:34 AM, Js Opdebeeck <js.opdebe...@gmail.com> wrote:
> > Hello
>
> > Rule: 1002 'Unknown problem somewhere in the system.' represents 45% of
> > the alerts and
>
> > Here are 2 kinds of alert that should be passed to 0 or at least
> > correctly classified.
> > Those are 'Failures' and 'Errors', but I thought they would be handled
> > by 'msauth_rules.xml'
>
> > Has someone already re-classified this kind of rule? If not, I'll
> > probably have to (mute them at least)
>
> > ** Alert 1293091695.18221016: - syslog,errors,
> > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> > Src IP: (none)
> > User: (none)
> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME     MSWinEventLog   1
> > Security        19699453        Thu: Dec 23 09:08:15 2010       680
> > Security        USERXXX User    Success Audit   DOMAINCONTROLERNAME
> > Account Logon           Logon attempt by:
> > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account: USERACCOUNT
> > Source
> > Workstation: STATIONNAMEXXX    Error Code: 0x0          19695682
>
> > ** Alert 1293091695.18219733: - syslog,errors,
> > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> > Src IP: (none)
> > User: (none)
> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME     MSWinEventLog   1
> > Security        19699449        Thu: Dec 23 09:08:14 2010       673
> > Security        SYSTEM  User    Success Audit   DOMAINCONTROLERNAME
> > Account Logon           Service Ticket Request:     User Name:
> > stationna...@petercam.corp     User Domain: PETERCAM.CORP     Service
> > Name:
> > krbtgt     Service ID: %{S-1-5-21-1424381949-1679034567-623647154-502}
> > Ticket Options: 0x60810010     Ticket Encryption Type: 0x17     Client
> > Address: 10.10.10.1     Failure Code: -     Logon GUID:
> > {d3ba7bf0-795b-27fd-f4a8-d70ed4268f72}     Transited Services: -
> > 19695678
>
> > Kind regards
>
> > Js Op de Beeck
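The two events quoted above are Snare's tab-delimited MSWinEventLog records wrapped in a syslog line by syslog-ng, with no program name in the header, which is why ossec-logtest reports hostname '1.1.1.1', program_name '(null)' and no matching decoder. The parser below, added here as an illustration and not code from OSSEC, Snare, syslog-ng or anyone in the thread, splits such a line into its Snare fields, pulls the "Key: value" pairs out of the data string, and triages success audits to level 0 while keeping failures, which is the classification the thread asks for. It assumes Snare's default field order (the field names are this example's own), and the two sample lines are constructed from the quoted events with the tabs restored, since the mailing-list archive flattened them to spaces.

```python
"""Parse Snare-format Windows Security events forwarded through syslog-ng.

Added example for this thread; not OSSEC, Snare or syslog-ng code.
Assumptions: Snare's default tab-delimited MSWinEventLog layout, and a
syslog line of the form "Mon DD HH:MM:SS host <record>" with no program
name (the shape ossec-logtest showed in the thread).
"""
import re

# Constructed sample lines modelled on the two events quoted in the thread.
SAMPLE_680 = "Dec 23 09:08:13 1.1.1.1 " + "\t".join([
    "DOMAINCONTROLERNAME", "MSWinEventLog", "1", "Security", "19699453",
    "Thu: Dec 23 09:08:15 2010", "680", "Security", "USERXXX", "User",
    "Success Audit", "DOMAINCONTROLERNAME", "Account Logon",
    "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    "
    "Logon account: USERACCOUNT    Source Workstation: STATIONNAMEXXX    "
    "Error Code: 0x0",
    "19695682",
])
SAMPLE_673 = "Dec 23 09:08:13 1.1.1.1 " + "\t".join([
    "DOMAINCONTROLERNAME", "MSWinEventLog", "1", "Security", "19699449",
    "Thu: Dec 23 09:08:14 2010", "673", "Security", "SYSTEM", "User",
    "Success Audit", "DOMAINCONTROLERNAME", "Account Logon",
    "Service Ticket Request:     User Name: stationna...@petercam.corp     "
    "User Domain: PETERCAM.CORP     Service Name: krbtgt     "
    "Service ID: %{S-1-5-21-1424381949-1679034567-623647154-502}     "
    "Ticket Options: 0x60810010     Ticket Encryption Type: 0x17     "
    "Client Address: 10.10.10.1     Failure Code: -     "
    "Logon GUID: {d3ba7bf0-795b-27fd-f4a8-d70ed4268f72}     "
    "Transited Services: -",
    "19695678",
])

SYSLOG_PREFIX = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<rest>.*)$"
)

# Snare MSWinEventLog field order; these names are this example's own.
SNARE_FIELDS = (
    "hostname", "source", "criticality", "log_name", "snare_counter",
    "datetime", "event_id", "source_name", "user", "sid_type",
    "event_type", "computer", "category", "data",
)

# "Key Name: value" pairs inside the data string. A key is a Title-case word
# plus up to three more words, then a colon. A value that itself looks like
# "Word Word:" would be mis-split; the events in the thread contain none.
KEY_RE = re.compile(r"(?<!\S)([A-Z][a-z]+(?: [A-Za-z]+){0,3}):(?=\s|$)")

# Windows 2003-era Security event IDs seen in the thread.
KNOWN_EVENT_IDS = {
    "680": "NTLM authentication (account used for logon by)",
    "673": "Kerberos service ticket request",
}


def parse_data(data):
    """Split the Snare data string into an ordered dict of key/value pairs."""
    keys = list(KEY_RE.finditer(data))
    out = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(data)
        out[k.group(1)] = data[k.end():end].strip()
    return out


def parse_snare(line):
    """Return a dict for one syslog line carrying a Snare record, else None."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    parts = m.group("rest").split("\t")
    if len(parts) < len(SNARE_FIELDS) or parts[1] != "MSWinEventLog":
        return None
    ev = dict(zip(SNARE_FIELDS, parts))
    ev["trailer"] = parts[len(SNARE_FIELDS):]   # expanded string / checksum, if any
    ev["syslog_host"] = m.group("host")          # what OSSEC pre-decoding calls hostname
    ev["fields"] = parse_data(ev["data"])
    return ev


def triage(ev):
    """Return (level, description): success audits drop to 0, failures alert.

    Besides the Snare event type, a non-zero NTLM Error Code or a Kerberos
    Failure Code other than '-' is treated as a failure.
    """
    desc = KNOWN_EVENT_IDS.get(ev["event_id"], "Windows event %s" % ev["event_id"])
    failed = (ev["event_type"] == "Failure Audit"
              or ev["fields"].get("Error Code", "0x0") != "0x0"
              or ev["fields"].get("Failure Code", "-") != "-")
    if failed:
        return 5, desc + " (failure)"
    if ev["event_type"] == "Success Audit":
        return 0, desc + " (success)"
    return 2, desc


if __name__ == "__main__":
    for line in (SAMPLE_680, SAMPLE_673):
        ev = parse_snare(line)
        print(ev["event_id"], ev["user"], ev["event_type"], triage(ev))
```

Running it against the two constructed lines yields level 0 for both, since both are success audits with a clean error code; a 680 with a non-zero Error Code, or a Failure Audit record, comes out at level 5 with a description that names the failure, which is the split between noise and failures the thread is after.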
