I believe I have now managed to solve my rule 18152 issue with the following rule. I was getting events generated every 30 mins and I've now not had any for the last 3 hours.
I just thought I should post what I'd done in case it helps anybody else in future, or of course in case anybody spots a fatal flaw in what I've done :^)

<rule id="100001" level="0">
  <if_level>10</if_level>
  <hostname>SERVER-NAME</hostname>
  <if_sid>18152</if_sid>
  <description>Ignoring SERVER-NAME</description>
</rule>

On 5 January 2011 09:37, Chris Tweed <christwee...@gmail.com> wrote:
> This is my first posting to this list having rolled OSSEC HIDS out to an
> estate of around 800 Windows based machines towards the end of last year as
> part of our PCI compliance strategy.
>
> Everything is running very smoothly and I just have one niggle, rule 18152.
> I have made a few other simple rule changes successfully, but so far I have
> been unable to work out a solution for this one myself and I feel like I
> could do with a bit of help.
>
> For various quite legitimate reasons none of the 800 aforementioned Windows
> machines are part of a domain, however another part of our security system
> does sit on our domain and is creating invalid login attempt events from the
> domain administrator account every time it accesses one of the machines in
> our OSSEC estate.
>
> Rule 18152 is fired and presents the following information, which I have
> edited for the sake of privacy. "CLIENT001" was the original Windows
> machine name of the PC where the OSSEC agent is installed, "DOMAIN-NAME" is
> the name of the Windows domain where the Windows server in question resides
> and "SERVER-NAME" is the name of the Windows 2008 Server machine which is
> producing the logon failures :-
>
> WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY:
> CLIENT001 : Logon Failure: Reason: Unknown user name or bad password
> User Name: Administrator Domain: DOMAIN-NAME Logon Type: 3
> Logon Process: NtLmSsp Authentication Package:
> MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: SERVER-NAME
>
> Of course I want to retain logon failure events, however I know about these
> failed logon attempts from SERVER-NAME and as the server in question makes a
> connection every 30 minutes... well, let's just say that the events are going
> to mount up a bit from an estate of 800 OSSEC installations (48 x 800 =
> 38400 event notifications per day). At the moment the Windows 2008 Server is
> only configured to connect to a small number of client machines and I can't
> really continue with the roll out of that part of our security system until
> this issue is resolved.
>
> I'm thinking that there must be a way to overwrite rule 18152 with a
> version in local_rules which will ignore any alerts mentioning "SERVER-NAME"
> in the event, but I have been unable to figure out a way to do this.
>
> Any help that anybody can offer to help me solve this would be greatly
> appreciated,
>
> Regards and thank you for reading,
>
> Chris
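The intent of the level-0 override above is narrow: drop only the logon failures that the known server generates, and keep every other failure at full severity. The following Python script is an added example (it is not from the thread and not OSSEC's own rule engine) that parses the classic "WinEvtLog:" line quoted in the message, pulls out the Workstation Name field, and models the override decision as a child rule of 18152 that returns level 0 only when the workstation is on an ignore list. The sample events, the stand-in definition of rule 18152 (here: any AUDIT_FAILURE(529) logon failure at level 10; the real rule's conditions are not quoted in the thread) and the assumption that the match is made on the event's workstation name are all constructed for the example; it also reproduces the 48 x 800 volume estimate from the original post.

```python
import re

# Constructed sample events modelled on the line quoted in the thread.
# Placeholder names (CLIENT001, DOMAIN-NAME, SERVER-NAME) are the thread's own.
SAMPLE_EVENTS = [
    # Known, expected failure from SERVER-NAME: should be suppressed.
    "WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: CLIENT001 : "
    "Logon Failure: Reason: Unknown user name or bad password User Name: Administrator "
    "Domain: DOMAIN-NAME Logon Type: 3 Logon Process: NtLmSsp Authentication Package: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: SERVER-NAME",
    # Same failure type from a workstation nobody expects (constructed): must still alert.
    "WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: CLIENT001 : "
    "Logon Failure: Reason: Unknown user name or bad password User Name: Administrator "
    "Domain: DOMAIN-NAME Logon Type: 3 Logon Process: NtLmSsp Authentication Package: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: UNKNOWN-PC",
    # A successful logon (constructed): the logon-failure rule does not apply.
    "WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: DOMAIN-NAME: CLIENT001 : "
    "Successful Logon: User Name: Administrator Domain: DOMAIN-NAME Logon Type: 3 "
    "Logon Process: NtLmSsp Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    "Workstation Name: SERVER-NAME",
]

# Header layout of the classic single-line format:
# WinEvtLog: <log>: <type>(<id>): <source>: <user>: <domain>: <computer> : <message>
EVENT_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<type>AUDIT_\w+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<computer>\S+) : (?P<msg>.*)$"
)
WORKSTATION_RE = re.compile(r"Workstation Name: (\S+)")
USERNAME_RE = re.compile(r"User Name: (\S+)")
LOGON_TYPE_RE = re.compile(r"Logon Type: (\d+)")

# Stand-in for the override rule 100001 from the post: workstations whose
# logon failures are known noise. Assumption for this example only.
IGNORED_WORKSTATIONS = {"SERVER-NAME"}


def parse_winevt(line):
    """Split a WinEvtLog line into its header fields and the logon details in the message."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError("not a WinEvtLog line: %r" % line[:40])
    ev = m.groupdict()
    msg = ev["msg"]
    ws = WORKSTATION_RE.search(msg)
    user = USERNAME_RE.search(msg)
    ltype = LOGON_TYPE_RE.search(msg)
    ev["workstation"] = ws.group(1) if ws else None
    ev["target_user"] = user.group(1) if user else None
    ev["logon_type"] = int(ltype.group(1)) if ltype else None
    return ev


def rule_18152_matches(ev):
    """Simplified stand-in for rule 18152: any audit-failure 529 logon failure."""
    return ev["type"] == "AUDIT_FAILURE" and ev["event_id"] == "529"


def evaluate(ev):
    """Alert level after the override: None if 18152 does not fire, 0 if the
    level-0 child rule swallows it, otherwise the parent's level 10."""
    if not rule_18152_matches(ev):
        return None
    if ev["workstation"] in IGNORED_WORKSTATIONS:
        return 0  # child rule 100001 (level 0): event matched but no alert raised
    return 10


def triage(lines):
    """Count how the sample events would be handled."""
    counts = {"suppressed": 0, "alerted": 0, "not_applicable": 0}
    for line in lines:
        level = evaluate(parse_winevt(line))
        if level is None:
            counts["not_applicable"] += 1
        elif level == 0:
            counts["suppressed"] += 1
        else:
            counts["alerted"] += 1
    return counts


def expected_daily_events(host_count, interval_minutes):
    """Volume estimate from the post: one failure per host per interval, all day."""
    return host_count * (24 * 60 // interval_minutes)


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_winevt(line)
        print(ev["type"], ev["event_id"], ev["workstation"], "->", evaluate(ev))
    print(triage(SAMPLE_EVENTS))
    print("daily events without override:", expected_daily_events(800, 30))
```

The point of the second sample line is the check a practitioner wants before shipping such an override: the same failure from any other workstation still comes through at level 10, so the filter removes the known noise without blinding the estate to real failed logons against the Administrator account.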