The problem I found was that the Windows decoder in the server
/dev/ossec/etc/decoder.xml does not extract the "srcip", so you have nothing to
work with to block.

Now this is what I replaced mine with:

<decoder name="windows">
  <type>windows</type>
  <prematch>^WinEvtLog: </prematch>
  <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+):</regex>
  <regex> \.+: \.+: \.+: \.+: \.+: \.+: </regex>
  <regex>\.+: \.+: \.+: \.+: \.+: \.+: \.+: \.+:</regex>
  <regex>\.(\S+)</regex>
  <order>status, id, extra_data, user, system_name, srcip</order>
  <fts>name, location, user, system_name</fts>
</decoder>

Then, in /dev/ossec/rules/msauth.xml, I replaced rule 18152 with:

  <rule id="181521" level="10" frequency="$MS_FREQ" timeframe="240">
    <if_matched_group>win_authentication_failed</if_matched_group>
    <same_source_ip />
    <description>Multiple Windows Logon Failures Same IP.</description>
    <group>authentication_failures,</group>
  </rule>
  <rule id="181522" level="10" frequency="$MS_FREQ" timeframe="240">
    <if_matched_group>win_authentication_failed</if_matched_group>
    <description>Multiple Windows Logon Failures.</description>
    <group>authentication_failures,</group>
  </rule>

I also dropped $MS_FREQ (start of msauth.xml) to 3.

This works for me, and my Windows clients are well protected.

I am sure someone could write a far more eloquent decoder regex - sorry, I'm just
coming to grips with that. I'm also uncertain if this will work against
anything other than Server 2003, for which it is written.

But it is only the decoder that needs some tuning; the rest seems fine.

Regards

Andy
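To see what the posted decoder and rules actually do, here is a replay of them over constructed Server 2003 event 529 lines, written in Python as an added example (it is not OSSEC code and not Andy's). It emulates OSSEC's regex dialect with Python's re under two assumptions: `\.` means any character, and a `\.+` run stops at the first point where the rest of the pattern matches, so each `\.+: ` consumes exactly one colon-separated field; the 14 `\.+:` segments in the posted decoder then line up with the 14 labelled fields of event 529 that precede "Source Network Address". The event lines, hostnames, IPs and timestamps are constructed; the `STOCK_DECODER` is a stand-in built from the posted decoder's first two regex lines; status AUDIT_FAILURE stands in for the win_authentication_failed group; and the correlation is a plain sliding window that fires on the third hit, which is the intent of rule 181521 rather than OSSEC's exact counter. With the stand-in stock decoder no srcip comes out, so the `<same_source_ip />` rule never fires, while the posted decoder yields `srcip` and rule 181521 fires on the third failure from 10.0.0.5; rule 181522, with no source-IP constraint, fires either way.

```python
import re
from collections import defaultdict, deque

# The decoder as posted; OSSEC joins the <regex> lines into one pattern.
POSTED_DECODER = {
    "prematch": r"^WinEvtLog: ",
    "regex": [r"^\.+: (\w+)\((\d+)\): (\.+): ",
              r"(\.+): \.+: (\S+):",
              r" \.+: \.+: \.+: \.+: \.+: \.+: ",
              r"\.+: \.+: \.+: \.+: \.+: \.+: \.+: \.+:",
              r"\.(\S+)"],
    "order": ["status", "id", "extra_data", "user", "system_name", "srcip"],
}
# Stand-in for the stock decoder: the same first two lines, so never a srcip.
STOCK_DECODER = {"prematch": POSTED_DECODER["prematch"],
                 "regex": POSTED_DECODER["regex"][:2],
                 "order": POSTED_DECODER["order"][:5]}

def ossec_regex_to_python(pattern):
    """Emulate OSSEC regex syntax with Python re (assumed semantics): "\\." is any
    character; "+"/"*" stop where the rest of the pattern first matches (one
    colon-separated field per "\\.+: "), except at the end, where they take all."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            i += 2
            if nxt == ".":
                out.append(".")
            elif nxt in "wdsSWDt":
                out.append("\\" + nxt)      # close enough to OSSEC's classes
            else:
                out.append(re.escape(nxt))  # \( \) and so on are literals
        elif c in "+*":
            rest = pattern[i + 1:].lstrip(")")
            out.append(c if rest in ("", "$") else c + "?")
            i += 1
        else:
            out.append(c if c in "^$()|" else re.escape(c))  # bare "." is a dot
            i += 1
    return "".join(out)

def decode(line, dec):
    """Fields in <order>; {} if prematch hit but the regex did not; None if
    the decoder does not apply to the line at all."""
    pm = re.search(ossec_regex_to_python(dec["prematch"]), line)
    if pm is None:
        return None
    m = re.search(ossec_regex_to_python("".join(dec["regex"])),
                  line[pm.end():])                    # offset="after_prematch"
    return dict(zip(dec["order"], m.groups())) if m else {}

class FrequencyRule:
    """Sliding-window stand-in for <frequency>/<timeframe>/<same_source_ip/>;
    fires on the frequency-th hit (OSSEC's own counter needs more than that)."""
    def __init__(self, rule_id, frequency, timeframe, same_source_ip):
        self.rule_id, self.frequency = rule_id, frequency
        self.timeframe, self.same_source_ip = timeframe, same_source_ip
        self.window = defaultdict(deque)

    def feed(self, ts, fields):
        key = fields.get("srcip") if self.same_source_ip else "*"
        if key is None:
            return None         # no decoded srcip: same_source_ip never holds
        q = self.window[key]
        q.append(ts)
        while ts - q[0] > self.timeframe:
            q.popleft()
        if len(q) < self.frequency:
            return None
        q.clear()               # fresh window after firing
        return {"rule": self.rule_id, "srcip": key, "ts": ts}

def event_529(src_ip, user):
    """Constructed Server 2003 event 529 as the agent forwards it (sample)."""
    return ("WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: "
            "NT AUTHORITY: FILESRV: Logon Failure: Reason: Unknown user name "
            f"or bad password User Name: {user} Domain: FILESRV Logon Type: 3 "
            "Logon Process: NtLmSsp Authentication Package: NTLM Workstation "
            "Name: WORKSTATION Caller User Name: - Caller Domain: - Caller "
            "Logon ID: - Caller Process ID: - Transited Services: - "
            f"Source Network Address: {src_ip} Source Port: 4521")

EVENTS = [(100, event_529("10.0.0.5", "administrator")),   # (seconds, line)
          (150, event_529("10.0.0.5", "administrator")),
          (170, event_529("10.0.0.9", "backup")),
          (200, event_529("10.0.0.5", "admin")),
          (900, event_529("10.0.0.5", "administrator"))]   # outside 240 s

def run(decoder, events, frequency=3, timeframe=240):
    """AUDIT_FAILURE stands in for the win_authentication_failed group."""
    rules = [FrequencyRule(181521, frequency, timeframe, True),
             FrequencyRule(181522, frequency, timeframe, False)]
    alerts = []
    for ts, line in events:
        fields = decode(line, decoder) or {}
        if fields.get("status") == "AUDIT_FAILURE":
            alerts += [a for a in (r.feed(ts, fields) for r in rules) if a]
    return alerts
```

Running `run(STOCK_DECODER, EVENTS)` gives only the 181522 alert at t=170, while `run(POSTED_DECODER, EVENTS)` adds the 181521 alert for 10.0.0.5 at t=200; the failure at t=900 is alone in its window and fires nothing. Note that this emulation is only as faithful as its assumptions about OSSEC's matcher, so the same lines should be checked with ossec-logtest before relying on the decoder against anything other than the Server 2003 layout it was written for.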
 


-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of Martin Gottlieb
Sent: Saturday, 23 April 2011 9:14 a.m.
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Active Response on Windows events


Thanks!  I'll give that a try.  Sorry if I wasn't entirely clear about this.

Martin

On 4/22/2011 5:12 PM, dan (ddp) wrote:
> Hi Martin,
>
> On Fri, Apr 22, 2011 at 5:08 PM, Martin Gottlieb <mar...@axion-it.net> wrote:
>> Shouldn't this block from the config on the OSSEC server:
>>
>>    <active-response>
>>      <!-- Firewall Drop response. Block the IP for
>>         - 600 seconds on the firewall (iptables,
>>         - ipfilter, etc).
>>        -->
>>      <command>firewall-drop</command>
>>      <location>as</location>
>>      <level>6</level>
>>      <timeout>3600</timeout>
>>    </active-response>
>>
>> cause the firewall drop script to be run on the server for any event 
>> that is level 6 or higher, regardless of which agent it came from?  
>> That's all I'm trying to accomplish, I don't need anything to run on 
>> the Windows agent if I can get the firewall drop script to run on the 
>> server.
>>
>> Thanks.
>>
>> Martin
>>
> Oh, I get it now. Your <location> field looks wrong. It should be
> <location>server</location>
> http://www.ossec.net/doc/syntax/head_ossec_config.active-responce.html#element-active-response.location
>
>> On 4/22/2011 4:58 PM, dan (ddp) wrote:
>>
>> Hi Martin,
>>
>> On Fri, Apr 22, 2011 at 4:37 PM, Martin Gottlieb <mar...@axion-it.net> wrote:
>>
>> I guess what I'm trying to understand is this:
>>
>> When an event is triggered from a Linux agent, the firewall drop 
>> script is run on the OSSEC server (in addition to the hosts deny 
>> script being called on the agent).  I don't recall doing anything 
>> special to make this happen when I installed OSSEC, I assume it is 
>> part of the default behavior.
>>
>> The default action (if I'm reading
>> https://bitbucket.org/dcid/ossec-hids/src/4908b28513b0/etc/ossec-server.conf
>> correctly) is that the script is run on the system where the log
>> message originated.
>> Unless you changed the configurations the scripts shouldn't be 
>> running on both the server and the agents.
>>
>> When an event is triggered on a Windows agent, the firewall drop 
>> script is NOT called on the server, but I would like it to be.  I 
>> would like the default behavior on Windows agents to be the same as 
>> Linux agents, at least as far as what happens on the OSSEC server.  
>> The Windows agent is obviously reporting the event to the server as 
>> it logs it and reports it to me.
>>
>> Am I understanding the responses so far to mean that I have to write 
>> a script to make this happen, and that the script needs to reside on 
>> the Windows agent?
>>
>> Thanks again.
>>
>> Martin
>>
>> The script would have to reside on all of the systems you want it to 
>> run on. Having it run on both Windows and Linux systems may be 
>> difficult.
>>
>>
