s/Microsoft/Windows/

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH
-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Chad
Sent: Friday, June 17, 2011 12:42
To: ossec-list
Subject: [ossec-list] OSSEC False Positives

Hey guys,

I know this has been covered at least a dozen times on the board, but I can't for the life of me figure this out. I'm hoping someone can help.

I am trying to suppress alerts from "Multiple Windows audit failure events." Below I have posted the entire alert:

    Rule: 18153 fired (level 10) -> "Multiple Windows audit failure events."
    Portion of the log(s):

    WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: ********.com: The Windows Filtering Platform has blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 172.22.128.3 Source Port: 2727 Destination Address: 255.255.255.255 Destination Port: 48002 Protocol: 17 Filter Information: Filter Run-Time ID: 65606 Layer Name: %%14597 Layer Run-Time ID: 13

I have written a rule, following instructions on the below URLs, to no avail.

http://groups.google.com/group/ossec-list/browse_thread/thread/810b25f9e51ecde9/d6d870cc177b6ac0?lnk=gst&q=rule+18153#d6d870cc177b6ac0
http://groups.google.com/group/ossec-list/browse_thread/thread/9c8f8f9d78c7fa48/6e1b23b8ed873cb6?lnk=gst&q=rule+18153#6e1b23b8ed873cb6

Here is the rule I have written in local_rules currently:

    <rule id="100001" level="0">
      <if_sid>18105</if_sid>
      <match>^Microsoft Filtering Platform has dropped a packet</match>
      <description>Ignore WFP packet drops</description>
    </rule>

I've tried changing the match tags to <regex>, using <srcip>, etc., per the instructions from the links above, only to wind up with the same results.

Next, I ran the event through ossec-logtest. Here are the results from it:

    WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: ******.com: The Windows Filtering Platform has blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information:

    **Phase 1: Completed pre-decoding.
           full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: ********.com: The Windows Filtering Platform has blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: '
           hostname: 'ossec'
           program_name: '(null)'
           log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: ********.com: The Windows Filtering Platform has blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: '

    **Phase 2: Completed decoding.
           decoder: 'windows'
           status: 'AUDIT_FAILURE'
           id: '5152'
           extra_data: 'Microsoft-Windows-Security-Auditing'
           dstuser: '(no user)'
           system_name: '******'

    **Rule debugging:
        Trying rule: 6 - Generic template for all windows rules.
           *Rule 6 matched.
           *Trying child rules.
        Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
        Trying rule: 18100 - Group of windows rules.
           *Rule 18100 matched.
           *Trying child rules.
        Trying rule: 18101 - Windows informational event.
        Trying rule: 18102 - Windows warning event.
        Trying rule: 18104 - Windows audit success event.
        Trying rule: 18103 - Windows error event.
        Trying rule: 18105 - Windows audit failure event.
           *Rule 18105 matched.
           *Trying child rules.
        Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
        Trying rule: 100001 - Ignore WFP packet drops
        Trying rule: 18153 - Multiple Windows audit failure events.
        Trying rule: 18106 - Windows Logon Failure.
        Trying rule: 18139 - Windows DC Logon Failure.
        Trying rule: 18180 - MS SQL Server Logon Failure.
        Trying rule: 18108 - Failed attempt to perform a privileged operation.

    **Phase 3: Completed filtering (rules).
           Rule id: '18105'
           Level: '4'
           Description: 'Windows audit failure event.'
    **Alert to be generated.

I'm hoping someone can point me in the right direction on this. Thanks in advance!
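One way to write the suppression so that it matches what ossec-logtest actually decodes, added here as an example and not a rule from the thread. It assumes OSSEC's `<match>` is tested against the full log line that logtest prints in its `log:` field (which begins with `WinEvtLog: Security:`, so a leading `^` on the message body can never match), and it uses OSSEC's `<id>` rule option to pin the rule to the decoded event id 5152 shown in Phase 2. The logtest trace shows 100001 being tried before 18153, so a level 0 match here is what keeps 18153 from counting these events.

```xml
<!-- local_rules.xml: silence WFP packet-drop audit failures (event 5152)
     before 18153 ("Multiple Windows audit failure events") can count them.
     Added example, not the rule posted in the thread. -->
<group name="local,windows,">
  <rule id="100001" level="0">
    <if_sid>18105</if_sid>
    <!-- decoded event id, as logtest reports it: id: '5152' -->
    <id>^5152$</id>
    <!-- the message text exactly as it appears in the log line
         ("Windows", "blocked"); no ^ anchor, because the log line
         starts with "WinEvtLog: Security: AUDIT_FAILURE(5152): ..." -->
    <match>The Windows Filtering Platform has blocked a packet</match>
    <description>Ignore WFP packet drops (event 5152)</description>
  </rule>
</group>
```

Run the same event through ossec-logtest again: Phase 3 should now report rule 100001 at level 0 instead of 18105 at level 4.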