Hello Dan,
As it turn out , it doesn't work for ssh too .The cdb list lookup <list field="srcip" lookup="not_address_match_key">rules/ trusted_ips</list> is not working .Major disappointment ! Any ideas why it is not working ? What I am trying to achieve is for each successful login (via ssh,rdp etc ) check the source IP against a list of trusted IP's and if it is not there create an alert. Thank you ! On Dec 5, 3:00 am, alsdks <als...@gmail.com> wrote: > Well I changes it also as you suggested just to see but again no > luck... > > Whatever change I make to the rules , I have even tried to overwrite > rule 18107 but nothing ... > > Two things are what I am looking for : Event ID: 528 and whithin that > event logon type: 10 > Then do the lookup against that cdb list .... > > Whatever I do , however I try to syntax my rules , the alert triggers > at both occations .I can't figure out why . > Is it a Windows thingy ? But in logs coming to OSSEC I cannot see why > my rules don't work ... > > It is pretty clear what I am looking for ...There is only one (1) > event of id 528 and within that the Logon type 10.Why can't I pinpoint > this ... > Or maybe I can but for some reason the cdb list lookup doesn't work > for windows ...and the alert gets triggered because bot 528 and logon > type match at each occasion . > As if the logic stops there and doesn't go further to check the IPs in > across the list . > > I have reached a dead end :( > > Thank you > > On Dec 1, 6:42 pm, "dan (ddp)" <ddp...@gmail.com> wrote: > > > > > > > > > On Wed, Nov 30, 2011 at 3:23 PM, alsdks <als...@gmail.com> wrote: > > > Hello Dan, > > > > Yes I run ossec-makelists (it said it did not need to be compiled) > > > > It is like this > > > <list>/var/ossec/rules/trusted_ips</list> > > > I don't know if this affects you since you put the full path in there, > > but lists should take the chroot into account. For instance, my lists: > > > <list>lists/blocked.txt.cdb</list> > > <list>lists/userlist.txt.cdb</list> > > > These are actually installed in /var/ossec/lists. > > > I'll try to set this up later to test. > > > > The list is not a problem as it works as expected for sshd logins . > > > > In windows however as stated I get alerted no matter if the IP is or > > > is not in the list. > > > > Thank you > > > > On Nov 28, 10:37 pm, "dan (ddp)" <ddp...@gmail.com> wrote: > > >> On Thu, Nov 24, 2011 at 9:14 PM, alsdks <als...@gmail.com> wrote: > > >> > Hello, > > > >> > I have modified the windows event decoder as described in Daniel Cid's > > >> > blog (http://dcid.me/2011/04/running-multiple-ossec-decoders-on-the- > > >> > same-event/) and successfully now extract the source IP . > > > >> > I have created a cdb list which looks like this: > > >> > 10.10.10.1:trusted_ips > > >> > 10.10.10.2:trusted_ips > > >> > #....etc (from 1 to 20 that is,I do not paste it all to save some > > >> > space , you get the idea, could be any IP )# > > >> > 10.10.10.20:trusted_ips > > > >> > Now I want to get an alert whenever someone logins to Windows via > > >> > remote Desktop from an IP that is not is this list. Windows logs an > > >> > EVENT ID: 528 with LOGON TYPE: 10 that suits (or seems so ) my > > >> > needs . > > >> > For this I created the following rules : > > > >> > <rule id="100102" level="0"> > > >> > <if_sid>18107</if_sid> > > >> > <match>Logon Type: 10</match> > > >> > <description>Remote Interactive Login (Terminal Services) </ > > >> > description> > > >> > </rule> > > > >> > <rule id="100103" level="10"> > > >> > <if_sid>100102</if_sid> > > >> > <list field="srcip" lookup="not_address_match_key">rules/ > > >> > trusted_ips</list> > > >> > <description>Alert when a user succesfully logs in from an > > >> > unapproved source IP </description> > > >> > </rule> > > > >> > No matter how much I tweaked the rules around , with any combination I > > >> > could think of , the alert gets triggered . > > > >> > ** Alert 1322185660.134412: mail - local,syslog, > > >> > 2011 Nov 25 03:47:40 (testsrv) 10.10.10.1->WinEvtLog > > >> > Rule: 100103 (level 10) -> 'Alert when a user succesfully logs in from > > >> > an unapproved source IP ' > > >> > Src IP: 10.10.10.20 > > >> > User: Administrator > > >> > WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: > > >> > OLDDOM: TESTSRV: Successful Logon: User Name: > > >> > administrator Domain: TESTDOM Logon ID: > > >> > (0x0,0x2D656E) Logon Type: 10 Logon Process: > > >> > User32 Authentication Package: Negotiate Workstation > > >> > Name: TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128- > > >> > f424fe653b09} Caller User Name: TESTSRV$ Caller Domain: > > >> > TESTDOM Caller Logon ID: (0x0,0x3E7) Caller > > >> > Process ID: 1688 Transited Services: - Source > > >> > Network Address: 10.10.10.20 Source Port: 49485 > > > >> > Ip 10.10.10.20 should not trigger the alert . > > > >> > Can anyone help what am I doing wrong , or how to make this work ? > > > >> > Thank you! > > > >> It works for me. Did you run `ossec-makelists`? > > >> How did you define the list in the manager's ossec.conf?