On Wed, Feb 1, 2012 at 5:02 PM, alsdks <als...@gmail.com> wrote:
> try that 18152 rule again in your local rules with overwrite="yes"
> option, to overwrite the original rule and see how it goes.
>

(WARNING: I do not know if this will work! Try it, see if it works. Or not.)

Combined with the above, you could try adding your rule 100300 to
local_rules, and copy rule 18152 with the overwrite="yes" (and no
other changes) below it.

This might move the detection order to prefer the 100300 rule over
18152 when the same user is involved. Might not though, I can't test
it at the moment.

> On Feb 1, 11:20 pm, tao_zhyn <taoz...@gmail.com> wrote:
>> I want to be notified if there are 10 failed logon attempts within 2
>> minutes from the same user.
>>
>> I know that rule 18152 sends an alert when there are 10 (8) failed
>> attempts within 2 minutes.
>>
>> From msauth_rules.xml
>>
>> <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
>>      <if_matched_group>win_authentication_failed</if_matched_group>
>>      <description>Multiple Windows Logon Failures.</description>
>>      <group>authentication_failures,</group>
>> </rule>
>>
>> I have tried adding the following to my local_rules.xml
>>
>> <rule id="100300" level="10" frequency="8" timeframe="240">
>>     <if_matched_group>win_authentication_failed</if_matched_group>
>>     <same_user />
>>     <description>Possible Brute force attack against windows logins
>> (10 failures within 2 minutes).</description>
>>     <group>authentication_failures,</group>
>> </rule>
>>
>> When I use ossec_logtest the rule 18152 is fired, but never 100300.
>>
>> FYI: I have an ossec_test file with 10 lines of the same bad login
>> for testing.
>>
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: SERVER1: Pre-authentication failed: User Name: user1 User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251} Service Name: krbtgt/DOMAIN.LOCAL Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.10
>>
>> ---
>>
>> I also tried the following in my local_rules.xml in the hope that it
>> would override the one previously defined.
>>
>> <rule id="18152" level="10" frequency="8" timeframe="240">
>>      <if_matched_group>win_authentication_failed</if_matched_group>
>>      <same_user />
>>      <description>Multiple Windows Logon Failures. (Same User Test)</description>
>>      <group>authentication_failures,</group>
>> </rule>
>>
>> When I use ossec_logtest the old rule is fired; it does not have "(Same
>> User Test)" in the description.
>>
>> --
>>
>> After some playing around I went back to my first try but modified the
>> frequency.
>>
>> <rule id="100300" level="10" frequency="5" timeframe="240">
>>     <if_matched_group>win_authentication_failed</if_matched_group>
>>     <same_user />
>>     <description>Possible Brute force attack against windows logins
>> (10 failures within 2 minutes).</description>
>>     <group>authentication_failures,</group>
>> </rule>
>>
>> This would trigger the rule.  If I increased the frequency to 6 then
>> the rule 18152 would be triggered.
>>
>> Any idea of what I am doing wrong, or pointers on how to do this
>> correctly?
>>
>> Thanks
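Added example, not part of the thread and not OSSEC code: a small Python model of the question the thread turns on, namely which of two composite rules watching the same group (`win_authentication_failed`) gets to fire. It assumes (check these against your OSSEC version) that sibling rules are tried in descending order of level and, within one level, in the order they were loaded (msauth_rules.xml before local_rules.xml), that the first rule matching an event wins and later siblings are not tried, that `overwrite="yes"` changes a rule's fields in place without moving it, and that a composite rule fires once at least `frequency` earlier events in the group fall inside `timeframe` seconds (OSSEC's real threshold counting differs in detail; the point here is ordering, not the exact count). The sample events are constructed from the WinEvtLog line quoted above, with fields trimmed.

```python
"""Toy model of composite-rule ordering, in the spirit of OSSEC's
if_matched_group / frequency / timeframe / same_user. Added example;
the ordering, overwrite and counting behaviour are assumptions, not
OSSEC's source. Rule ids, levels and the group name are from the thread."""
import re
from dataclasses import dataclass

USER_RE = re.compile(r"User Name:\s+(\S+)")


@dataclass
class Rule:
    rule_id: int
    level: int
    frequency: int
    timeframe: int
    same_user: bool
    description: str


def load_rule(rules, rule, overwrite=False):
    """Append a rule; with overwrite, replace the already loaded rule of
    the same id in place (assumption: its position in the tree is kept)."""
    for i, existing in enumerate(rules):
        if existing.rule_id == rule.rule_id:
            if overwrite:
                rules[i] = rule
                return
            raise ValueError(f"duplicate rule id {rule.rule_id} without overwrite")
    rules.append(rule)


def evaluation_order(rules):
    """Higher level first; sorted() is stable, so equal levels keep load order."""
    return sorted(rules, key=lambda r: -r.level)


def parse_user(line):
    m = USER_RE.search(line)
    return m.group(1) if m else None


def run(events, rules):
    """events: [(timestamp_seconds, log_line)]. Returns [(timestamp, rule_id)]."""
    ordered = evaluation_order(rules)
    history = []  # (timestamp, user) of earlier events in the group
    alerts = []
    for ts, line in events:
        user = parse_user(line)
        if user is None:
            continue  # no user field: not an authentication failure, outside the group
        for rule in ordered:
            prior = [u for t, u in history
                     if 0 <= ts - t <= rule.timeframe
                     and (not rule.same_user or u == user)]
            if len(prior) >= rule.frequency:
                alerts.append((ts, rule.rule_id))
                break  # first matching sibling wins; the rest are not tried
        history.append((ts, user))
    return alerts


def fired_ids(alerts):
    return sorted({rid for _, rid in alerts})


def failures(user="user1", count=10, start=0):
    """Constructed events: one Kerberos pre-auth failure per second for `user`."""
    line = ("WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: "
            f"SERVER1: Pre-authentication failed: User Name: {user} Service Name: "
            "krbtgt/DOMAIN.LOCAL Failure Code: 0x19 Client Address: 10.0.0.10")
    return [(start + i, line) for i in range(count)]


R18152 = Rule(18152, 10, 8, 240, False, "Multiple Windows Logon Failures.")


def scenario(local_rule, overwrite_copy=False, events=None):
    rules = []
    load_rule(rules, R18152)                      # msauth_rules.xml, loaded first
    load_rule(rules, local_rule)                  # local_rules.xml
    if overwrite_copy:
        load_rule(rules, R18152, overwrite=True)  # copy of 18152 with overwrite="yes"
    return fired_ids(run(events or failures(), rules))


if __name__ == "__main__":
    same_level = Rule(100300, 10, 8, 240, True, "same_user, level 10")
    print(scenario(same_level))                       # [18152]: same level, loaded later, never reached
    print(scenario(same_level, overwrite_copy=True))  # [18152]: overwrite keeps 18152 in front
    print(scenario(Rule(100300, 10, 5, 240, True, "frequency 5")))  # [18152, 100300]
    print(scenario(Rule(100300, 11, 8, 240, True, "level 11")))     # [100300]: tried before 18152
    mixed = failures("user1", 5) + failures("user2", 5, start=5)
    print(scenario(Rule(100300, 11, 8, 240, True, "level 11"), events=mixed))  # [18152]
```

The last scenario is the one `same_user` is for: ten failures split over two users satisfy 18152 (any user) but never the same_user rule, even when that rule is tried first. Under the stated assumptions, the only lever that puts a later-loaded rule in front of 18152 is a higher level, which is why the frequency-5 variant fires (it is reached before 18152's threshold) while the frequency-8 variant at level 10 never does.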
