On Wed, Feb 1, 2012 at 5:02 PM, alsdks <als...@gmail.com> wrote:
> try that 18152 rule again in your local rules with overwrite="yes"
> option, to overwrite the original rule and see how it goes.
>

(WARNING: I do not know if this will work! Try it, see if it works. Or not.)

Combined with the above, you could try adding your rule 100300 to local_rules, and copy rule 18152 with the overwrite="yes" (and no other changes) below it. This might move the detection order to prefer the 100300 rule over 18152 when the same user is involved. Might not though, I can't test it at the moment.

> On Feb 1, 11:20 pm, tao_zhyn <taoz...@gmail.com> wrote:
>> I want to be notified if there are 10 failed logon attempts within 2
>> minutes from the same user.
>>
>> I know that rule 18152 sends an alert when there are 10 (8) failed
>> attempts within 2 minutes.
>>
>> From msauth_rules.xml
>>
>> <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
>>   <if_matched_group>win_authentication_failed</if_matched_group>
>>   <description>Multiple Windows Logon Failures.</description>
>>   <group>authentication_failures,</group>
>> </rule>
>>
>> I have tried adding the following to my local_rules.xml
>>
>> <rule id="100300" level="10" frequency="8" timeframe="240">
>>   <if_matched_group>win_authentication_failed</if_matched_group>
>>   <same_user />
>>   <description>Possible Brute force attack against windows logins (10 failures within 2 minutes).</description>
>>   <group>authentication_failures,</group>
>> </rule>
>>
>> When I use ossec_logtest the rule 18152 is fired, but never 100300.
>>
>> FYI: I have a file ossec_test file with 10 lines of the same bad login
>> for testing.
>>
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: SERVER1: Pre-authentication failed: User Name: user1 User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251} Service Name: krbtgt/DOMAIN.LOCAL Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.10
>>
>> ---
>>
>> I also tried the following in my local_rules.xml in the hope that it
>> would override the one previously defined.
>>
>> <rule id="18152" level="10" frequency="8" timeframe="240">
>>   <if_matched_group>win_authentication_failed</if_matched_group>
>>   <same_user />
>>   <description>Multiple Windows Logon Failures. (Same User Test)</description>
>>   <group>authentication_failures,</group>
>> </rule>
>>
>> When I use ossec_logtest the old rule is fired, which does not have "(Same
>> User Test)" in the description.
>>
>> --
>>
>> After some playing around I went back to my first try but modified the
>> frequency.
>>
>> <rule id="100300" level="10" frequency="5" timeframe="240">
>>   <if_matched_group>win_authentication_failed</if_matched_group>
>>   <same_user />
>>   <description>Possible Brute force attack against windows logins (10 failures within 2 minutes).</description>
>>   <group>authentication_failures,</group>
>> </rule>
>>
>> This would trigger the rule. If I increased the frequency to 6 then
>> the rule 18152 would be triggered.
>>
>> Any idea what I am doing wrong, or pointers on how to do this
>> correctly?
>>
>> Thanks
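The detection the thread is after (N failures from the same user inside a time window) as a stand-alone model, added here for illustration; this is not OSSEC's own matching code, and the window-reset-after-alert behaviour, the constructed timestamps and the sample hosts are assumptions. It parses the WinEvtLog line shape quoted in the thread and shows how the outcome changes with frequency 10, 8 and 5 over the same timeline.

```python
import re
from collections import defaultdict

# Regexes for the WinEvtLog pre-authentication failure text quoted in the thread.
USER_RE = re.compile(r"User Name:\s*(\S+)")
ADDR_RE = re.compile(r"Client Address:\s*(\S+)")

# Constructed sample line in the same shape as the one posted (SID copied from the post).
TEMPLATE = ("WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: "
            "SERVER1: Pre-authentication failed: User Name: {user} User ID: "
            "%{{S-1-5-21-1296043670-581226567-3024351967-8251}} Service Name: "
            "krbtgt/DOMAIN.LOCAL Pre-Authentication Type: 0x0 Failure Code: 0x19 "
            "Client Address: {addr}")

def parse_failure(line):
    """Return (user, client_address) for an AUDIT_FAILURE line, else None."""
    if "AUDIT_FAILURE" not in line:
        return None
    user = USER_RE.search(line)
    addr = ADDR_RE.search(line)
    if not user:
        return None
    return user.group(1), addr.group(1) if addr else None

def same_user_failures(events, frequency, timeframe):
    """Model of a composite rule with <same_user/>: alert once `frequency` failures
    by one user fall inside `timeframe` seconds. `events` is [(epoch_seconds, line)].
    Assumption (not OSSEC's exact semantics): the user's window resets after an alert."""
    window = defaultdict(list)
    alerts = []
    for ts, line in events:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        user, addr = parsed
        window[user] = [t for t in window[user] if ts - t < timeframe]  # expire old hits
        window[user].append(ts)
        if len(window[user]) >= frequency:
            alerts.append((ts, user, addr, len(window[user])))
            window[user] = []
    return alerts

def sample_events():
    """Constructed timeline: 10 failures for user1 every 10 s, 3 for user2, one late user1."""
    events = [(t, TEMPLATE.format(user="user1", addr="10.0.0.10")) for t in range(0, 100, 10)]
    events += [(t, TEMPLATE.format(user="user2", addr="10.0.0.11")) for t in (5, 15, 25)]
    events.append((400, TEMPLATE.format(user="user1", addr="10.0.0.10")))
    return sorted(events)
```

Calling same_user_failures(sample_events(), N, 120) gives one alert for N=10 (at t=90) and N=8 (at t=70) and two for N=5 (at t=40 and t=90); the lone failure at t=400 never reaches the threshold because the earlier hits have expired.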