I knew I was missing something simple, overwrite="yes". I do vaguely remember reading about this option. Yes, it is here: http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7
Dan, your suggestion did not work. it was still preferring the 18152. Although I took your suggestion and did the following. <!-- We will overwrite the default rule and -- add a check to make sure it is the same user --> <rule id="18152" level="10" frequency="8" timeframe="240" overwrite="yes"> <if_matched_group>win_authentication_failed</if_matched_group> <same_user /> <description>Possible Brute force attack against windows logins (10 failures within 2 minutes).</description> <group>authentication_failures,</group> </rule> <!-- This rule is a copy of the original 18152 -- It will capture any other multiple failed attempts at a lower -- alert level --> <rule id="100300" level="8" frequency=10" timeframe="240"> <if_matched_group>win_authentication_failed</if_matched_group> <description>Multiple Windows Logon Failures.</description> <group>authentication_failures,</group> </rule> This will fire 18152 (Possible Brute force) if the user is the same, other wise it will fire the new rule 100300. During my testing I do see that ossec is saying the user is SYSTEM and not user1. I see that the decoder assigns dstuser: SYSTEM, which is the attribute for Security. Rule: 18139 (level 5) -> 'Windows DC Logon Failure.' User: SYSTEM WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: SERVER1: Pre-authentication failed: User Name: user1 User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251} Service Name: krbtgt/KEYANO.LOCAL Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.10 This means rule 100300 will never be fired, because any failed attempts looks like it comes from the same user. Has anyone else encountered this? I will take a look at the decoder later today to see what is going on. I may have to find or create a new log event for a failed logon attempt. I have recently created a rule to ignore Pre-Authentication fails (Failure Code: 0x18 and 0x19), since we are using windows 2003 and windows 7. -- See: http://www.mcbsys.com/techblog/2009/12/windows-7-causes-675-0x19-security-errors-in-windows-2003-domain/ -- See: http://www.ossec.net/wiki/Know_How:Multiple_Failures_WindowsAD On Feb 2, 6:18 am, "dan (ddp)" <ddp...@gmail.com> wrote: > On Wed, Feb 1, 2012 at 5:02 PM, alsdks <als...@gmail.com> wrote: > > try that 18152 rule again in your local rules with overwrite="yes" > > option , to overwrite the original rule and see how it goes . > > (WARNING: I do not know if this will work! Try it, see if it works. Or not.) > > Combined with the above, you could try adding your rule 100300 to > local_rules, and copy rule 18152 with the overwrite="yes" (and no > other changes) below it. > > This might move the detection order to prefer the 100300 rule over > 18152 when the same user is involved. Might not though, I can't test > it at the moment. > > > > > > > > > On Feb 1, 11:20 pm, tao_zhyn <taoz...@gmail.com> wrote: > >> I want to be notified if their are 10 failed logon attempts within 2 > >> minutes from the same user. > > >> I know that rule 18152 sends an alert when their are 10 (8) failed > >> attempts within 2 minutes. > > >> From msauth_rules.xml > > >> <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240"> > >> <if_matched_group>win_authentication_failed</if_matched_group> > >> <description>Multiple Windows Logon Failures.</description> > >> <group>authentication_failures,</group> > >> </rule> > > >> I have tried adding the following to my local_rules.xml > > >> <rule id="100300" level="10" frequency="8" timeframe="240"> > >> <if_matched_group>win_authentication_failed</if_matched_group> > >> <same_user /> > >> <description>Possible Brute force attack against windows logins > >> (10 failures within 2 minutes).</description> > >> <group>authentication_failures,</group> > >> </rule> > > >> When i use ossec_logtest the rule 18152 is fired, but never 100300. > > >> FYI: I have a file ossec_test file with 10 lines of the same bad login > >> for testing. > > >> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT > >> AUTHORITY: SERVER1: Pre-authentication failed: User Name: > >> user1 User ID: % > >> {S-1-5-21-1296043670-581226567-3024351967-8251} Service Name: > >> krbtgt/DOMAIN.LOCAL > >> Pre-Authentication Type: 0x0 Failure Code: 0x19 > >> Client > >> Address: 10.0.0.10 > > >> --- > > >> I also tried the following in my local_rules.xml in the hope that it > >> would override the one previously defined. > > >> <rule id="18152" level="10" frequency="8" timeframe="240"> > >> <if_matched_group>win_authentication_failed</if_matched_group> > >> <same_user /> > >> <description>Multiple Windows Logon Failures. (Same User Test)</ > >> description> > >> <group>authentication_failures,</group> > >> </rule> > > >> When I use ossec_logtest the old rule is fired, does not have "(Same > >> User Test)" in the description. > > >> -- > > >> After some playing around I went back to my first try but modified the > >> frequecy. > > >> <rule id="100300" level="10" frequency="5" timeframe="240"> > >> <if_matched_group>win_authentication_failed</if_matched_group> > >> <same_user /> > >> <description>Possible Brute force attack against windows logins > >> (10 failures within 2 minutes).</description> > >> <group>authentication_failures,</group> > >> </rule> > > >> This would trigger the rule. If I increased the frequency to 6 then > >> the rule 18152 would be triggered. > > >> Any idea at what I am doing wrong or pointers on how to do this > >> correctly. > > >> Thanks