I have been receiving alerts from a Windows 2008 server for rule 18152 (multiple logon failures) and I was wondering why the server was not using active response to blackhole the source IP. I found a few responses on here stating that rule 18152 does not pull the source IP from the log files and that a custom decoder was needed to do so. I tried, and failed, so I am seeking any help that someone can give.
Here is the sanitized alert:

WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: System01: An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: System01$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 10 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: test Account Domain: System01 Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x2f4 Caller Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: System01 Source Network Address: 111.222.333.444 Source Port: 1234 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted.

Here is the closest I have made it using a custom decoder:

<decoder name="windows">
  <type>windows</type>
  <prematch>^WinEvtLog: </prematch>
  <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): \.+: \.+: \.+: \.+: \.+: \.+: \.+: </regex>
  <regex> \.+: \.+: \.+: \.+: \.+: \.+: \.+: \.+: (\.+): \.+: (\.+):</regex>
  <order>status, id, extra_data, user, system_name, srcip, srcip2</order>
  <fts>name, location, user, system_name, srcip, srcip2</fts>
</decoder>

When I test this using the ossec-logtest program, this is the response:

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '4625'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'web01'
       srcip: ' Caller Process ID'
       srcip: 'C'

**Phase 3: Completed filtering (rules).
       Rule id: '18106'
       Level: '5'
       Description: 'Windows Logon Failure.'
**Alert to be generated.

And after testing it multiple times, I get the 18152 rule:

**Phase 3: Completed filtering (rules).
       Rule id: '18152'
       Level: '10'
       Description: 'Multiple Windows Logon Failures.'
**Alert to be generated.

I used srcip2 to see where the decoder was failing. It appears that it is failing at the Windows path "C:\Windows\System32\winlogon.exe". I can get it to read the C, but I cannot get it past that section in the decoder. If I use the standard "\.+:" to skip to the next : (colon), it changes the decoding to this:

**Phase 2: Completed decoding.
       decoder: 'windows'

**Phase 3: Completed filtering (rules).
       Rule id: '18100'
       Level: '0'
       Description: 'Group of windows rules.'

Any ideas on how to write a decoder and pull the source IP address from that event?

Frank
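One way to pull srcip out of this event, added here as an example and not taken from the post above or from the OSSEC project: leave the stock two-regex "windows" decoder from decoder.xml in place as the parent and add a child decoder that anchors on the literal "Source Network Address:" label instead of counting colon-delimited fields, so the regex never has to step over the "C:\Windows\..." path. The decoder name and its placement in local_decoder.xml are assumptions; the field names (srcip, parent, prematch, regex, order) and offset values are standard OSSEC decoder syntax.

```xml
<!-- Added example child decoder (hypothetical name), assumed to live in
     etc/local_decoder.xml and to be loaded after the stock "windows" decoder,
     which must be restored so that status, id, extra_data, user and
     system_name are still decoded by the parent. -->
<decoder name="windows-logon-failure-srcip">
  <parent>windows</parent>

  <!-- Unanchored prematch: only 4625-style "account failed to log on"
       events reach the regex below; other WinEvtLog events are untouched. -->
  <prematch>An account failed to log on</prematch>

  <!-- Match on the literal label rather than skipping fields with "\.+: ".
       "Caller Process Name: C:\Windows\System32\winlogon.exe" contains a
       colon that is not followed by a space, which is what derails a
       colon-counting regex. In OSSEC regex a plain "." is a literal dot
       (while "\." means any character), so \d+.\d+.\d+.\d+ is an IPv4
       pattern. A value of "-" (local logon, no network address) or an
       IPv6 address does not match, so srcip stays unset for those events
       and active response is never handed something that is not an IP. -->
  <regex offset="after_prematch">Source Network Address: (\d+.\d+.\d+.\d+) Source Port: </regex>
  <order>srcip</order>
</decoder>
```

Feed the sanitized alert above through ossec-logtest again: a srcip field should now appear in the Phase 2 output, which is what the rule 18152 alert needs before active response can block the source.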
