Thinking about it, I tried this in local_rules.xml:

  <rule id="100004" level="5">
    <if_sid>18105</if_sid>
    <match>4771</match>
    <match>0x18</match>
    <description>Failed Password</description>
    <group>win_authentication_failed,</group>
  </rule>
I also tried the above with ONLY the 2nd match statement (0x18). I see events triggering in the alert.log for this, but I see nothing in Splunk for the group "Failed Password". Does anyone know exactly where Splunk gets its grouping from? On my OSSEC dashboard in Splunk I see "Windows DC Logon Failure., Windows is shutting down, Windows audit failure event"; all of these look to be taken right from <description> in the OSSEC rule, but the one above I created isn't showing up.

  root@ausossec01:/var/ossec/etc$ grep -c 18105 ../logs/alerts/alerts.log
  4880
  root@ausossec01:/var/ossec/etc$ grep -c 100004 ../logs/alerts/alerts.log
  0

It looks like my rule is not triggering. Why?

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Sanders, Nate
Sent: Friday, May 18, 2012 11:21 AM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] Re: OSSEC large scale deployment

> You don't necessarily need a sub-decoder to do that. You can just write
> a subordinate rule that matches on the failure code string in the event.
> Decoders are only needed when you want to extract a specific part of the
> log and match it up with a specific tag for correlation purposes.

Help me wrap my brain around the actual design for this. It seems much more complicated than it sounds.

The Goal:
- alert for specific Event IDs that contain specific sub codes
- don't alert on the parent ID unless you've verified the sub code matches
- regroup Event IDs into better groups (Bad Password, Invalid Username, etc.)

Problems:
- Original rule groupings contain multiple Event IDs per group
- You have to silence the original rules, regroup the event IDs into new groups AND match the specific sub code per parent

I'm having a hard time thinking about how to do this on a mass scale of all the Windows Event IDs.
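One way to lay out the silence-the-parent, re-raise-per-sub-code, regroup design discussed above, as an added local_rules.xml example that is not from this thread or from the OSSEC project: the rule ids, the group names and the 0x6 "invalid username" sub code are assumptions, and the <id> element assumes the stock Windows eventlog decoder stores the Event ID in the id field.

```xml
<!-- Added example: parent/child layout for one Windows Event ID (4771).
     Rule ids 100100-100102 and the group names are assumed, not from the thread. -->
<group name="local,windows,">

  <!-- Parent: catch every 4771 that the stock rule 18105 (audit failure) already
       saw, at level 0 so the bare Event ID never alerts on its own.
       <id> assumes the stock windows decoder exposes the Event ID as the id field. -->
  <rule id="100100" level="0">
    <if_sid>18105</if_sid>
    <id>^4771$</id>
    <description>Kerberos pre-auth failure (parent, silenced)</description>
  </rule>

  <!-- Children: one per sub code, chained off the parent with if_sid so the
       Event ID and the sub code are ANDed by rule inheritance, each rule
       carrying a single <match>. 0x18 (bad password) is the code from the thread. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>0x18</match>
    <description>Failed Password (Kerberos pre-auth, code 0x18)</description>
    <group>win_authentication_failed,bad_password,</group>
  </rule>

  <!-- 0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN, assumed here as the "Invalid Username" case. -->
  <rule id="100102" level="5">
    <if_sid>100100</if_sid>
    <match>0x6</match>
    <description>Invalid Username (Kerberos pre-auth, code 0x6)</description>
    <group>win_authentication_failed,invalid_user,</group>
  </rule>

</group>
```

<match> is a substring test, so check a sample 4771 line from alerts.log to confirm a short code such as 0x6 cannot collide with other text in the event before relying on the grouping; the same grep -c used above on ids 100101 and 100102 shows whether the children are firing.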