And I sent it too soon. The second way, with only a single <match> statement 
worked. I'm now seeing "Failed Password" in my Splunk dashboard.

Any feedback/critiques for what I'm doing? I think I have a better idea now of 
what direction to go. 

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of Sanders, Nate
Sent: Friday, May 18, 2012 2:42 PM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] Re: OSSEC large scale deployment

Thinking about it, I tried this in local_rules.xml

  <rule id="100004" level="5">
    <if_sid>18105</if_sid>
    <match>4771</match>
    <match>0x18</match>
    <description>Failed Password</description>
    <group>win_authentication_failed,</group>
  </rule>

I also tried the above with ONLY the 2nd match statement (0x18). 

I see events triggering in the alert.log for this, but I see nothing in Splunk 
for the group "Failed Password". Does anyone know exactly where Splunk gets 
its grouping from? On my OSSEC dashboard in Splunk I see, "Windows DC Logon 
Failure., Windows is shutting down, Windows audit failure event", all of these 
look to be taken right from <description> in the OSSEC rule, but the one above 
I created isn't showing up.

root@ausossec01:/var/ossec/etc$ grep -c 18105 ../logs/alerts/alerts.log
4880
root@ausossec01:/var/ossec/etc$ grep -c 100004 ../logs/alerts/alerts.log
0

It looks like my rule is not triggering. Why?


-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of Sanders, Nate
Sent: Friday, May 18, 2012 11:21 AM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] Re: OSSEC large scale deployment

> You don't necessarily need a sub-decoder to do that. You can just write 
> a subordinate rule that matches on the failure code string in the event. 
> Decoders are only needed when you want to extract a specific part of the 
> log and match it up with a specific tag for correlation purposes.

Help me wrap my brain around the actual design for this. It seems much more 
complicated than it sounds. 

The Goal:
- alert for specific Event IDs that contain specific sub codes
- don't alert on the parent ID unless you've verified the sub code matches
- regroup Event IDs into better groups (Bad Password, Invalid Username, etc) 

Problems:
- Original rule groupings contain multiple Event ID's per group
- You have to silence the original rules, regroup the event IDs into new groups 
AND match the specific sub code per parent

I'm having a hard time thinking about how to do this, on a mass scale of all 
the Windows Event IDs. 
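One way to lay out the three goals above as an OSSEC rule chain, added here as an example and not part of the thread or of OSSEC's own rule set (rule ids 100010-100012, the group names and the 0x6 branch are chosen for illustration):

```xml
<!-- Added example, not from the thread: one if_sid chain per Windows Event ID.
     Rule ids 100010-100012 and the group names are chosen for illustration. -->
<group name="local,windows,">

  <!-- Gate: fires on every 4771 that reaches the stock audit-failure rule 18105,
       but at level 0, so on its own it produces no alert. OSSEC reports only the
       most specific matching rule, so a 4771 that hits this gate and matches none
       of the children below is silenced instead of alerting as 18105. -->
  <rule id="100010" level="0">
    <if_sid>18105</if_sid>
    <match>4771</match>
    <description>Kerberos pre-auth failure (4771), sub code not yet checked</description>
  </rule>

  <!-- Child: the sub code is confirmed before anything is alerted, and the event
       is regrouped under its own description. -->
  <rule id="100011" level="5">
    <if_sid>100010</if_sid>
    <match>0x18</match>
    <description>Failed Password</description>
    <group>win_authentication_failed,</group>
  </rule>

  <!-- Second child regroups another sub code of the same Event ID.
       0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN (the account does not exist).
       <match> is a substring test, so anchor it more tightly if your log
       format has other fields where "0x6" could appear. -->
  <rule id="100012" level="5">
    <if_sid>100010</if_sid>
    <match>0x6</match>
    <description>Invalid Username</description>
    <group>win_invalid_username,</group>
  </rule>

</group>
```

Repeating the gate-plus-children pattern per Event ID keeps one <match> per rule, which is the form that worked in the follow-up above, and the gate's level 0 handles the "silence the parent" requirement without overwriting rule 18105 itself.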
