On Tuesday, November 6, 2012 4:58:24 PM UTC, dan (ddpbsd) wrote:
> On Tue, Nov 6, 2012 at 11:19 AM, Chris H <chris....@gmail.com> wrote:
> > On Tuesday, November 6, 2012 2:25:42 PM UTC, dan (ddpbsd) wrote:
> > > On Tue, Nov 6, 2012 at 8:17 AM, Chris H <chris....@gmail.com> wrote:
> > > > OK, in further digging, it doesn't work. It seemed to work under
> > > > ossec-logtest, but no alerts were firing in the real world.
> > > >
> > > > The issue I'm having is the multiple attempts alerts are firing if 10
> > > > logins fail, regardless of the user, because they all show as the
> > > > SYSTEM user.
> > > >
> > > > Thanks
> > >
> > > Which alert is firing?
> >
> > The alert is 18152 (Multiple Windows Logon Failures), which triggers after
> > 6 events. I've got one example email alert with 5 separate users in it!
>
> 18152 does not require the username to be the same:
>
> <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
>   <if_matched_group>win_authentication_failed</if_matched_group>
>   <description>Multiple Windows Logon Failures.</description>
>   <group>authentication_failures,</group>
> </rule>

I appreciate that, but based on the way it extracts the username I can't turn
it on. What I'd really like is 2 separate alerts, one for multiples of the same
user, and one for different users from the same IP. I need to extract the
fields to be able to do this.

> > Also, sometimes it will send an email over a dozen level 3 events at the
> > top, then the level 10 event at the bottom.
>
> That's normal.

OK

> > > > On Tuesday, November 6, 2012 11:13:24 AM UTC, Chris H wrote:
> > > > > Hi,
> > > > >
> > > > > I'm passing log files from Domain Controllers via the OSSEC agent, and
> > > > > trying to refine the decoders for logon events. As standard, the event
> > > > > logs the User as SYSTEM, as this is what raises the event. The event
> > > > > logs contain the User Name and Client IP. I've added a new decoder to
> > > > > local_decoder.xml, and can extract the proper username, but I'm
> > > > > struggling to capture the IP address:
> > > > >
> > > > > This works to extract the user name for events 672, 673 or 675 (which
> > > > > seem the relevant ones):
> > > > >
> > > > > <decoder name="windows_login">
> > > > >   <type>windows</type>
> > > > >   <parent>windows</parent>
> > > > >   <prematch>\((672)|(673)|(675)\)</prematch>
> > > > >   <regex>^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: (\S+):\.*:\s+User Name:\s+(\S+)\s+</regex>
> > > > >   <order>status,id,extra_data,system_name,user</order>
> > > > > </decoder>
> > > > >
> > > > > but this regex fails:
> > > > >
> > > > > <regex>^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: (\S+):\.*:\s+User Name:\s+(\S+)\s+\.+Client Address:(\d+.\d+.\d+.\d+)</regex>
> > > > >
> > > > > Any ideas?
> > > > >
> > > > > Here are some sample logs:
> > > > >
> > > > > WinEvtLog: Security: AUDIT_FAILURE(672): Security: SYSTEM: NT AUTHORITY: DC04: Authentication Ticket Request: User Name: tony.hodgson Supplied Realm Name: domain.co.uk User ID: - Service Name: krbtgt/4ucore.4ultd.co.uk Service ID: - Ticket Options: 0x40810010 Result Code: 0x6 Ticket Encryption Type: - Pre-Authentication Type: - Client Address: 10.250.0.12 Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint:
> > > > >
> > > > > WinEvtLog: Security: AUDIT_SUCCESS(672): Security: SYSTEM: NT AUTHORITY: DC04: Authentication Ticket Request: User Name: pas.components Supplied Realm Name: DOMAIN User ID: %{S-1-5-21-1577433185-774302318-2220402944-3242} Service Name: krbtgt Service ID: %{S-1-5-21-1577433185-774302318-2220402944-502} Ticket Options: 0x40810010 Result Code: - Ticket Encryption Type: 0x17 Pre-Authentication Type: 2 Client Address: 172.19.83.24 Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint:
> > > > >
> > > > > WinEvtLog: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT AUTHORITY: DC04: Service Ticket Request: User Name: Geoff.Fisher@DOMAIN User Domain: DOMAIN.CO.UK Service Name: LSG-CBP-DC03$ Service ID: %{S-1-5-21-1577433185-774302318-2220402944-36611} Ticket Options: 0x40800000 Ticket Encryption Type: 0x17 Client Address: 172.19.84.46 Failure Code: - Logon GUID: {a2767528-fbdc-b2f5-1cfb-1c204e97a4e0} Transited Services: -
> > > > >
> > > > > WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: DC04: Pre-authentication failed: User Name: W-NMAPP-01$ User ID: %{S-1-5-21-1577433185-774302318-2220402944-40192} Service Name: krbtgt/DOMAIN.CO.UK Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 172.19.93.6
> > > > >
> > > > > Thanks.
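As an added example (not from the thread and not OSSEC's own code), the Python below pulls the fields the decoder above targets out of 672/673/675 lines and then applies the two correlations Chris wants: repeated failures by one account, and many distinct accounts failing from one client address. The Python regex, the thresholds (6 in 240 s, mirroring rule 18152) and the `sample_event` lines are constructed assumptions; OSSEC's regex dialect differs (there `\.` means any character), so the pattern is not a drop-in `<regex>`.

```python
import re
from collections import defaultdict

# Python-dialect equivalent of the field layout the thread's decoder targets
# (status, event id, system name, user, client address). Not OSSEC syntax.
EVENT_RE = re.compile(
    r"^WinEvtLog: [^:]+: (?P<status>\w+)\((?P<id>\d+)\): [^:]+: [^:]+: [^:]+: "
    r"(?P<system>\S+): [^:]*: User Name:\s+(?P<user>\S+).*?"
    r"Client Address:\s+(?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def decode(line):
    """Return status/id/system/user/ip for a 672, 673 or 675 event, else None."""
    m = EVENT_RE.search(line)
    if m is None or m.group("id") not in ("672", "673", "675"):
        return None
    return m.groupdict()

def correlate(events, threshold=6, timeframe=240):
    """events: (epoch_seconds, raw_line) pairs in time order. Returns (rule, key)
    alerts: ("same_user", user) when one account fails `threshold` times within
    `timeframe` s, ("same_ip", ip) when `threshold` distinct accounts fail from one IP."""
    by_user = defaultdict(list)   # user -> timestamps of recent AUDIT_FAILUREs
    by_ip = defaultdict(dict)     # ip -> {user: latest failure timestamp}
    alerts = []
    for ts, line in events:
        ev = decode(line)
        if ev is None or ev["status"] != "AUDIT_FAILURE":
            continue                      # successes never count toward either rule
        hits = by_user[ev["user"]]
        hits.append(ts)
        hits[:] = [t for t in hits if ts - t <= timeframe]   # drop expired failures
        if len(hits) >= threshold:
            alerts.append(("same_user", ev["user"]))
            hits.clear()                  # reset the window once the rule fires
        seen = by_ip[ev["ip"]]
        seen[ev["user"]] = ts
        for stale in [u for u, t in seen.items() if ts - t > timeframe]:
            del seen[stale]
        if len(seen) >= threshold:
            alerts.append(("same_ip", ev["ip"]))
            seen.clear()
    return alerts

# Constructed sample event in the shape of the thread's 675 line (tabs collapsed to spaces).
def sample_event(status, user, ip, eid="675"):
    return (f"WinEvtLog: Security: {status}({eid}): Security: SYSTEM: NT AUTHORITY: DC04: "
            f"Pre-authentication failed: User Name: {user} User ID: - Service Name: "
            f"krbtgt/EXAMPLE.LOCAL Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: {ip}")
```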