On Tuesday, November 6, 2012 4:58:24 PM UTC, dan (ddpbsd) wrote:
>
> On Tue, Nov 6, 2012 at 11:19 AM, Chris H <chris....@gmail.com> wrote: 
> > 
> > 
> > On Tuesday, November 6, 2012 2:25:42 PM UTC, dan (ddpbsd) wrote: 
> >> 
> >> On Tue, Nov 6, 2012 at 8:17 AM, Chris H <chris....@gmail.com> wrote: 
> >> > OK, in further digging, it doesn't work.  It seemed to work under 
> >> > ossec-logtest, but no alerts were firing in the real world. 
> >> > 
> >> > The issue I'm having is the multiple attempts alerts are firing if 10 
> >> > logins fail, regardless of the user, because they all show as the SYSTEM 
> >> > user. 
> >> > 
> >> > Thanks 
> >> > 
> >> 
> >> Which alert is firing? 
> > 
> > 
> > The alert is 18152 (Multiple Windows Logon Failures), which triggers 
> > after 6 events.  I've got one example email alert with 5 separate users in it! 
> > 
>
> 18152 does not require the username to be the same: 
>
>   <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240"> 
>     <if_matched_group>win_authentication_failed</if_matched_group> 
>     <description>Multiple Windows Logon Failures.</description> 
>     <group>authentication_failures,</group> 
>   </rule> 
>

I appreciate that, but based on the way it extracts the username I can't 
turn it on.  What I'd really like is 2 separate alerts, one for multiples 
of the same user, and one for different users from the same IP.  I need to 
extract the fields to be able to do this. 

>
> > Also, sometimes it will send an email over a dozen level 3 events at the 
> > top, then the level 10 event at the bottom. 
> > 
>
> That's normal. 
>
OK 

> >> 
> >> 
> >> > 
> >> > On Tuesday, November 6, 2012 11:13:24 AM UTC, Chris H wrote: 
> >> >> 
> >> >> Hi, 
> >> >> 
> >> >> I'm passing log files from Domain Controllers via the OSSEC agent, and 
> >> >> trying to refine the decoders for logon events.  As standard, the event 
> >> >> logs the User as SYSTEM, as this is what raises the event.  The event logs 
> >> >> contain the User Name and Client IP.  I've added a new decoder to 
> >> >> local_decoder.xml, and can extract the proper username, but I'm struggling 
> >> >> to capture the IP address: 
> >> >> 
> >> >> This works to extract the user name for events 672, 673 or 675 (which seem 
> >> >> the relevant ones): 
> >> >> 
> >> >> <decoder name="windows_login"> 
> >> >>         <type>windows</type> 
> >> >>         <parent>windows</parent> 
> >> >>         <prematch>\((672)|(673)|(675)\)</prematch> 
> >> >>         <regex>^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: (\S+):\.*:\s+User Name:\s+(\S+)\s+</regex> 
> >> >>         <order>status,id,extra_data,system_name,user</order> 
> >> >> </decoder> 
> >> >> 
> >> >> 
> >> >> but this regex fails: 
> >> >> <regex>^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: (\S+):\.*:\s+User Name:\s+(\S+)\s+\.+Client Address:(\d+.\d+.\d+.\d+)</regex> 
> >> >> 
> >> >> 
> >> >> 
> >> >> Any ideas?  Here are some sample logs: 
> >> >> 
> >> >> WinEvtLog: Security: AUDIT_FAILURE(672): Security: SYSTEM: NT AUTHORITY: DC04: Authentication Ticket Request:      User Name:      tony.hodgson     Supplied Realm Name: domain.co.uk       User ID:                 -       Service Name:   krbtgt/4ucore.4ultd.co.uk       Service ID:     -       Ticket Options:         0x40810010      Result Code:    0x6     Ticket Encryption Type: -       Pre-Authentication Type: -      Client Address:  10.250.0.12    Certificate Issuer Name:        Certificate Serial Number:      Certificate Thumbprint: 
> >> >> 
> >> >> WinEvtLog: Security: AUDIT_SUCCESS(672): Security: SYSTEM: NT AUTHORITY: DC04: Authentication Ticket Request:           User Name: pas.components          Supplied Realm Name: DOMAIN       User ID: %{S-1-5-21-1577433185-774302318-2220402944-3242}       Service Name: krbtgt          Service ID: %{S-1-5-21-1577433185-774302318-2220402944-502}         Ticket Options: 0x40810010      Result Code:    -       Ticket Encryption Type: 0x17    Pre-Authentication Type: 2      Client Address:       172.19.83.24    Certificate Issuer Name:        Certificate Serial Number:      Certificate Thumbprint: 
> >> >> 
> >> >> WinEvtLog: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT AUTHORITY: DC04: Service Ticket Request:          User Name: Geoff.Fisher@DOMAIN    User Domain:    DOMAIN.CO.UK      Service Name:   LSG-CBP-DC03$    Service ID:   %{S-1-5-21-1577433185-774302318-2220402944-36611}    Ticket Options:         0x40800000      Ticket Encryption Type: 0x17    Client Address:         172.19.84.46            Failure Code:   -    Logon GUID:     {a2767528-fbdc-b2f5-1cfb-1c204e97a4e0}       Transited Services: - 
> >> >> 
> >> >> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: DC04: Pre-authentication failed:       User Name: W-NMAPP-01$      User ID: %{S-1-5-21-1577433185-774302318-2220402944-40192}       Service Name: krbtgt/DOMAIN.CO.UK       Pre-Authentication Type: 0x0     Failure Code: 0x19      Client Address: 172.19.93.6 
> >> >> 
> >> >> 
> >> >> Thanks. 
>
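An added example, not code from the thread or from OSSEC: the decoder fields and the two correlations Chris asks for (one user failing repeatedly, and several different users failing from one client IP), written in Python so they can be run against the sample events above. OSSEC's regex dialect is not Python's (in an OSSEC `<regex>`, `\.` matches any character and `.` is a literal dot), so the pattern below is a translation, not a drop-in replacement for the `<regex>` element. In the sample lines, `Client Address:` is followed by a run of spaces or tabs before the IP, which `Client Address:(\d+.\d+.\d+.\d+)` does not allow for; the IP is therefore matched with `\s*` after the colon, and as a separate pattern so that an event with no client address still decodes rather than failing the whole decoder. In OSSEC rule terms the two correlations correspond to the `<same_user />` and `<same_source_ip />` options on a frequency rule. The four thread events are abridged; the extra users `alice` to `erin`, the `0x18` failure code and the threshold of 6 are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Field order follows the thread's decoder: status, id, extra_data, system_name,
# user. OSSEC's regex dialect is not Python's ("\." is any character in OSSEC,
# "." is a literal dot), so this is a translation, not a drop-in <regex>.
HEADER_RE = re.compile(
    r"^WinEvtLog: [^:]+: (?P<status>\w+)\((?P<id>\d+)\): (?P<extra_data>[^:]+): "
    r"[^:]+: [^:]+: (?P<system_name>\S+): [^:]*:\s+User Name:\s+(?P<user>\S+)"
)
# The sample events have spaces or tabs after "Client Address:", so the IP is
# matched with \s* after the colon, and separately from the header so that an
# event with no client address still decodes instead of failing the decoder.
CLIENT_ADDR_RE = re.compile(r"Client Address:\s*(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})")
KERBEROS_IDS = {"672", "673", "675"}  # the prematch in the thread's decoder


def decode(line):
    """Decode one WinEvtLog Kerberos audit line; None if it is not one."""
    m = HEADER_RE.match(line)
    if not m or m.group("id") not in KERBEROS_IDS:
        return None
    fields = m.groupdict()
    ip = CLIENT_ADDR_RE.search(line)
    fields["srcip"] = ip.group("srcip") if ip else None
    return fields


def correlate(lines, threshold=6):
    """The two alerts asked for in the thread, over AUDIT_FAILURE events only:
    one user failing `threshold` times (OSSEC: <same_user />), and `threshold`
    distinct users failing from one client IP (OSSEC: <same_source_ip />)."""
    per_user = Counter()
    users_per_ip = defaultdict(set)
    for line in lines:
        ev = decode(line)
        if ev is None or ev["status"] != "AUDIT_FAILURE":
            continue
        per_user[ev["user"]] += 1
        if ev["srcip"]:
            users_per_ip[ev["srcip"]].add(ev["user"])
    alerts = [("same_user", u, n) for u, n in sorted(per_user.items()) if n >= threshold]
    alerts += [("same_srcip", ip, len(us)) for ip, us in sorted(users_per_ip.items())
               if len(us) >= threshold]
    return alerts


# The four events posted in the thread, rejoined onto one line each and
# abridged to the fields around "User Name:" and "Client Address:"; the
# irregular spacing of the originals is kept on purpose.
THREAD_SAMPLES = [
    "WinEvtLog: Security: AUDIT_FAILURE(672): Security: SYSTEM: NT AUTHORITY: DC04: "
    "Authentication Ticket Request:      User Name:      tony.hodgson     Supplied Realm Name: "
    "domain.co.uk       Result Code:    0x6     Client Address:  10.250.0.12    Certificate Issuer Name:",
    "WinEvtLog: Security: AUDIT_SUCCESS(672): Security: SYSTEM: NT AUTHORITY: DC04: "
    "Authentication Ticket Request:           User Name: pas.components          Supplied Realm Name: "
    "DOMAIN       Result Code:    -       Client Address:       172.19.83.24    Certificate Issuer Name:",
    "WinEvtLog: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT AUTHORITY: DC04: "
    "Service Ticket Request:          User Name: Geoff.Fisher@DOMAIN    User Domain:    DOMAIN.CO.UK"
    "      Service Name:   LSG-CBP-DC03$    Client Address:         172.19.84.46            Failure Code:   -",
    "WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: DC04: "
    "Pre-authentication failed:       User Name: W-NMAPP-01$      Service Name: krbtgt/DOMAIN.CO.UK"
    "       Pre-Authentication Type: 0x0     Failure Code: 0x19      Client Address: 172.19.93.6",
]


def krb_failure(user, srcip, eid="675", desc="Pre-authentication failed"):
    """Constructed AUDIT_FAILURE event in the shape of the DC04 samples; the
    user names and the 0x18 failure code used below are made up."""
    return (f"WinEvtLog: Security: AUDIT_FAILURE({eid}): Security: SYSTEM: NT AUTHORITY: "
            f"DC04: {desc}:\tUser Name: {user}\tFailure Code:\t0x18\tClient Address:\t{srcip}")


# tony.hodgson failing five more times from his own host (six in all), and five
# made-up users failing from 172.19.93.6, the host W-NMAPP-01$ already failed from.
CONSTRUCTED = [krb_failure("tony.hodgson", "10.250.0.12")] * 5 + [
    krb_failure(u, "172.19.93.6") for u in ("alice", "bob", "carol", "dave", "erin")
]
SAMPLE_LINES = THREAD_SAMPLES + CONSTRUCTED

if __name__ == "__main__":
    for line in THREAD_SAMPLES:
        ev = decode(line)
        print(ev["id"], ev["status"], ev["user"], ev["srcip"])
    for alert in correlate(SAMPLE_LINES):
        print(*alert)
```

Run stand-alone, the script decodes the four thread events with the real user name and client IP in place of SYSTEM, and reports one "same_user" alert for tony.hodgson and one "same_srcip" alert for 172.19.93.6, while the two AUDIT_SUCCESS events count toward neither. Splitting the IP into its own pattern is the design choice worth copying into a real decoder: a single `<regex>` that requires every field fails to decode the entire event when one field is blank.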
