This is a stretch, being that this thread appears to be dead, but any luck with it? I'm attempting to do something very similar. I wish to disregard failed logons of a specific user.
On Thursday, February 2, 2012 10:57:52 AM UTC-5, Jeremy Schultz wrote:
>
> I knew I was missing something simple, overwrite="yes".
> I do vaguely remember reading about this option. Yes, it is here:
> http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7
>
> Dan, your suggestion did not work. It was still preferring the 18152.
> Although I took your suggestion and did the following.
>
> <!-- We will overwrite the default rule and
> -- add a check to make sure it is the same user
> -->
> <rule id="18152" level="10" frequency="8" timeframe="240"
> overwrite="yes">
> <if_matched_group>win_authentication_failed</if_matched_group>
> <same_user />
> <description>Possible Brute force attack against windows logins
> (10 failures within 2 minutes).</description>
> <group>authentication_failures,</group>
> </rule>
>
>
> <!-- This rule is a copy of the original 18152
> -- It will capture any other multiple failed attempts at a lower
> -- alert level
> -->
> <rule id="100300" level="8" frequency="10" timeframe="240">
> <if_matched_group>win_authentication_failed</if_matched_group>
> <description>Multiple Windows Logon Failures.</description>
> <group>authentication_failures,</group>
> </rule>
>
> This will fire 18152 (Possible Brute force) if the user is the same,
> otherwise it will fire the new rule 100300.
>
>
> During my testing I do see that ossec is saying the user is SYSTEM and
> not user1. I see that the decoder assigns dstuser: SYSTEM, which is
> the attribute for Security.
>
> Rule: 18139 (level 5) -> 'Windows DC Logon Failure.'
> User: SYSTEM
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT
> AUTHORITY: SERVER1: Pre-authentication failed: User Name: user1
> User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251}
> Service Name: krbtgt/KEYANO.LOCAL Pre-Authentication Type: 0x0
> Failure Code: 0x19 Client Address: 10.0.0.10
>
> This means rule 100300 will never be fired, because every failed
> attempt looks like it comes from the same user.
>
> Has anyone else encountered this? I will take a look at the decoder
> later today to see what is going on.
>
> I may have to find or create a new log event for a failed logon
> attempt. I have recently created a rule to ignore Pre-Authentication
> fails (Failure Code: 0x18 and 0x19), since we are using windows 2003
> and windows 7.
> -- See:
> http://www.mcbsys.com/techblog/2009/12/windows-7-causes-675-0x19-security-errors-in-windows-2003-domain/
>
> -- See: http://www.ossec.net/wiki/Know_How:Multiple_Failures_WindowsAD
>
>
> On Feb 2, 6:18 am, "dan (ddp)" <ddp...@gmail.com> wrote:
> > On Wed, Feb 1, 2012 at 5:02 PM, alsdks <als...@gmail.com> wrote:
> > > try that 18152 rule again in your local rules with overwrite="yes"
> > > option, to overwrite the original rule and see how it goes.
> >
> > (WARNING: I do not know if this will work! Try it, see if it works. Or
> > not.)
> >
> > Combined with the above, you could try adding your rule 100300 to
> > local_rules, and copy rule 18152 with the overwrite="yes" (and no
> > other changes) below it.
> >
> > This might move the detection order to prefer the 100300 rule over
> > 18152 when the same user is involved. Might not though, I can't test
> > it at the moment.
> >
> > > On Feb 1, 11:20 pm, tao_zhyn <taoz...@gmail.com> wrote:
> > >> I want to be notified if there are 10 failed logon attempts within 2
> > >> minutes from the same user.
> > >
> > >> I know that rule 18152 sends an alert when there are 10 (8) failed
> > >> attempts within 2 minutes.
> > >
> > >> From msauth_rules.xml
> > >
> > >> <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
> > >> <if_matched_group>win_authentication_failed</if_matched_group>
> > >> <description>Multiple Windows Logon Failures.</description>
> > >> <group>authentication_failures,</group>
> > >> </rule>
> > >
> > >> I have tried adding the following to my local_rules.xml
> > >
> > >> <rule id="100300" level="10" frequency="8" timeframe="240">
> > >> <if_matched_group>win_authentication_failed</if_matched_group>
> > >> <same_user />
> > >> <description>Possible Brute force attack against windows logins
> > >> (10 failures within 2 minutes).</description>
> > >> <group>authentication_failures,</group>
> > >> </rule>
> > >
> > >> When I use ossec_logtest the rule 18152 is fired, but never 100300.
> > >
> > >> FYI: I have an ossec_test file with 10 lines of the same bad login
> > >> for testing.
> > >
> > >> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT
> > >> AUTHORITY: SERVER1: Pre-authentication failed: User Name:
> > >> user1 User ID: %
> > >> {S-1-5-21-1296043670-581226567-3024351967-8251} Service Name:
> > >> krbtgt/DOMAIN.LOCAL
> > >> Pre-Authentication Type: 0x0 Failure Code: 0x19 Client
> > >> Address: 10.0.0.10
> > >
> > >> ---
> > >
> > >> I also tried the following in my local_rules.xml in the hope that it
> > >> would override the one previously defined.
> > >
> > >> <rule id="18152" level="10" frequency="8" timeframe="240">
> > >> <if_matched_group>win_authentication_failed</if_matched_group>
> > >> <same_user />
> > >> <description>Multiple Windows Logon Failures. (Same User Test)</description>
> > >> <group>authentication_failures,</group>
> > >> </rule>
> > >
> > >> When I use ossec_logtest the old rule is fired; it does not have "(Same
> > >> User Test)" in the description.
> > >
> > >> --
> > >
> > >> After some playing around I went back to my first try but modified the
> > >> frequency.
> > >
> > >> <rule id="100300" level="10" frequency="5" timeframe="240">
> > >> <if_matched_group>win_authentication_failed</if_matched_group>
> > >> <same_user />
> > >> <description>Possible Brute force attack against windows logins
> > >> (10 failures within 2 minutes).</description>
> > >> <group>authentication_failures,</group>
> > >> </rule>
> > >
> > >> This would trigger the rule. If I increased the frequency to 6 then
> > >> the rule 18152 would be triggered.
> > >
> > >> Any idea what I am doing wrong, or pointers on how to do this
> > >> correctly?
> > >
> > >> Thanks
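The failure mode Jeremy describes above (the decoder reports dstuser SYSTEM for every Event 675 line, so a `<same_user />` rule can never tell accounts apart) is easy to reproduce outside OSSEC. The following is an added example, not OSSEC's code or anything from this thread's posters: a small Python parser for the WinEvtLog line shape quoted in the thread, plus a simplified model of a frequency/timeframe rule (assumption: it fires once `frequency` events fall within `timeframe` seconds and then resets; OSSEC's real counting differs, as the "10 (8)" remark above notes). It correlates a constructed timeline keyed once on the header account field and once on the "User Name:" field from the message text, and adds an `ignore` set to mirror the first poster's goal of disregarding one account. The SID, host names and timestamps are constructed placeholders.

```python
import re
from collections import defaultdict, deque

# Regex for the WinEvtLog line shape quoted in the thread (assumption: a fixed
# colon-separated header, then a free-text message that may itself contain colons).
HEADER_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<type>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<header_user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<computer>[^:]+): (?P<message>.*)$"
)
USER_NAME_RE = re.compile(r"User Name:\s*(\S+)")
CLIENT_RE = re.compile(r"Client Address:\s*(\S+)")


def parse_event(line):
    """Split one WinEvtLog line into its header fields plus the account and
    client address named inside the Event 675 message text. Returns None for
    lines that do not have the expected header."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    um = USER_NAME_RE.search(ev["message"])
    cm = CLIENT_RE.search(ev["message"])
    ev["target_user"] = um.group(1) if um else None
    ev["client"] = cm.group(1) if cm else None
    return ev


def correlate(events, frequency, timeframe, same_field=None, ignore=()):
    """Simplified model of an OSSEC frequency/timeframe rule (assumption: the
    rule fires when `frequency` matching events fall within `timeframe` seconds,
    then its window resets). With `same_field`, events are only counted
    together when that decoded field is equal, like <same_user />. Keys listed
    in `ignore` are dropped before counting. Returns a list of (ts, key)."""
    windows = defaultdict(deque)
    alerts = []
    for ts, ev in events:
        key = ev[same_field] if same_field else "*"
        if key in ignore:
            continue
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > timeframe:   # drop events older than the window
            q.popleft()
        if len(q) >= frequency:
            alerts.append((ts, key))
            q.clear()                        # reset the window after firing
    return alerts


def make_line(user, client="10.0.0.10"):
    """Constructed Event 675 line in the shape quoted in the thread; the SID is
    a placeholder. Note the header account is always SYSTEM, whoever failed."""
    return (
        "WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: "
        f"SERVER1: Pre-authentication failed: User Name: {user} User ID: "
        "%{S-1-5-21-PLACEHOLDER-SID} Service Name: krbtgt/DOMAIN.LOCAL "
        f"Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: {client}"
    )


def build_sample_events():
    """Constructed timeline: ten failures alternating between user1 and user2
    (five each) in the first 100 s, then eight failures for user1 alone."""
    events = [(ts, parse_event(make_line("user1" if i % 2 == 0 else "user2")))
              for i, ts in enumerate(range(0, 100, 10))]
    events += [(ts, parse_event(make_line("user1"))) for ts in range(500, 580, 10)]
    return events


if __name__ == "__main__":
    events = build_sample_events()
    # Keyed on the header account (the dstuser: SYSTEM the thread shows): every
    # event shares one key, so the mixed user1/user2 burst fires as if one user.
    print(correlate(events, 8, 240, "header_user"))
    # Keyed on the "User Name:" account: only user1's real burst fires.
    print(correlate(events, 8, 240, "target_user"))
    # Dropping one account before counting, as the first poster wants.
    print(correlate(events, 8, 240, "target_user", ignore={"user1"}))
```

Running it shows the header-keyed rule alerting twice, on the mixed burst and on user1's burst, while the rule keyed on the message's "User Name:" alerts only for user1; that is the difference between a decoder field that is constant for Event 675 and one that actually identifies the failing account.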