On 07/16/2014 09:55 PM, Lance A. Brown wrote:
I have a request to tune the output of Rule 18152: Multiple Windows
Logon Failures.  They would like:

Ok, let's step through this. Unfortunately, we'll probably end up at a point where I show that it won't work, but the process is important to understand.

First, when attempting to tune a composite rule like this one, it's usually best to refer to the atomic rule that it references. In this case, it references a group, which of course is several rules, so your reference rule would be the group instead.

1. More than 5 failed logins to a single user should be identified so we
can act on it.

OSSEC has a same_user option for this purpose, so the rule might look something like this:

<rule id="100000" level="15" frequency="6" timeframe="240">
  <!-- composite rule: count prior alerts from the win_authentication_failed group -->
  <if_matched_group>win_authentication_failed</if_matched_group>
  <same_user />
  <description>Custom: multiple failed logins from the same user</description>
</rule>

A few things to note here:

1. I used the value of 6 for frequency, which is what MS_FREQ is expanded to in rules/msauth_rules.xml.
2. I increased the level to 15 to ensure that it will match before rule 18152.
3. Frequency of 6 does not mean 6 failed login attempts. It means 8. This is due to a bug (IMHO) or a design decision (http://marc.info/?l=ossec-list&m=129736702512080&w=2), depending on your perspective.

So the English translation here is: If you see 8 failed logins from the same user within 4 minutes, fire the rule.

Now I'm going to tell you why it probably won't work. The Windows decoder probably isn't pulling the user name out properly for the same_user option to work properly, and if it is, then it might be SYSTEM. Windows often logs the user name as SYSTEM in the normal spot where the user name should go with authentication failures. The reason, I have been told, is that since Windows hasn't successfully authenticated the user, that user name is not valid and so it uses SYSTEM instead.

2. More than 10 failed logins to a single device for any user be
identified so we can act on it.

This one is a bit easier. Instead of using <same_user />, use <same_location /> instead. And, of course, pay heed to the frequency note above.

3. All other instances of Windows Logon Failures should be set to lower
alert level

When you define specific rules that are meant to match on something and they don't, OSSEC will continue processing rules until it finds one that matches, or not. So write your rules most to least specific, and from highest severity to lowest (except for level 0, which is processed first), and then the last rule will match.

Hope this helps. Let me know if you have questions.
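The three requests put together as one local_rules.xml fragment (an added example, not code from the original message; the rule ids in the 100000 range, the level values, and the frequency counts, which follow the off-by-two note above, are assumptions to verify against the installed OSSEC version):

```xml
<group name="local,windows,">

  <!-- Request 1: repeated failures for one user name. Level 15 so it is
       evaluated before rule 18152 (level 10); same_user groups the counted
       alerts by user. -->
  <rule id="100000" level="15" frequency="6" timeframe="240">
    <if_matched_group>win_authentication_failed</if_matched_group>
    <same_user />
    <description>Custom: multiple failed logins from the same user</description>
  </rule>

  <!-- Request 2: repeated failures against one host regardless of user.
       same_location groups by the reporting host. By the counting note in
       the reply (frequency N fires after roughly N+2 events), 9 is the
       assumed value for "more than 10" failures. -->
  <rule id="100001" level="14" frequency="9" timeframe="240">
    <if_matched_group>win_authentication_failed</if_matched_group>
    <same_location />
    <description>Custom: multiple failed logins against the same host</description>
  </rule>

  <!-- Request 3: whatever the two rules above did not catch still reaches
       18152, which is redefined here at a lower level. overwrite="yes"
       replaces the stock definition, so the matching body is restated. -->
  <rule id="18152" level="5" frequency="6" timeframe="240" overwrite="yes">
    <if_matched_group>win_authentication_failed</if_matched_group>
    <description>Multiple Windows Logon Failures (lowered locally).</description>
  </rule>

</group>
```

Because OSSEC evaluates rules from the highest level down (level 0 first), the two custom rules are tried before the lowered 18152 without any further ordering in the file.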
