Okay, I finally figured out problem 1.  Seems OSSEC only reports on level 5 
or higher; that was fixed.  Still stuck on issue 2 as to the conflicting 
filtering rules.  




On Thursday, July 20, 2017 at 1:53:04 PM UTC-5, Bob Boklewski wrote:

> I have two issues.
>
> 1.  I cannot get rule 18107 in the msauth_rules.xml file to generate an 
> alert, unless I put it as a local rule.  This prebuilt rule should work.
> 2.  I am trying to monitor successful logins and when testing the rule 
> using the log below I can get it to produce an alert while in testing, but 
> it sometimes filters using rule 18107 or sometimes rule 18119.  It is 
> random which rule shows up when testing.  Neither ALERT shows up in 
> SQUIL, unless I build the local rule, then it works.  
>
> I listed the two tests that show the different matched rules and the rules 
> in place, which are the predefined rules that come with ossec. 
>
>
> WinEvtLog: Security: AUDIT_SUCCESS(4624): 
> Microsoft-Windows-Security-Auditing: SYSTEM: NT AUTHORITY: BB-Desktop: An 
> account was successfully logged on. Subject:  Security ID:  S-1-5-18  
> Account Name:  BB-DESKTOP$  Account Domain:  AVENTIS  Logon ID:  0x3e7  
> Logon Type:   5  New Logon:  Security ID:  S-1-5-18  Account Name:  SYSTEM  
> Account Domain:  NT AUTHORITY  Logon ID:  0x3e7  Logon GUID:  
> {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  
> 0x38c  Process Name:  C:\Windows\System32\services.exe  Network 
> Information:  Workstation Name: -  Source Network Address: -  Source Port:  
> -  Detailed Authentication Information:  Logon Process:  Advapi    
> Authentication Package: Negotiate  Transited Services: -  Package Name 
> (NTLM only): -  Key Length:  0  This event is generated when a logon 
> session is created. It is generated on the computer that was accessed.
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '4624'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: 'SYSTEM'
>        system_name: 'BB-Desktop'
> **Phase 3: Completed filtering (rules).
>        Rule id: '18107'
>        Level: '3'
>        Description: 'Windows Logon Success.'
> **Alert to be generated.
>
> *OR*
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '4624'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: 'SYSTEM'
>        system_name: 'BB-Desktop'
> **Phase 3: Completed filtering (rules).
>        Rule id: '18119'
>        Level: '3'
>        Description: 'First time this user logged in this system.'
> **Alert to be generated.
>
> *Rules*
>  <rule id="18107" level="3">
>     <if_sid>18104</if_sid>
>     <id>^528$|^540$|^673$|^4624$|^4769$</id>
>     <description>Windows Logon Success.</description>
>     <group>authentication_success,</group>
>   </rule>
>
>  <rule id="18119" level="3">
>     <if_sid>18107</if_sid>
>     <options>alert_by_email</options>
>     <if_fts />
>     <description>First time this user logged in this system.</description>
>     <group>authentication_success,</group>
>   </rule>
>
>
>
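Added illustration (not code from this thread and not OSSEC's own implementation): a small Python model of how the two quoted rules chain. 18119 hangs under 18107 via `if_sid` and adds `if_fts`, so it can only fire for a decoder/user/host combination that has not been seen before; fed the same 4624 line twice, the model reports 18119 on the first pass and 18107 on every later one, which is the behaviour the rule text describes. It also models the `<log_alert_level>` threshold so that a level-3 match is visibly dropped at 5 and kept at 3. The `windows` decoder regex, the parent rule 18104 (only referenced, not shown, on the page) and the three-field FTS key are simplifying assumptions made here; the real decoder and FTS key live in OSSEC's decoder XML and analysisd.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the Security 4624 event quoted in the thread,
# in the single-line form the Windows agent forwards to the OSSEC server.
SAMPLE_LOG = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: SYSTEM: NT AUTHORITY: BB-Desktop: "
    "An account was successfully logged on. Subject: Security ID: S-1-5-18 "
    "Account Name: BB-DESKTOP$ Logon Type: 5 New Logon: Account Name: SYSTEM"
)

# Assumed header layout of a WinEvtLog line as the 'windows' decoder sees it
# (hypothetical regex; the real decoder is written in OSSEC's decoder XML).
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): "
)


def decode(line: str) -> Optional[dict]:
    """Phase 2: extract the fields ossec-logtest printed (status, id, dstuser, ...)."""
    m = WINEVT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["decoder"] = "windows"
    return fields


@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_sid: Optional[int] = None     # parent rule this one refines (<if_sid>)
    status: Optional[str] = None     # <status> match
    id_regex: Optional[str] = None   # <id> regex
    if_fts: bool = False             # <if_fts/> first-time-seen


# 18107 and 18119 are copied from the thread; 18104 is an assumed parent that
# simply matches AUDIT_SUCCESS events (its real definition is not on the page).
RULES = [
    Rule(18104, 0, "Windows audit success event (assumed parent).", status="AUDIT_SUCCESS"),
    Rule(18107, 3, "Windows Logon Success.", if_sid=18104,
         id_regex=r"^528$|^540$|^673$|^4624$|^4769$"),
    Rule(18119, 3, "First time this user logged in this system.",
         if_sid=18107, if_fts=True),
]


class RuleEngine:
    def __init__(self, rules, log_alert_level=5):
        self.children = {}
        for r in rules:                      # index rules by their parent id
            self.children.setdefault(r.if_sid, []).append(r)
        self.fts_seen = set()                # stands in for OSSEC's persistent FTS queue
        self.log_alert_level = log_alert_level

    def _matches(self, rule, f):
        if rule.status and f["status"] != rule.status:
            return False
        if rule.id_regex and not re.search(rule.id_regex, f["id"]):
            return False
        if rule.if_fts:
            key = (f["decoder"], f["dstuser"], f["system_name"])  # simplified FTS key (assumed)
            if key in self.fts_seen:
                return False                 # already seen: if_fts does not match again
            self.fts_seen.add(key)
        return True

    def _walk(self, rule, f):
        if not self._matches(rule, f):
            return None
        for child in self.children.get(rule.id, []):
            deeper = self._walk(child, f)
            if deeper:
                return deeper                # the most specific matching child wins
        return rule

    def evaluate(self, line):
        """Phase 3: return the rule that would be reported, or None."""
        f = decode(line)
        if f is None:
            return None
        for root in self.children.get(None, []):
            hit = self._walk(root, f)
            if hit:
                return hit
        return None

    def written_to_alerts(self, rule):
        """Only rules at or above <log_alert_level> reach alerts.log (and downstream tools)."""
        return rule is not None and rule.level >= self.log_alert_level


def run_twice(log_alert_level=5):
    """Feed the same event through a fresh engine twice; return (rule ids, logged flags)."""
    eng = RuleEngine(RULES, log_alert_level)
    first = eng.evaluate(SAMPLE_LOG)
    second = eng.evaluate(SAMPLE_LOG)
    return ([first.id, second.id],
            [eng.written_to_alerts(first), eng.written_to_alerts(second)])


if __name__ == "__main__":
    print(run_twice(5))  # ([18119, 18107], [False, False])
    print(run_twice(3))  # ([18119, 18107], [True, True])
```

The detection point the model makes concrete: an `if_fts` rule keyed on user and host fires once per pair and then steps aside for its parent, so a monitor for successful logons should watch 18107 (or a local child of it) rather than 18119, and the rule's level must clear `log_alert_level` before anything downstream can display it.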
