Hello, 

I enabled the logall option and got a few logs related to ms_firewall_rules.xml. 
Below is a sample: 
2019 Jan 08 18:31:55 WinEvtLog: Security: AUDIT_SUCCESS(4956): 
Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-CHUBILMO5N2: 
Windows Firewall has changed the active profile. New Active Profile: Private

When I run this through ossec-logtest I get the following result:

**Phase 1: Completed pre-decoding.
       full event: '2019 Jan 08 18:31:55 WinEvtLog: Security: 
AUDIT_SUCCESS(4956): Microsoft-Windows-Security-Auditing: (no user): no 
domain: WIN-CHUBILMO5N2: Windows Firewall has changed the active profile. 
New Active Profile: Private'
       hostname: 'ubuntu'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_SUCCESS(4956): 
Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-CHUBILMO5N2: 
Windows Firewall has changed the active profile. New Active Profile: 
Private'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_SUCCESS'
       id: '4956'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'WIN-CHUBILMO5N2'

**Rule debugging:
    Trying rule: 6 - Generic template for all windows rules.
       *Rule 6 matched.
       *Trying child rules.
    Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
    Trying rule: 18100 - Group of windows rules.
       *Rule 18100 matched.
       *Trying child rules.
    Trying rule: 18101 - Windows informational event.
    Trying rule: 18102 - Windows warning event.
    Trying rule: 18104 - Windows audit success event.
       *Rule 18104 matched.
       *Trying child rules.
    Trying rule: 18116 - User account locked out (multiple login errors).
    Trying rule: 18118 - Windows audit log was cleared.
    Trying rule: 18110 - User account enabled or created.
    Trying rule: 18111 - User account changed.
    Trying rule: 18112 - User account disabled or deleted.
    Trying rule: 18113 - Windows Audit Policy changed.
    Trying rule: 18115 - General account database changed.
    Trying rule: 18117 - Windows is shutting down.
    Trying rule: 18114 - Group Account Changed
    Trying rule: 18127 - Computer account added/changed/deleted.
    Trying rule: 18140 - System time changed.
    Trying rule: 18142 - User account unlocked.
    Trying rule: 18200 - Group Account Created
    Trying rule: 18201 - Group Account Deleted
    Trying rule: 18107 - Windows Logon Success.
    Trying rule: 18109 - Session reconnected/disconnected to winstation.
    Trying rule: 18148 - Windows is starting up.
    Trying rule: 18149 - Windows User Logoff.
    Trying rule: 18181 - MS SQL Server Logon Success.

**Phase 3: Completed filtering (rules).
       Rule id: '18104'
       Level: '0'
       Description: 'Windows audit success event.'

Isn't it supposed to run through the ms_firewall_rules.xml file and give 
the output using 
  <rule id="53652" level="8">
    <if_sid>18104</if_sid>
    <id>^4956$</id>
    <description>Windows Firewall changed the active profile</description>
    <group>windows_firewall</group>
  </rule>

Any idea on how to fix this? The rule hits when I copy it to the msauth_rules.xml 
file. Any help would be appreciated. 

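An added example, not part of the original post and not OSSEC's own code: a small Python approximation of how ossec-analysisd attaches an `<if_sid>` child to a parent that has already been loaded, and how it then walks the rule tree for the decoded event shown in the post. OSSEC reads rule files in the order of the `<include>` entries under `<rules>` in ossec.conf, and a child rule can only be attached to a parent that is already known at that point, so the script takes an ordered list of files, reports every `<if_sid>` that points at a rule id not yet loaded, and then matches the post's decoded fields (status `AUDIT_SUCCESS`, id `4956`) against whatever tree survived. The two rule files are constructed stand-ins that only contain the rules relevant here (the real msauth_rules.xml has many more), and `<status>`, `<id>` and `<category>` are evaluated with Python's `re` rather than OSSEC's own regex dialect; both are assumptions of this example, not details taken from the page.

```python
"""Hypothetical rule-order lint and matcher for OSSEC-style rule files.
Added example, not OSSEC's code: it approximates how analysisd attaches
<if_sid> children to already-loaded parents and then walks the tree."""
import re
import xml.etree.ElementTree as ET

# Constructed stand-ins for the relevant rules (not the full stock files).
MSAUTH_RULES = """
<group name="windows,">
  <rule id="18100" level="0">
    <category>windows</category>
    <description>Group of windows rules.</description>
  </rule>
  <rule id="18104" level="0">
    <if_sid>18100</if_sid>
    <status>^AUDIT_SUCCESS</status>
    <description>Windows audit success event.</description>
  </rule>
</group>
"""

MS_FIREWALL_RULES = """
<group name="windows,">
  <rule id="53652" level="8">
    <if_sid>18104</if_sid>
    <id>^4956$</id>
    <description>Windows Firewall changed the active profile</description>
    <group>windows_firewall</group>
  </rule>
</group>
"""

# The post's event as the 'windows' decoder leaves it (Phase 2 fields).
DECODED_EVENT = {"category": "windows", "status": "AUDIT_SUCCESS",
                 "id": "4956", "system_name": "WIN-CHUBILMO5N2"}

FIELDS = ("category", "status", "id")  # decoded fields this toy matcher knows


def load_rules(files):
    """files: ordered list of (filename, xml_text), in the order the <rules>
    includes in ossec.conf list them.  Returns (rules, dangling) where
    dangling holds (child_id, parent_id, filename) for every <if_sid> whose
    parent was not defined earlier in the load order; such a child cannot be
    attached to the tree and is dropped, so it never fires."""
    rules, known, dangling = [], set(), []
    for fname, text in files:
        # a rule file may hold several top-level <group> elements
        root = ET.fromstring("<root>" + text + "</root>")
        for r in root.iter("rule"):
            rid = r.get("id")
            rule = {"id": rid, "level": int(r.get("level", "0")),
                    "description": r.findtext("description", ""),
                    "if_sid": None, "match": {}}
            parent = r.findtext("if_sid")  # only a single sid is handled here
            if parent is not None:
                parent = parent.strip()
                if parent not in known:
                    dangling.append((rid, parent, fname))
                    continue  # parent unknown at this point: rule not attached
                rule["if_sid"] = parent
            for f in FIELDS:
                pat = r.findtext(f)
                if pat is not None:
                    rule["match"][f] = pat.strip()  # treated as a Python regex
            rules.append(rule)
            known.add(rid)
    return rules, dangling


def _fields_match(rule, event):
    return all(re.search(pat, event.get(f, "")) for f, pat in rule["match"].items())


def match_event(rules, event):
    """Depth-first walk as in the logtest output: try siblings in load order,
    stop at the first match and descend into its children; the deepest match
    is the one reported.  Returns (rule_id, level, description) or None."""
    def descend(parent_id):
        for rule in rules:
            if rule["if_sid"] == parent_id and _fields_match(rule, event):
                deeper = descend(rule["id"])
                return deeper or (rule["id"], rule["level"], rule["description"])
        return None
    return descend(None)


def check_order(order):
    """Load the files in the given order and match the post's event."""
    rules, dangling = load_rules(order)
    return dangling, match_event(rules, DECODED_EVENT)


if __name__ == "__main__":
    fw, auth = ("ms_firewall_rules.xml", MS_FIREWALL_RULES), ("msauth_rules.xml", MSAUTH_RULES)
    for order in ((fw, auth), (auth, fw)):
        dangling, hit = check_order(order)
        print("load order:", [f for f, _ in order])
        for child, parent, fname in dangling:
            print(f"  rule {child} in {fname}: if_sid {parent} not loaded yet, rule dropped")
        print("  match:", hit)
```

With the firewall file loaded before msauth_rules.xml the child is reported as dangling and the event stops at 18104, level 0, which is what the logtest output above shows; with msauth_rules.xml loaded first the event reaches 53652 at level 8. The same check applies to any custom file: make sure every `<if_sid>` it references is included earlier in the `<rules>` list than the file that uses it, and look in ossec.log after a restart for complaints about rules that could not be loaded.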