On Fri, Dec 20, 2019 at 12:15 PM Bruce Westbrook <bwestbr...@gmail.com> wrote:
>
> I'm having an issue getting a composite rule to trigger. What's really
> throwing me is that it works just fine when testing with ossec-logtest, but
> it doesn't work live.
>
> Here are the two rules in question:
>
> <rule id="100554" level="6">
>   <if_sid>18101</if_sid>
>   <id>^131$</id>
>   <description>Server accepted initial RDP session request</description>
>   <group>sysadmin,</group>
> </rule>
>
> <rule id="100560" level="15" frequency="3" timeframe="180">
>   <if_matched_sid>100554</if_matched_sid>
>   <description>ALERT: Potential RDP brute force attack</description>
>   <group>sysadmin,recon,attacks,</group>
> </rule>
>
This seems like a silly idea, but it's the only one I have at the moment:

<rule id="100554" level="6">
  <if_sid>18101</if_sid>
  <id>^131$</id>
  <description>Server accepted initial RDP session request</description>
  <group>sysadmin,</group>
</rule>

<rule id="100560" level="15" frequency="3" timeframe="180">
  <if_matched_sid>18101</if_matched_sid>
  <id>^131$</id>
  <description>ALERT: Potential RDP brute force attack</description>
  <group>sysadmin,recon,attacks,</group>
</rule>

I'll try to look into it more when I find some time.

> ...and here is a sample log entry:
>
> 2019 Dec 20 11:28:59 WinEvtLog: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational: INFORMATION(131): Microsoft-Windows-RemoteDesktopServices-RdpCoreTS: NETWORK SERVICE: NT AUTHORITY: server.domain: The server accepted a new TCP connection from client 10.104.248.199:57714.
>
> Using ossec-logtest I can enter this log entry and on the fifth time it fires
> off rule #100560 just as expected. But when I make those same five logon
> attempts to a live server, it only ever fires rule #100554. I've tried this
> up to 20 times in under 2 minutes, well within the rule timeframe, and it
> still never fires the composite rule alert, only 100554.
>
> I have quite a few other composite rules that I've written over the past few
> years and don't have this issue. I just don't see what the problem is with
> this one or why ossec-logtest shows it working but it never actually works in
> a live situation.
>
> I'm running OSSEC HIDS v2.9.3 on Linux, with the agents on Windows 2012+
> servers.
>
> Any thoughts?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/db6d29a9-ec7d-4577-9ce6-d7ed445d8862%40googlegroups.com.
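An added example, written for this thread and not code from the list post or from the OSSEC project: a small Python simulation of how a composite rule with frequency="3" and timeframe="180" counts matches, run over constructed WinEvtLog lines shaped like the sample entry above. It shows why ossec-logtest fires 100560 on the fifth entry (the OSSEC rules documentation states that the count that triggers a frequency rule is two more than the frequency value) and gives a reference alert sequence to compare against what alerts.log shows for a live stream. The regex that pulls the event ID and client IP out of the line is my own hypothetical decoder, not OSSEC's; grouping matches per source IP and clearing the counter once the composite rule fires are assumptions made here, not documented OSSEC behaviour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical decoder (assumption, not OSSEC's): pull timestamp, event ID and
# client IP out of a WinEvtLog line of the shape shown in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: .*?"
    r"INFORMATION\((?P<id>\d+)\):.*?client (?P<srcip>\d+\.\d+\.\d+\.\d+):\d+"
)

BASE_RULE_ID = 100554       # rule from the thread: fires on every event ID 131
COMPOSITE_RULE_ID = 100560  # rule from the thread: frequency="3" timeframe="180"
FREQUENCY = 3
TIMEFRAME = timedelta(seconds=180)
# OSSEC documents that a frequency rule fires on match number frequency + 2.
THRESHOLD = FREQUENCY + 2


def parse(line):
    """Return {'ts', 'id', 'srcip'} for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S"),
        "id": m.group("id"),
        "srcip": m.group("srcip"),
    }


def evaluate(lines, same_source_ip=True):
    """Return the rule ID fired for each input line (None when nothing matches).

    Prior base-rule matches are kept per source IP (assumption) in a sliding
    window of TIMEFRAME seconds; the composite rule fires when the window
    holds THRESHOLD matches, after which the window is cleared (assumption).
    """
    history = defaultdict(deque)
    fired = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["id"] != "131":
            fired.append(None)
            continue
        key = ev["srcip"] if same_source_ip else "any"
        window = history[key]
        window.append(ev["ts"])
        # Expire matches that fall outside the timeframe
        while window and ev["ts"] - window[0] > TIMEFRAME:
            window.popleft()
        if len(window) >= THRESHOLD:
            fired.append(COMPOSITE_RULE_ID)
            window.clear()
        else:
            fired.append(BASE_RULE_ID)
    return fired


def sample_line(ts, srcip, port):
    """Constructed log line in the shape of the thread's sample entry."""
    return (
        f"{ts} WinEvtLog: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational: "
        f"INFORMATION(131): Microsoft-Windows-RemoteDesktopServices-RdpCoreTS: "
        f"NETWORK SERVICE: NT AUTHORITY: server.domain: The server accepted a new "
        f"TCP connection from client {srcip}:{port}."
    )


# Constructed input: five connections 10 s apart from one client, then one from
# another client, then a late one from the first client.
BURST = [sample_line(f"2019 Dec 20 11:28:{10 * i:02d}", "10.104.248.199", 57714 + i)
         for i in range(5)]
BURST.append(sample_line("2019 Dec 20 11:28:55", "10.0.0.5", 40000))
BURST.append(sample_line("2019 Dec 20 11:40:00", "10.104.248.199", 57800))

# Constructed input: four connections 100 s apart; never THRESHOLD within 180 s.
SPREAD = [sample_line(f"2019 Dec 20 12:{(100 * i) // 60:02d}:{(100 * i) % 60:02d}",
                      "10.104.248.199", 58000 + i) for i in range(4)]

if __name__ == "__main__":
    for line, rule in zip(BURST, evaluate(BURST)):
        print(rule, line[:20])
```

Running the block prints 100554 four times, then 100560 on the fifth line, matching what the post reports from ossec-logtest; the same function run over a capture of the live events gives the alert sequence the server should have produced, so any divergence from alerts.log points at the ingestion path rather than the rule arithmetic.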