Hi Angel!

First of all, my apologies for the late response.

*"I'm wondering if rule with ID 17101(policy_rules) could also be triggered for events derived from windows agents."*

Yes. To give you some context: the standard rules are located in
/var/ossec/rules. If you want to modify them, you must make the custom
changes in /var/ossec/rules/local_rules.xml. Secondly, the policy rules are
disabled by default in /var/ossec/etc/ossec.conf, and therefore you should
enable them (if not, you don't have to overwrite the rule; you can only
create a new rule in local_rules.xml with any id). So, the steps would be:

   1. Uncomment the line <!-- <include>policy_rules.xml</include> --> in
   /var/ossec/etc/ossec.conf and save the changes.
   2. Copy the rule you want to modify from the rule file
   (/var/ossec/rules/policy_rules.xml).
   3. Paste it in /var/ossec/rules/local_rules.xml like this (I changed
   the description only for demonstration purposes):

   <group name="policy_violation,windows,">
     <rule id="17101" level="9" overwrite="yes">
       <if_group>authentication_success</if_group>
       <time>7 pm - 7:00 am</time>
       <description>Description in order to verify the rule</description>
       <group>login_time,</group>
     </rule>
   </group>

   4. Restart OSSEC (/var/ossec/bin/ossec-control restart):

   Starting OSSEC HIDS v3.6.0...
   Started ossec-execd...
   Started ossec-analysisd...
   Started ossec-logcollector...
   Started ossec-remoted...
   Started ossec-syscheckd...
   Started ossec-monitord...
   Completed.

   5. Finally, I tested the rule with your example log and this is what I get:

   **Phase 3: Completed filtering (rules).
          Rule id: '17101'
          Level: '9'
          Description: 'Description in order to verify the rule'
   **Alert to be generated.

Plus: OSSEC reads the logs in /var/log/messages, so you can write your
example log into that file (with the machine time) and check the file
where OSSEC logs the alerts (/var/ossec/logs/alerts/alerts.log) in order
to verify that the rule is working well.
   
   1. Write your example log into the messages file:

   echo "2021 Nov 15 22:53:50 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN: Win2016-1.AD.*****.domain: An account was successfully logged on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  New Logon:  Security ID:  S-1-5-18  Account Name:  WIN2016-1$  Account Domain:  AD.*****.DOMAIN  Logon ID:  0x7effdf27325  Logon GUID:  {BB6F5B99-2E84-D711-F3ED-2D759EA2B180}  Process Information:  Process ID:  0x0  Process Name:  -  Network Information:  Workstation Name: -  Source Network Address: ::1  Source Port:  87***  Detailed Authentication Information:  Logon Process:  Kerberos  Authentication Package: Kerberos  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed." >> /var/log/messages
   2. Check the alerts file:

   # tail /var/ossec/logs/alerts/alerts.log
   ** Alert 1637027681.747: mail  - policy_violation,windows,login_time,
   2021 Nov 16 01:54:41 centos-manager2->/var/log/messages
   Rule: 17101 (level 9) -> 'Description in order to verify the rule'
   Src IP: ::1
   User: -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  New Logon:  Security ID:  S-1-5-18  Account Name:  WIN2016-1$
   2021 Nov 15 22:53:50 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN: Win2016-1.AD.*****.domain: An account was successfully logged on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  New Logon:  Security ID:  S-1-5-18  Account Name:  WIN2016-1$  Account Domain:  AD.*****.DOMAIN  Logon ID:  0x7effdf27325  Logon GUID:  {BB6F5B99-2E84-D711-F3ED-2D759EA2B180}  Process Information:  Process ID:  0x0  Process Name:  -  Network Information:  Workstation Name: -  Source Network Address: ::1  Source Port:  87***  Detailed Authentication Information:  Logon Process:  Kerberos  Authentication Package: Kerberos  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed.

   ** Alert 1637027686.1978: mail  - ossec,rootcheck,
   2021 Nov 16 01:54:46 centos-manager2->rootcheck
   Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
   File '/etc/rc.d/init.d/ossec' is owned by root and has write permissions to anyone.

Please let me know if this helps.

Regards,

Mauro Malara.


On Friday, October 22, 2021 at 7:46:01 AM UTC-3 Angelos Alevizopoulos wrote:

> Hi ossec community,
>
> I'm wondering if rule with ID 17101(policy_rules) could also be triggered for 
> events derived from windows agents. I'm testing the following log with 
> ossec-logtest but only the rule with ID 18107(ms_auth_rules) gets 
> triggered:
>
> 2021 Oct 22 02:41:37 WinEvtLog: Security: AUDIT_SUCCESS(4624): 
> Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.*****.DOMAIN: 
> Win2016-1.AD.*****.domain: An account was successfully logged on. 
> Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  
> Logon ID:  0x0  Logon Type:   3  New Logon:  Security ID:  S-1-5-18  
> Account Name:  WIN2016-1$  Account Domain:  AD.*****.DOMAIN  Logon ID:  
> 0x7effdf27325  Logon GUID:  {BB6F5B99-2E84-D711-F3ED-2D759EA2B180}  Process 
> Information:  Process ID:  0x0  Process Name:  -  Network Information:  
> Workstation Name: -  Source Network Address: ::1  Source Port:  87***  
> Detailed Authentication Information:  Logon Process:  Kerberos  
> Authentication Package: Kerberos  Transited Services: -  Package Name (NTLM 
> only): -  Key Length:  0  This event is generated when a logon session is 
> created. It is generated on the computer that was accessed.
>
> *ossec-logtest*:
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18107'
>        Level: '3'
>        Description: 'Windows Logon Success.'
> **Alert to be generated.
>
> I've tried to add a local rule adapted to the windows group, like the one 
> below, but with no results: 
>
> <group name="local,windows,">
>
>   <rule id="100020" level="9">
>     <if_group>authentication_success</if_group>
>     <time>7 pm - 7:00 am</time>
>     <description>Successful login during non-business hours</description>
>     <group>login_time,</group>
>     <options>no_ar</options>
>   </rule>
>
> </group>
>
> I would be grateful for any help
> Angel
>
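The two things Mauro's test exercises are the <time> window of rule 17101 ("7 pm - 7:00 am", which wraps across midnight) and the alerts.log entry that proves the overwritten rule fired. Below is an added example, written for this thread and not taken from OSSEC or from either poster, that re-implements the window check in Python for a forwarded Windows 4624 event and parses an alerts.log excerpt into records that can be checked automatically. The window semantics (start inclusive, end exclusive, wrap when the end is earlier than the start) are an assumption made for the illustration, not OSSEC's analysisd code; the 4624 substring stands in for the authentication_success group the real rule matches on; the sample event and alerts are constructed from the ones shown in the reply, with placeholder domain names.

```python
"""
Added illustration (not OSSEC's code, not from the thread): the <time>
window check behind rule 17101 applied to a Windows 4624 event, plus a
parser for the alerts.log layout shown in the reply.  Window boundary
semantics and the 4624-for-authentication_success substitution are
assumptions made for this example.
"""
import re
from datetime import datetime, time

# OSSEC prefixes forwarded Windows events with "2021 Nov 15 22:53:50 WinEvtLog:".
LOG_TS_FORMAT = "%Y %b %d %H:%M:%S"
WINEVT_TS = re.compile(r"^(\d{4} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog:")

# alerts.log layout from the thread: "** Alert <epoch>.<n>: <flags> - <groups>,"
# followed by "Rule: <id> (level <n>) -> '<description>'" and an optional "Src IP:".
ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.\d+: (\S+)\s+- (.*)$")
ALERT_RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def parse_clock(text):
    """Parse '7 pm', '7:00 am', '19:00' or '7' into a datetime.time."""
    m = re.fullmatch(r"\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable clock value {text!r}")
    hour, minute = int(m.group(1)), int(m.group(2) or 0)
    meridiem = (m.group(3) or "").lower()
    if meridiem == "pm" and hour < 12:
        hour += 12
    elif meridiem == "am" and hour == 12:
        hour = 0
    return time(hour, minute)


def parse_time_window(spec):
    """Split an OSSEC <time> value such as '7 pm - 7:00 am' into (start, end)."""
    start_s, end_s = spec.split("-", 1)
    return parse_clock(start_s), parse_clock(end_s)


def in_window(t, start, end):
    """True when t lies in [start, end); an end earlier than the start (the
    non-business-hours case) means the window wraps across midnight.  Assumed semantics."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def event_time(log_line):
    """Extract the timestamp OSSEC put in front of the forwarded Windows event."""
    m = WINEVT_TS.match(log_line)
    if not m:
        raise ValueError("not a WinEvtLog line")
    return datetime.strptime(m.group(1), LOG_TS_FORMAT)


def rule_17101_would_fire(log_line, window="7 pm - 7:00 am"):
    """Approximation of rule 17101: a successful logon (4624 standing in for the
    authentication_success group) whose timestamp falls inside the window."""
    if "AUDIT_SUCCESS(4624)" not in log_line:
        return False
    start, end = parse_time_window(window)
    return in_window(event_time(log_line).time(), start, end)


def parse_alerts(text):
    """Turn an alerts.log excerpt into one dict per alert (rule, level, groups, src_ip)."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = ALERT_HEADER.match(line)
        if header:
            current = {
                "epoch": int(header.group(1)),
                "flags": header.group(2),
                "groups": [g for g in header.group(3).split(",") if g],
                "rule": None, "level": None, "description": None, "src_ip": None,
            }
            alerts.append(current)
            continue
        if current is None:
            continue
        rule = ALERT_RULE.match(line)
        if rule:
            current["rule"], current["level"] = int(rule.group(1)), int(rule.group(2))
            current["description"] = rule.group(3)
        elif line.startswith("Src IP: "):
            current["src_ip"] = line[len("Src IP: "):]
    return alerts


# Constructed sample event modelled on the one in the thread; domain names are placeholders.
SAMPLE_LOG = (
    "2021 Nov 15 22:53:50 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: WIN2016-1$: AD.EXAMPLE.LOCAL: "
    "win2016-1.ad.example.local: An account was successfully logged on.  "
    "Logon Type:   3  Source Network Address: ::1"
)

# Constructed alerts.log excerpt in the layout shown in the reply.
SAMPLE_ALERTS = f"""\
** Alert 1637027681.747: mail  - policy_violation,windows,login_time,
2021 Nov 16 01:54:41 centos-manager2->/var/log/messages
Rule: 17101 (level 9) -> 'Description in order to verify the rule'
Src IP: ::1
{SAMPLE_LOG}

** Alert 1637027686.1978: mail  - ossec,rootcheck,
2021 Nov 16 01:54:46 centos-manager2->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
"""

if __name__ == "__main__":
    print("event inside 7 pm - 7:00 am window:", rule_17101_would_fire(SAMPLE_LOG))
    for alert in parse_alerts(SAMPLE_ALERTS):
        print(alert["rule"], alert["level"], alert["groups"], alert["src_ip"])
```

Running it shows why the 22:53:50 event matches: the window's end (07:00) is earlier than its start (19:00), so the check wraps past midnight, and a daytime timestamp such as 14:10 falls outside it. The same parse_alerts function can be pointed at a real alerts.log tail to confirm that the alert carries rule 17101 and the policy_violation,windows,login_time groups rather than only the 18107 "Windows Logon Success" rule Angel saw.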
