[ossec-list] Re: Strange rule issue
Okay, I finally figured out problem 1. Seems OSSEC only reports on level 5 or higher, that was fixed. Still stuck on issue 2 as to the conflicting filtering rules.

On Thursday, July 20, 2017 at 1:53:04 PM UTC-5, Bob Boklewski wrote:
> I have two issues.
>
> 1. I cannot get rule 18107 in the msauth_rules.xml file to generate an alert, unless I put it as a local rule. This prebuilt rule should work.
> 2. I am trying to monitor successful logins and when testing the rule using the log below I can get it to produce an alert while in testing, but it sometimes filters using rule 18107 or sometimes rule 18119. It is random which rule shows up when testing. Neither ALERT shows up in SGUIL, unless I build the local rule, then it works.
>
> I listed the two tests that show the different matched rules and the rules in place, which are the predefined rules that come with ossec.
>
> WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: SYSTEM: NT AUTHORITY: BB-Desktop: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: BB-DESKTOP$ Account Domain: AVENTIS Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {----} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '4624'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: 'SYSTEM'
>        system_name: 'BB-Desktop'
>
> **Phase 3: Completed filtering (rules).
>        *Rule id: '18107'*
>        Level: '3'
>        Description: 'Windows Logon Success.'
> **Alert to be generated.
>
> *OR*
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '4624'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: 'SYSTEM'
>        system_name: 'BB-Desktop'
>
> **Phase 3: Completed filtering (rules).
>        *Rule id: '18119'*
>        Level: '3'
>        Description: 'First time this user logged in this system.'
> **Alert to be generated.
>
> *Rules*
>
> 18104
> ^528$|^540$|^673$|^4624$|^4769$
> Windows Logon Success.
> authentication_success,
>
> 18107
> alert_by_email
>
> First time this user logged in this system.
> authentication_success,

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: Strange rule issue
Okay, I finally figured out problem 1. Seems SGUIL only reports on level 5 or higher, that was fixed. Still stuck on issue 2 as to the conflicting filtering rules.

On Thursday, July 20, 2017 at 1:53:04 PM UTC-5, Bob Boklewski wrote:
> I have two issues.
>
> 1. I cannot get rule 18107 in the msauth_rules.xml file to generate an alert, unless I put it as a local rule. This prebuilt rule should work.
> 2. I am trying to monitor successful logins and when testing the rule using the log below I can get it to produce an alert while in testing, but it sometimes filters using rule 18107 or sometimes rule 18119. It is random which rule shows up when testing. Neither ALERT shows up in SGUIL, unless I build the local rule, then it works.
>
> I listed the two tests that show the different matched rules and the rules in place, which are the predefined rules that come with ossec.
>
> WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: SYSTEM: NT AUTHORITY: BB-Desktop: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: BB-DESKTOP$ Account Domain: AVENTIS Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {----} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '4624'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: 'SYSTEM'
>        system_name: 'BB-Desktop'
>
> **Phase 3: Completed filtering (rules).
>        *Rule id: '18107'*
>        Level: '3'
>        Description: 'Windows Logon Success.'
> **Alert to be generated.
>
> *OR*
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '4624'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: 'SYSTEM'
>        system_name: 'BB-Desktop'
>
> **Phase 3: Completed filtering (rules).
>        *Rule id: '18119'*
>        Level: '3'
>        Description: 'First time this user logged in this system.'
> **Alert to be generated.
>
> *Rules*
>
> 18104
> ^528$|^540$|^673$|^4624$|^4769$
> Windows Logon Success.
> authentication_success,
>
> 18107
> alert_by_email
>
> First time this user logged in this system.
> authentication_success,
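To make the two logtest outcomes quoted in this thread reproducible, here is an added example (not OSSEC's code and not from either poster) that models the 18104 -> 18107 -> 18119 chain as a simplified rule tree: a child rule is tried only after its parent matched, the deepest match wins, and 18119 fires only the first time a (dstuser, system_name) pair is seen, after which the same event falls back to 18107. The first-time-seen key, the level-5 console threshold and the local override that re-declares 18107 at level 5 are assumptions made for the demonstration; the rule ids, the id regex and the level-3 values come from the thread.

```python
import re

# Constructed sample: the fields ossec-logtest decoded from the 4624 event in the thread.
DECODED = {"status": "AUDIT_SUCCESS", "id": "4624",
           "dstuser": "SYSTEM", "system_name": "BB-Desktop"}

# Simplified model of the rule chain (an assumption, not OSSEC's own evaluator): each
# rule names its parent via if_sid, and 18119 additionally needs first-time-seen (FTS).
# Levels are the ones logtest printed in the thread (3 for both 18107 and 18119).
RULES = [
    {"id": 18104, "level": 3, "if_sid": None, "if_fts": False,
     "cond": lambda ev: ev["status"] == "AUDIT_SUCCESS"},
    {"id": 18107, "level": 3, "if_sid": 18104, "if_fts": False,
     "cond": lambda ev: re.search(r"^528$|^540$|^673$|^4624$|^4769$", ev["id"]) is not None},
    {"id": 18119, "level": 3, "if_sid": 18107, "if_fts": True,
     "cond": lambda ev: True},
]
CONSOLE_MIN_LEVEL = 5  # assumption taken from the thread: the console shows level >= 5 only

def evaluate(event, rules, fts_seen):
    """Walk parent -> child and return (rule id, level) of the deepest match.
    fts_seen is the shared first-time-seen state, keyed on (dstuser, system_name)."""
    matched = None
    for rule in rules:
        parent_id = matched["id"] if matched else None
        if rule["if_sid"] != parent_id or not rule["cond"](event):
            continue
        if rule["if_fts"]:
            key = (event["dstuser"], event["system_name"])
            if key in fts_seen:
                continue  # seen before: the match stays on the parent (18107)
            fts_seen.add(key)
        matched = rule
    return (matched["id"], matched["level"]) if matched else (None, 0)

def replay(event, rules, times=2):
    """Feed the same event repeatedly through shared FTS state, as repeated logtest runs do."""
    fts_seen = set()
    return [evaluate(event, rules, fts_seen) for _ in range(times)]

def reaches_console(level):
    """An alert is visible in the console only at or above the threshold level."""
    return level >= CONSOLE_MIN_LEVEL

def with_local_override(rules, rule_id, level):
    """Model a local rule that re-declares an existing rule id at another level (assumed fix)."""
    return [dict(r, level=level) if r["id"] == rule_id else r for r in rules]
```

Replaying the same 4624 event twice yields 18119 first and 18107 afterwards, both at level 3, so neither clears the level-5 threshold; with the assumed override only the repeat match (18107 at level 5) does.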