[ossec-list] Re: Win server 2008

2011-04-06 Thread joshua.gruber
This looks like an oversight that is a potential problem on a lot of the rules in msauth_rules.xml. The event log IDs can be 5 digits (they go up to 65535) and so any id in the rule set that's less than 5 digits should have both the ^ and the $, as you indicate. There might not be a 52901 yet but

[ossec-list] Re: ossec-logtest is performing differently from running ossec

2011-04-06 Thread joshua.gruber
Of joshua.gruber Sent: Friday, April 01, 2011 6:14 AM To: ossec-list Subject: [ossec-list] ossec-logtest is performing differently from running ossec Okay, per Microsoft, when XP and 2008 co-mingle the handshake always starts with an AUDIT_FAILURE(4769) event, Failure Code 0xe. The old

[ossec-list] Re: New and need help

2011-04-06 Thread joshua.gruber
I concur with Jeremy, you probably want to look to something like Snort as well for IDS needs. As to Audit events... I would suggest looking at the events one at a time to address them. They likely are telling you about real issues that you want to correct rather than simply squelching. For

[ossec-list] Re: Agent server communication issue

2011-04-06 Thread joshua.gruber
Have you tried testing traffic on a test port to make certain traffic is getting there and coming from the direction you expect? For instance: on the good server: tcpdump -n 'port 55512' on the bad agent machine: echo hello? | netcat goodserverip 55512 See if the traffic gets to the good

[ossec-list] ossec-logtest is performing differently from running ossec

2011-04-01 Thread joshua.gruber
Okay, per Microsoft, when XP and 2008 co-mingle the handshake always starts with an AUDIT_FAILURE(4769) event, Failure Code 0xe. The old systems just don't speak the new Kerberos language. This is filling up my IDS logs as OSSEC doesn't like the big bold FAILURE there. So I put in some version