On Tue, Mar 14, 2017 at 1:51 PM, BeesZA <stefan.hodg...@gmail.com> wrote:
> Hi All,
>
> I am very new to OSSEC and I need some help with a simple issue. I need an
> example rule for the following:
>
> I have a user that have a granular password policy applied to him, this
> policy says that this account cannot be locked out like all the other domain
> accounts. But because he is then vulnerable to password guessing I need to
> know when an authentication attempt fails.
>
> I cannot deploy OSSEC agent to all domain users machines so I restricted
> where this user can login, which I have done via ADUC, in the user's profile
> I configured the "Log onto" setting and it now contains only the computers
> he is allowed to log onto.
>
> So on those computers, I have the OSSEC agent running and when there are
> multiple invalid authentication attempts on them with that specific user of
> any sort I need to know about it.
>
>
> I configured email alerts and set the global option to go nowhere because I
> don't want all the "noise", then I want to specify only the alerts I want
> one by one under <email alerts>. I got it from here
> https://www.ryanschulze.net/archives/1666.
>
> So it's under <email alerts> that I want to specify that I want to specify
> the custom rule that will fire when this special user has a failed logon.
>
> Please help me with building this rule
>
> <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     <smtp_server>127.0.0.1</smtp_server>
>     <email_to>dev-null@email.domain</email_to>
>     <email_from>ossec@ossec.server</email_from>
>   </global>
>
>   <email_alerts>
>     <email_to>ossec-admins@email.domain</email_to>
>     <level>7</level>
>   </email_alerts>
> </ossec_config>
>

Sounds like fun.

First, turn on the logall option in the <global> section of the
server's ossec.conf.
<global>
  ...
  <logall>yes</logall>
</global>

Then restart the OSSEC processes on the server.
This will log all log messages the server receives to
/var/ossec/logs/archives/archives.log.
Next, login as that user (or any user will probably do), and find the
log message in archives.log.

You can use that log message for further development of your rule
using ossec-logtest.
I usually put a log message that I'll be testing a lot into a textfile
on the server, and then pipe it to ossec-logtest:
`cat /tmp/logmessage | /var/ossec/bin/ossec-logtest`

The output of that gives you a lot of what you'll need to build the rule.
My guess would be that it will look something like this (but this is
totally untested by a unix guy):
<group name="local,windows,">
  <!-- child of 18105 (Windows logon failure), restricted to the one user -->
  <rule id="400001" level="7">
    <if_sid>18105</if_sid>
    <user>USERNAME</user>
    <description>USERNAME failed auth</description>
  </rule>
  <!-- composite rule: the attribute is "timeframe" (seconds), not "timeout";
       per the OSSEC docs the rule actually fires after frequency + 2 matches -->
  <rule id="400002" level="10" frequency="2" timeframe="120">
    <if_matched_sid>400001</if_matched_sid>
    <description>Multiple failed logins for USERNAME</description>
  </rule>
</group>



-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
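The original post also asked how to hook a single custom rule into the granular <email_alerts> section so that only it is mailed to the admins. As an added example that is not from the thread, here is a server ossec.conf that does this, assuming the composite rule is installed in /var/ossec/rules/local_rules.xml with id 400002 as in the reply above:

```xml
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>127.0.0.1</smtp_server>
    <!-- catch-all address from the original post; keeps the "noise" away from admins -->
    <email_to>dev-null@email.domain</email_to>
    <email_from>ossec@ossec.server</email_from>
  </global>

  <!-- replaces <level>7</level>, which would have mailed every level-7+ alert to the admins;
       a rule_id filter mails only the multiple-failed-logins alert for the special user -->
  <email_alerts>
    <email_to>ossec-admins@email.domain</email_to>
    <rule_id>400002</rule_id>
    <!-- send immediately instead of waiting for the periodic email batch -->
    <do_not_delay />
  </email_alerts>
</ossec_config>
```

Rule 400002 is level 10, above the default email_alert_level of 7, so the alert is eligible for email without adding <alert_by_email /> to the rule; confirm the rule ids match by feeding the captured archives.log line through ossec-logtest before restarting.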
