What happens if you change <match> to use <srcip>192.168.1.255</srcip>?

On Monday, 3 July 2017 at 14:29:48 UTC+2, Ian Brown wrote:
>
> I've got this event log in windows:
>
> 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): 
> Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The 
> Windows Filtering Platform blocked a packet. Application Information: 
> Process ID: 0 Application Name: - Network Information: Direction: %%14592 
> Source Address: 192.168.1.120 Source Port: 39740 Destination Address: 
> 192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information: 
> Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13
>
> I'd like to ignore entries that contain the broadcast address 
> 192.168.1.255.
>
> If I fire up "ossec-logtest -v" and feed that log line into the app, I see 
> that it matches against the sid 18105:
>
>     Trying rule: 18105 - Windows audit failure event.
>        *Rule 18105 matched.
>        *Trying child rules.
>     Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
>     Trying rule: 18153 - Multiple Windows audit failure events.
>     Trying rule: 18106 - Windows Logon Failure.
>     Trying rule: 18139 - Windows DC Logon Failure.
>     Trying rule: 18180 - MS SQL Server Logon Failure.
>     Trying rule: 18108 - Failed attempt to perform a privileged operation.
> **Phase 3: Completed filtering (rules).
>        Rule id: '18105'
>        Level: '4'
>        Description: 'Windows audit failure event.'
> **Alert to be generated.
>
>
> So I've added this rule to my local_rules.xml file:
>
>   <rule id="100004" level="0">
>     <if_sid>18105</if_sid>
>     <match>192.168.1.255</match>
>     <description>Ignore firewall dropped packets for broadcast address</description>
>   </rule>
>
>
> However, after restarting the ossec-hids-server and re-running "ossec-logtest 
> -v", I see that it tries my rule but somehow doesn't match -- what have I 
> done wrong?
>
>     Trying rule: 18105 - Windows audit failure event.
>        *Rule 18105 matched.
>        *Trying child rules.
>     Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
>     Trying rule: 100004 - Ignore firewall dropped packets for broadcast address
>     Trying rule: 18153 - Multiple Windows audit failure events.
>     Trying rule: 18106 - Windows Logon Failure.
>     Trying rule: 18139 - Windows DC Logon Failure.
>     Trying rule: 18180 - MS SQL Server Logon Failure.
>     Trying rule: 18108 - Failed attempt to perform a privileged operation.
> **Phase 3: Completed filtering (rules).
>        Rule id: '18105'
>        Level: '4'
>        Description: 'Windows audit failure event.'
> **Alert to be generated.
>
>
>
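As an added example that is not part of this thread and not OSSEC's own code, the Python below parses the Windows Filtering Platform event 5152 line quoted above the way a decoder would, pulling out the event id and the Source/Destination Address and Port fields, and then decides whether a dropped packet is a broadcast drop by comparing the Destination Address (the field in which 192.168.1.255 appears in the quoted event) against the broadcast address of a subnet. The 192.168.1.0/24 network, the second sample line and the function names are assumptions made for this example; the first sample line is a reconstruction of the event posted above.

```python
import ipaddress
import re

# Constructed samples modelled on the event quoted in the thread (not captured logs).
BROADCAST_LINE = (
    "2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The "
    "Windows Filtering Platform blocked a packet. Application Information: "
    "Process ID: 0 Application Name: - Network Information: Direction: %%14592 "
    "Source Address: 192.168.1.120 Source Port: 39740 Destination Address: "
    "192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information: "
    "Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13"
)
# Same event shape, but a unicast destination (assumed values) so it must be kept.
UNICAST_LINE = BROADCAST_LINE.replace(
    "Destination Address: 192.168.1.255", "Destination Address: 192.168.1.10"
)

# Header: "WinEvtLog: <channel>: <status>(<event id>): "
EVENT_RE = re.compile(r"WinEvtLog: (?P<channel>[^:]+): (?P<status>\w+)\((?P<event_id>\d+)\): ")
# Network Information block of a 5152 event.
FIELD_RE = re.compile(
    r"Source Address: (?P<srcip>\S+) Source Port: (?P<srcport>\d+) "
    r"Destination Address: (?P<dstip>\S+) Destination Port: (?P<dstport>\d+) "
    r"Protocol: (?P<proto>\d+)"
)


def parse_wfp_event(line):
    """Return the decoded fields of a WinEvtLog 5152 line, or None for any other line."""
    head = EVENT_RE.search(line)
    if head is None or head.group("event_id") != "5152":
        return None
    net = FIELD_RE.search(line)
    if net is None:
        return None
    fields = {k: head.group(k) for k in ("channel", "status", "event_id")}
    fields.update(net.groupdict())
    return fields


def is_broadcast_drop(fields, network="192.168.1.0/24"):
    """True if the blocked packet was addressed to the broadcast address of `network`.

    The check is on the destination field: in the quoted event the broadcast
    address is the Destination Address, not the Source Address.
    """
    if fields is None:
        return False
    subnet = ipaddress.ip_network(network)
    try:
        dst = ipaddress.ip_address(fields["dstip"])
    except ValueError:  # e.g. a "-" placeholder instead of an address
        return False
    return dst == subnet.broadcast_address


def triage(lines, network="192.168.1.0/24"):
    """Split lines into (kept, ignored): broadcast drops are ignored, everything else kept."""
    kept, ignored = [], []
    for line in lines:
        target = ignored if is_broadcast_drop(parse_wfp_event(line), network) else kept
        target.append(line)
    return kept, ignored


if __name__ == "__main__":
    kept, ignored = triage([BROADCAST_LINE, UNICAST_LINE])
    print(f"kept={len(kept)} ignored={len(ignored)}")
    for line in ignored:
        print("ignored:", parse_wfp_event(line))
```

Running it on the two constructed lines ignores the broadcast drop and keeps the unicast one; any line that is not a 5152 event, or whose destination field is not a parseable address, is kept rather than silently dropped.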
