I have two issues.

1.  I cannot get rule 18107 in the msauth_rules.xml file to generate an 
alert, unless I put it as a local rule.  This prebuilt rule should work.
2.  I am trying to monitor successful logins and when testing the rule 
using the log below I can get it to produce an alert while in testing, but 
it sometimes filters using rule 18107 or sometimes rule 18119.  It is 
random which rule shows up when testing.  Neither ALERT shows up in 
Sguil, unless I build the local rule, then it works.  

I listed the two tests that show the different matched rules and the rules 
in place, which are the predefined rules that come with OSSEC. 


WinEvtLog: Security: AUDIT_SUCCESS(4624): 
Microsoft-Windows-Security-Auditing: SYSTEM: NT AUTHORITY: BB-Desktop: An 
account was successfully logged on. Subject:  Security ID:  S-1-5-18  
Account Name:  BB-DESKTOP$  Account Domain:  AVENTIS  Logon ID:  0x3e7  
Logon Type:   5  New Logon:  Security ID:  S-1-5-18  Account Name:  SYSTEM  
Account Domain:  NT AUTHORITY  Logon ID:  0x3e7  Logon GUID:  
{00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  
0x38c  Process Name:  C:\Windows\System32\services.exe  Network 
Information:  Workstation Name: -  Source Network Address: -  Source Port:  
-  Detailed Authentication Information:  Logon Process:  Advapi    
Authentication Package: Negotiate  Transited Services: -  Package Name 
(NTLM only): -  Key Length:  0  This event is generated when a logon 
session is created. It is generated on the computer that was accessed.

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_SUCCESS'
       id: '4624'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: 'SYSTEM'
       system_name: 'BB-Desktop'
**Phase 3: Completed filtering (rules).
       *Rule id: '18107'*
       Level: '3'
       Description: 'Windows Logon Success.'
**Alert to be generated.

*OR*

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_SUCCESS'
       id: '4624'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: 'SYSTEM'
       system_name: 'BB-Desktop'
**Phase 3: Completed filtering (rules).
       *Rule id: '18119'*
       Level: '3'
       Description: 'First time this user logged in this system.'
**Alert to be generated.

*Rules*
  <rule id="18107" level="3">
    <if_sid>18104</if_sid>
    <id>^528$|^540$|^673$|^4624$|^4769$</id>
    <description>Windows Logon Success.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="18119" level="3">
    <if_sid>18107</if_sid>
    <options>alert_by_email</options>
    <if_fts />
    <description>First time this user logged in this system.</description>
    <group>authentication_success,</group>
  </rule>
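The local-rule workaround the post mentions, written out as an added example that is not part of the original message (the rule id, the level and the placement in local_rules.xml are assumptions): a child of the stock rule 18107 that matches the same 4624 events, so its level and options can be tuned without editing msauth_rules.xml. Because 18119 carries <if_fts />, it only matches the first time a given user is seen on a system; after that the chain ends at 18107 (or at a child rule like this one), which is why the matched rule changes between test runs.

```xml
<!-- local_rules.xml (assumed file): constructed example, not from the original post -->
<group name="local,windows,">
  <!-- Child of the built-in 18107; 100107 is in the local rule id range -->
  <rule id="100107" level="7">
    <if_sid>18107</if_sid>
    <!-- Restrict to the 4624 "account was successfully logged on" event -->
    <id>^4624$</id>
    <description>Windows logon success (local rule, level raised for forwarding).</description>
    <group>authentication_success,</group>
  </rule>
</group>
```

Run the same event through ossec-logtest after adding it; the chain should end at 100107 on every run except the first time a new user/system pair is seen, when 18119 still wins.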

