Okay, I finally figured out problem 1. Seems OSSEC only reports on level 5 or higher, that was fixed. Still stuck on issue 2 as to the conflicting filtering rules.
On Thursday, July 20, 2017 at 1:53:04 PM UTC-5, Bob Boklewski wrote:
> I have two issues.
>
> 1. I cannot get rule 18107 in the msauth_rules.xml file to generate an
> alert, unless I put it as a local rule. This prebuilt rule should work.
> 2. I am trying to monitor successful logins and when testing the rule
> using the log below I can get it to produce an alert while in testing, but
> it sometimes filters using rule 18107 or sometimes rule 18119. It is
> random which rule shows up when testing. Neither ALERT shows up in
> Sguil, unless I build the local rule, then it works.
>
> I listed the two tests that show the different matched rules and the rules
> in place, which are the predefined rules that come with OSSEC.
>
> WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: SYSTEM: NT AUTHORITY: BB-Desktop: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: BB-DESKTOP$ Account Domain: AVENTIS Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x38c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '4624'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: 'SYSTEM'
>        system_name: 'BB-Desktop'
>
> **Phase 3: Completed filtering (rules).
>        *Rule id: '18107'*
>        Level: '3'
>        Description: 'Windows Logon Success.'
> **Alert to be generated.
>
> *OR*
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '4624'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: 'SYSTEM'
>        system_name: 'BB-Desktop'
>
> **Phase 3: Completed filtering (rules).
>        *Rule id: '18119'*
>        Level: '3'
>        Description: 'First time this user logged in this system.'
> **Alert to be generated.
>
> *Rules*
>
> <rule id="18107" level="3">
>   <if_sid>18104</if_sid>
>   <id>^528$|^540$|^673$|^4624$|^4769$</id>
>   <description>Windows Logon Success.</description>
>   <group>authentication_success,</group>
> </rule>
>
> <rule id="18119" level="3">
>   <if_sid>18107</if_sid>
>   <options>alert_by_email</options>
>   <if_fts />
>   <description>First time this user logged in this system.</description>
>   <group>authentication_success,</group>
> </rule>
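As an added example, not code from the thread or from the OSSEC rule set: both stock rules above sit at level 3, so with alerts only reported at level 5 or higher neither reaches the console, and because `<if_fts />` fires only the first time the decoded field combination is seen, 18119 and then 18107 matching on repeated tests is first-time-seen state rather than randomness. The fragment below raises both rules in local_rules.xml using OSSEC's `overwrite="yes"` attribute, which replaces the stock rule of the same id in place (the whole rule body has to be repeated); the alternative is lowering `<log_alert_level>` under `<alerts>` in ossec.conf, which changes reporting for every rule.

```xml
<!-- local_rules.xml: added example, not part of the original thread.
     overwrite="yes" replaces stock 18107 and 18119 while keeping the
     18119 -> 18107 -> 18104 chain intact. Assumed: the reporting
     threshold stays at level 5 and msauth_rules.xml is loaded before
     local_rules.xml, as in a stock rule order. -->
<group name="local,">

  <!-- Same match as stock 18107; only the level changes. -->
  <rule id="18107" level="5" overwrite="yes">
    <if_sid>18104</if_sid>
    <id>^528$|^540$|^673$|^4624$|^4769$</id>
    <description>Windows Logon Success.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- First-time-seen child keeps if_fts: it wins on the first logon of a
       user on a system, later logons fall through to 18107. Both are now
       at level 5, so either outcome is reported. -->
  <rule id="18119" level="5" overwrite="yes">
    <if_sid>18107</if_sid>
    <options>alert_by_email</options>
    <if_fts />
    <description>First time this user logged in this system.</description>
    <group>authentication_success,</group>
  </rule>

</group>
```

Re-run the event through /var/ossec/bin/ossec-logtest after restarting OSSEC: Phase 3 should still pick 18119 or 18107 by first-time-seen state, but now report Level: '5'.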