Looking for help on making an exception for a specific username that's
continually failing logons to a database. The DBAs are slammed and unable
to get to this for a few days. In the meantime, I'm getting slammed with
an excessive amount of email alerts (500+) from rule #18180 every day.
My goal is to:
1. Stop this one "USERNAME" on this one "SERVER" from triggering email
alerts
2. Still continue logging the alerts (just not emailing)
3. Still allow all other failed logons to count up and email alerts
As such, I can't just simply stop sending emails from rule #18180 since
that would stop alerts on all other activity, not just this one.
I cannot find a way to overwrite rule #18180 with a <match> exception, as
there doesn't appear to be a way to make exceptions for anything but source
and destination IP addresses. Nor can I find a way to remove a <group>
from a matched rule so I could <match> on the "USERNAME" and "SERVER" and
remove it from the "win_authentication_failed" group, thereby keeping
#18180 from seeing it.
Here are some details:
Rule #18180 is first triggered by failed logins and adds the group "
win_authentication_failed":
<rule id="18180" level="5">
<if_sid>18105</if_sid>
<id>^18456$</id>
<group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
<description>MS SQL Server Logon Failure.</description>
</rule>
Here's a sample (sanitized) actual alert from rule #18180:
** Alert 1510854237.1318112395: - windows,win_authentication_failed,
pci_dss_10.2.4,pci_dss_10.2.5,
2017 Nov 16 12:43:57 (SERVER) any->WinEvtLog
Rule: 18180 (level 5) -> 'MS SQL Server Logon Failure.'
User: (no user)
2017 Nov 16 12:43:56 WinEvtLog: Application: AUDIT_FAILURE(18456):
MSSQLSERVER: (no user): no domain: SERVER.DOMAIN.LOCAL: Login failed for
user 'USERNAME'. Reason: Failed to open the explicitly specified database
'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]
Once OSSEC sees six of these "win_authentication_failed" alerts within four
minutes, rule #18152 triggers:
<rule id="18152" level="10" frequency="6" timeframe="240">
<if_matched_group>win_authentication_failed</if_matched_group>
<description>Multiple Windows Logon Failures.</description>
<group>
authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,</group>
</rule>
Can anyone point me in the right direction on excluding this particular
alert (still logging though) from being seen by rule #18152, without
impacting that rule's ability to email alerts for all other activity?
- Bruce
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
