Unfortunately that didn't work, Maarten.  After following that logic I am 
still getting all the email alerts for that account again.  And yes, I 
restarted the OSSEC daemons after adding the rules  :-)

However, when I run the log entry against ossec-logtest, it appears to do 
what I want by matching my overwritten #18180 rule -- yet in reality it 
still sends an email due to it matching the #18152 composite rule (I'm not 
sure how to use ossec-logtest to test a composite rule with multiple log 
entries).

Here are the rules I added:


  <!-- Rewrite rule #18180 to narrow down to bad SQL account and not add the 'win_authentication_failed' group -->
  <rule id="18180" level="5" overwrite="yes">
    <if_sid>18105</if_sid>
    <id>^18456$</id>
    <match>Login failed for user 'USERNAME'</match>
    <group>pci_dss_10.2.4,pci_dss_10.2.5,</group>
    <description>MS SQL Server Logon Failure for 'dpa' only</description>
  </rule>

  <!-- Add new rule to take the place of rule #18180 after matching our bad SQL account -->
  <rule id="100150" level="5">
    <if_sid>18105</if_sid>
    <id>^18456$</id>
    <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
    <description>MS SQL Server Logon Failure for 'dpa' only</description>
  </rule>



Here's the output from ossec-logtest:


2017/11/21 10:31:13 ossec-testrule: INFO: Reading local decoder file.
2017/11/21 10:31:13 ossec-testrule: INFO: Started (pid: 27437).
ossec-testrule: Type one log per line.


2017 Nov 16 12:43:56 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]

**Phase 1: Completed pre-decoding.
       full event: '2017 Nov 16 12:43:56 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]'
       hostname: 'SERVER'
       program_name: '(null)'
       log: '2017 Nov 16 12:43:56 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]'


**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '18456'
       extra_data: 'MSSQLSERVER'
       dstuser: '(no user)'
       system_name: 'SERVER'


**Phase 3: Completed filtering (rules).
       Rule id: '18180'
       Level: '5'
       Description: 'TEMP NOISE REDUCTION: MS SQL Server Logon Failure for 'USERNAME''
**Alert to be generated.



What am I still missing?  Any ideas?

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.

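The mechanism the two posted rules rely on, replayed over constructed log lines as an added example (this is not OSSEC's engine and not code from the post or the thread). It models the part of the rule tree the post touches: a decoder for the WinEvtLog layout shown in the logtest output, the two child rules of 18105 as posted, and a hypothetical group-keyed frequency rule standing in for 18152. Assumptions made here, not stated on the page: the first child rule whose id and match both hit wins, in the listed order; the composite rule fires on 6 events carrying the win_authentication_failed group within 240 seconds (constructed numbers, not the real 18152 definition); 'dpa' is the noisy account named in the posted descriptions and 'appuser' is a made-up second account; the client IP is made up.

```python
import re
from collections import deque

# Layout from the logtest output above:
# "<ts> WinEvtLog: <channel>: <status>(<id>): <source>: <user>: <domain>: <host>: <message>"
WINEVT_RE = re.compile(
    r"WinEvtLog: (?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<host>[^:]+): (?P<message>.*)$"
)


def decode(line):
    """Produce the fields the 'windows' decoder showed in Phase 2.
    dstuser is '(no user)': the failing SQL login only appears in the free-text
    message, which is why the posted rule uses <match> rather than a user field."""
    m = WINEVT_RE.search(line)
    if not m:
        return None
    return {"status": m["status"], "id": m["id"], "extra_data": m["source"],
            "dstuser": m["dstuser"], "system_name": m["host"],
            "message": m["message"]}


# Child rules of 18105 as posted, in evaluation order. Assumption (simplified
# from OSSEC's rule tree): first child whose <id> and <match> hit wins; 100150
# has no <match>, so it is the fallback. 'dpa' comes from the posted descriptions.
CHILD_RULES = [
    {"sid": 18180, "id": "18456", "match": "Login failed for user 'dpa'",
     "groups": {"pci_dss_10.2.4", "pci_dss_10.2.5"}},
    {"sid": 100150, "id": "18456", "match": None,
     "groups": {"win_authentication_failed", "pci_dss_10.2.4", "pci_dss_10.2.5"}},
]


def match_child(event):
    """Return the first child rule matching the decoded event, or None."""
    for rule in CHILD_RULES:
        if event["id"] != rule["id"]:
            continue
        if rule["match"] is not None and rule["match"] not in event["message"]:
            continue
        return rule
    return None


class GroupFrequencyRule:
    """Hypothetical composite rule: fires once `frequency` events whose winning
    rule carries `group` arrive within `timeframe` seconds (the shape of an
    if_matched_group rule; NOT the real 18152 definition)."""

    def __init__(self, sid, group, frequency, timeframe):
        self.sid, self.group = sid, group
        self.frequency, self.timeframe = frequency, timeframe
        self.window = deque()  # timestamps of recent qualifying events

    def feed(self, ts, rule):
        # An event whose winning rule lacks the group never enters the window.
        if rule is None or self.group not in rule["groups"]:
            return False
        self.window.append(ts)
        while ts - self.window[0] > self.timeframe:
            self.window.popleft()
        if len(self.window) >= self.frequency:
            self.window.clear()  # one alert per burst (simplification)
            return True
        return False


def run(events, composite):
    """events: list of (timestamp_seconds, raw_line). Returns the winning sid
    per line and the (timestamp, sid) composite alerts raised."""
    winners, alerts = [], []
    for ts, line in events:
        decoded = decode(line)
        rule = match_child(decoded) if decoded else None
        winners.append(rule["sid"] if rule else None)
        if composite.feed(ts, rule):
            alerts.append((ts, composite.sid))
    return winners, alerts


def make_line(user):
    """Constructed WinEvtLog line in the post's layout (client IP made up)."""
    return ("2017 Nov 16 12:43:56 WinEvtLog: Application: AUDIT_FAILURE(18456): "
            "MSSQLSERVER: (no user): no domain: SERVER: Login failed for user "
            f"'{user}'. Reason: Failed to open the explicitly specified database "
            "'DATABASE'. [CLIENT: 10.0.0.5]")


def demo(user, count=8, spacing=10):
    """Replay `count` failures for `user`, one every `spacing` seconds, against a
    constructed composite rule (6 events in 240 s keyed on the group)."""
    events = [(i * spacing, make_line(user)) for i in range(count)]
    composite = GroupFrequencyRule(18152, "win_authentication_failed", 6, 240)
    return run(events, composite)


if __name__ == "__main__":
    print("dpa:    ", demo("dpa"))      # 18180 wins each time, no composite alert
    print("appuser:", demo("appuser"))  # 100150 wins, composite fires on the 6th
```

Under these assumptions the noisy account only ever hits the overwritten 18180, which carries no win_authentication_failed tag, so the group-keyed composite never sees it, while any other account falls through to 100150 and still trips the composite on the sixth failure. Whether that is what the real 18152 keys on (a group, a parent sid, or a same-source condition) has to be checked against its definition in the shipped rule set; if it aggregates on the parent sid rather than the group, dropping the group tag alone would not stop it.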