Hi Noel, I don't know exactly what this event means, but if you want to ignore those on OSSEC, try this rule:

  <rule id="100356" level="0">
    <if_sid>18105</if_sid>
    <id>560</id>
    <match>\Device\NetbiosSmb</match>
    <description>Ignoring event</description>
  </rule>

In the <match> field you can ignore more parts of the event too.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Oct 6, 2009 at 9:51 AM, Noel Mulryan <noelmulr...@gmail.com> wrote:
> Hi,
>
> I have installed OSSEC as part of PCI DSS requirements and I must say it is
> an excellent piece of software.
>
> OSSEC is running on a Debian box which is only running OSSEC. The rest of
> the environment is a Windows-only environment.
>
> Full auditing is enabled on all machines.
>
> I keep getting the following log entry coming from all the Windows boxes
> regarding \Device\NetbiosSmb and Audit Failure.
>
> 2009 Oct 06 13:31:23 Rule Id: 18105 level: 4
> Location: (MiaFTP) 10.30.10.203->WinEvtLog
> Windows audit failure event. WinEvtLog: Security: AUDIT_FAILURE(560):
> Security: LOCAL SERVICE: NT AUTHORITY: MIAFTP: Object Open: Object Server:
> Security Object Type: File Object Name: \Device\NetbiosSmb Handle ID: -
> Operation ID: {0,1423794941} Process ID: 780 Image File Name:
> C:\WINDOWS\system32\svchost.exe Primary User Name: LOCAL SERVICE Primary
> Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E5) Client User Name: -
> Client Domain: - Client Logon ID: - Accesses: %%1541 %%4416 %%4417
> Privileges: - Restricted Sid Count: 0 Access Mask: 0x100003
>
> The following settings in Group Policy have been set for all servers:
>
> Turn off the security option "Audit the access of global system objects"
>
> Turn off the security option "Audit the use of the backup and restore
> privilege".
>
> Indexing service disabled and auditing turned off for it.
>
> Does anyone know how to either ignore this event or stop it from being
> generated?
>
> Also does anyone have extra Windows rules that I could apply (all Windows
> Server 2003 used)?
>
> Thanks,
>
> Noel
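Before dropping a level-0 ignore rule like the one above into local_rules.xml, it is worth checking how much it silences: a `<match>` is a substring test over the whole event, so a short pattern can swallow more than the one noisy event. The following script is an added example, not code from the OSSEC project or from this thread. It parses the rule's `<if_sid>`, `<id>` and `<match>` fields and re-implements only those three checks in simplified form (substring match, exact event id, parent rule already fired; real OSSEC `<match>` also understands `^`, `$` and `|`), then runs the posted rule and a tighter variant (matching on the "Object Name:" field, as the reply suggests) over three constructed sample events. The sample log lines, the event named "payroll share", and the parent rule id `18104` used for the success event are all assumptions made for this example.

```python
"""Check how narrowly an OSSEC ignore rule applies (added example).

OSSEC semantics reproduced here, simplified: <if_sid> requires a parent
rule to have fired, <id> compares the decoded Windows event id, and
<match> is a plain substring search over the full event text.
"""
import xml.etree.ElementTree as ET

# The rule from the reply, and a tighter variant anchored on the Object Name
# field. Raw strings keep the backslashes exactly as they appear in the XML.
POSTED_RULE = r"""<rule id="100356" level="0">
  <if_sid>18105</if_sid>
  <id>560</id>
  <match>\Device\NetbiosSmb</match>
  <description>Ignoring event</description>
</rule>"""

TIGHT_RULE = r"""<rule id="100357" level="0">
  <if_sid>18105</if_sid>
  <id>560</id>
  <match>Object Type: File Object Name: \Device\NetbiosSmb Handle ID:</match>
  <description>Ignoring svchost NetbiosSmb audit failure</description>
</rule>"""

# Constructed sample events, shortened from the format in the thread.
# fired_sids lists the rule ids OSSEC matched before reaching our rule.
SAMPLE_EVENTS = [
    {   # the noisy event reported in the thread
        "name": "svchost NetbiosSmb failure",
        "fired_sids": ["18105"], "id": "560",
        "full_log": ("WinEvtLog: Security: AUDIT_FAILURE(560): Security: "
                     "LOCAL SERVICE: NT AUTHORITY: MIAFTP: Object Open: "
                     "Object Server: Security Object Type: File Object Name: "
                     "\\Device\\NetbiosSmb Handle ID: - Process ID: 780 "
                     "Image File Name: C:\\WINDOWS\\system32\\svchost.exe"),
    },
    {   # a 560 failure on a different object: must keep alerting
        "name": "payroll share failure",
        "fired_sids": ["18105"], "id": "560",
        "full_log": ("WinEvtLog: Security: AUDIT_FAILURE(560): Security: "
                     "jdoe: CORP: MIAFTP: Object Open: Object Type: File "
                     "Object Name: C:\\Finance\\payroll.xls Handle ID: - "
                     "Image File Name: C:\\WINDOWS\\explorer.exe"),
    },
    {   # same object, but an audit success under a different parent rule
        "name": "NetbiosSmb success",
        "fired_sids": ["18104"], "id": "560",   # 18104: assumed parent id
        "full_log": ("WinEvtLog: Security: AUDIT_SUCCESS(560): Security: "
                     "LOCAL SERVICE: NT AUTHORITY: MIAFTP: Object Open: "
                     "Object Type: File Object Name: \\Device\\NetbiosSmb "
                     "Handle ID: 1234"),
    },
]


def parse_rule(xml_text):
    """Extract the fields this checker understands from one <rule> element."""
    rule = ET.fromstring(xml_text)
    if_sid = rule.findtext("if_sid", "")
    return {
        "id": rule.get("id"),
        "level": int(rule.get("level", "0")),
        "if_sid": {s.strip() for s in if_sid.split(",") if s.strip()},
        "event_id": rule.findtext("id"),
        "match": rule.findtext("match"),
        "description": rule.findtext("description"),
    }


def rule_fires(rule, event):
    """True when every condition of the rule holds for the event."""
    if rule["if_sid"] and not rule["if_sid"] & set(event["fired_sids"]):
        return False
    if rule["event_id"] and event.get("id") != rule["event_id"]:
        return False
    if rule["match"] and rule["match"] not in event["full_log"]:
        return False
    return True


def silenced_events(rule, events):
    """Names of the events a level-0 rule would drop from alerting."""
    if rule["level"] != 0:
        return []
    return [e["name"] for e in events if rule_fires(rule, e)]


if __name__ == "__main__":
    for xml_text in (POSTED_RULE, TIGHT_RULE):
        rule = parse_rule(xml_text)
        print(f"rule {rule['id']} silences: {silenced_events(rule, SAMPLE_EVENTS)}")
```

Both rules silence only the svchost event in this sample set, which is the result you want; the value of the check is in adding your own real audit failures to `SAMPLE_EVENTS` (anything whose path or object name could contain the matched text) and confirming the list does not grow.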