This is the line that is filling my mailbox with rule 8152 fired
(level 10) -> "Multiple Windows Logon Failures.":
Feb 9 08:10:13 windowsbox security[failure] 675 NT AUTHORITY\SYSTEM
Pre-authentication failed: User Name:wolf$ User ID: %
{S-1-5-21-4240589779-2681227299-139461318-2740} Service Name:krbtgt/
COMPANY.COM Pre-Authentication Type:0x0 Failure Code:0x19 Client
Address:192.168.4.123
Basically, that line comes from an AD box, which is serving
authentication to a Linux Samba file server. The errors are
Kerberos related, but the Unix guys can't touch that box to fix it.
I want to ignore this particular error.
Cheers!
On Feb 8, 2007, at 11:38 PM, Daniel Cid wrote:
Hi Nicolas,
If you can show us some samples of your logs/alerts, we can
probably help you out...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 2/6/07, Nicolas Arias <[EMAIL PROTECTED]> wrote:
Hi guys!
I have an AD server where some Linux servers authenticate with Samba.
The thing is that it looks like there's some trouble in the Linux server
library and it's causing Kerberos validation troubles in the AD server,
so I get Rule: 18152 fired (level 10) -> "Multiple Windows Logon
Failures." all the time.
I don't want to modify the priority of that rule, but I do want to make
it more flexible, so I don't get 300 alerts in 1 night.
Any ideas?
Cheers!
Nicolas Arias
Security Officer
+54 11 4109 1885
+54 9 11 5455 0055
[EMAIL PROTECTED]