In the most current msauth-rules.xml, event ID 680 is disabled, with the
stated reason that it is a duplicate.  Unfortunately that is not the case.  A failed
680 event is how a Windows 2003 Server AD domain controller denotes a failed
NTLM logon, and a failed 672 is how it denotes a failed Kerberos
authentication.

These failures will be most noticeable when a non-Windows device attempts
to authenticate using NTLM.

As a result, the default ruleset was missing many authentication failures
in my environment.  I wrote the following local-rules.xml to close
this gap.  I also had to comment out rule 18121.

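<group name="local,">
  <!--
    Local rules for Windows 2003 domain-controller event 680 (NTLM logon
    attempts) that the stock msauth rules leave disabled.

    Rule 100006 is the catch-all: it fires for any event 680 that reaches it
    through its parent rule 18105 (the parent is expected to fire only for
    audit failures, which is what makes these "logon failures" - confirm
    against your copy of msauth-rules.xml).  Rules 100007 to 100015 refine
    it by the NT status code carried in the event text so that the alert
    description and level reflect the reason for the failure; when none of
    them matches, the generic level-5 alert from 100006 is raised instead.

    Each child uses <match>, which is a plain substring comparison, so the
    "Error Code: 0x..." text must appear verbatim in the event as logged.
    Bad username, account lockout and disabled account are raised at
    level 7; the remaining codes stay at the parent's level 5.
  -->
  <rule id="100000" level="0">
    <description>User created rules</description>
  </rule>

  <!-- Catch-all for any failed 680 that no child rule below refines. -->
  <rule id="100006" level="5">
    <if_sid>18105</if_sid>
    <id>^680</id>
    <description>Windows NTLM Logon Failure.</description>
    <group>win_authentication_failed,</group>
  </rule>

  <!-- 0xC0000064: the user name does not exist. -->
  <rule id="100007" level="7">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000064</match>
    <description>Windows NTLM Logon Failure - Bad Username</description>
    <group>win_authentication_failed,</group>
  </rule>

  <!-- 0xC000006A: the user name exists but the password is wrong. -->
  <rule id="100008" level="5">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC000006A</match>
    <description>Windows NTLM Logon Failure - Bad Password</description>
    <group>win_authentication_failed,</group>
  </rule>

  <!-- 0xC0000234: the account is locked out. -->
  <rule id="100009" level="7">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000234</match>
    <description>Windows NTLM Logon Failure - Account Locked Out</description>
    <group>win_authentication_failed,</group>
  </rule>

  <!-- 0xC0000072: the account is disabled. -->
  <rule id="100010" level="7">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000072</match>
    <description>Windows NTLM Logon Failure - Account Disabled</description>
    <group>win_authentication_failed,</group>
  </rule>

  <!-- 0xC000006F: logon outside the account's permitted hours. -->
  <rule id="100011" level="5">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC000006F</match>
    <description>Windows NTLM Logon Failure - Account Time Restriction</description>
    <group>win_authentication_failed,</group>
  </rule>

  <!-- 0xC0000070: logon from a workstation the account may not use. -->
  <rule id="100012" level="5">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000070</match>
    <description>Windows NTLM Logon Failure - Account Workstation Restriction</description>
    <group>win_authentication_failed,</group>
  </rule>

  <!-- 0xC0000193: the account has expired. -->
  <rule id="100013" level="5">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000193</match>
    <description>Windows NTLM Logon Failure - Account Expired</description>
    <group>win_authentication_failed,</group>
  </rule>

  <!-- 0xC0000074: the account's password has expired. -->
  <rule id="100014" level="5">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000074</match>
    <description>Windows NTLM Logon Failure - Password Expired</description>
    <group>win_authentication_failed,</group>
  </rule>

  <!-- 0xC0000224: the user must change the password before logging on. -->
  <rule id="100015" level="5">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000224</match>
    <description>Windows NTLM Logon Failure - User Required To Change Password</description>
    <group>win_authentication_failed,</group>
  </rule>

</group>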

