Hi list,
I have been receiving level 10 alerts. It appears that 18139 is
triggering 18152, though I'm not sure how to verify that. Can someone
clarify the following compound rule near lines 269 and 394 in
"msauth_rules.xml" or help me understand what is really going on?
Here are the lines that I think are relevant (OSSEC 1.6.1 installed on
the server):
269 <rule id="18139" level="5">
270   <if_sid>18105</if_sid>
271   <id>^672|^673|^675|^676|^681|^4769</id>
272   <description>Windows DC Logon Failure.</description>
273   <group>win_authentication_failed,</group>
274 </rule>
275
...
394 <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
395   <if_matched_group>win_authentication_failed</if_matched_group>
396   <description>Multiple Windows Logon Failures.</description>
397   <group>authentication_failures,</group>
398 </rule>
Can someone help me out? I see event id 672 and 673. Why are they in
the win_authentication_failed group (in rule id 18139)? Aren't they
success events?
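As an added illustration (not from the post and not OSSEC's own source), the following Python model replays decoded events through the two quoted rules so the chain 18105 -> 18139 -> 18152 can be traced. It assumes $MS_FREQ is 8, treats rule 18105 as the parent an event must already have matched before the if_sid check, and simplifies the frequency counting.

```python
import re
from collections import deque

# Constructed model of the two quoted rules (assumption: $MS_FREQ = 8).
MS_FREQ = 8
TIMEFRAME = 240  # seconds, from rule 18152
ID_RE = re.compile(r"^672|^673|^675|^676|^681|^4769")  # <id> of rule 18139


class Correlator:
    """Tracks win_authentication_failed matches for composite rule 18152."""

    def __init__(self):
        self._window = deque()  # timestamps of events that fired 18139

    def evaluate(self, ts, parent_sid, event_id):
        """Return the rule ids fired by one decoded event.

        parent_sid is the rule the event matched before the if_sid check;
        only events that came through 18105 can reach 18139 at all, so a
        672/673 that matched some other parent never joins the group.
        """
        fired = []
        if parent_sid != 18105 or not ID_RE.match(event_id):
            return fired
        fired.append(18139)  # event now carries group win_authentication_failed
        self._window.append(ts)
        # Drop matches that fell outside the 240 s timeframe.
        while self._window and ts - self._window[0] > TIMEFRAME:
            self._window.popleft()
        # Simplified counting (assumption): fire once the window holds
        # MS_FREQ matches, then start over; OSSEC's exact counter is not modelled.
        if len(self._window) >= MS_FREQ:
            fired.append(18152)
            self._window.clear()
        return fired


def replay(events):
    """Evaluate constructed (ts, parent_sid, event_id) tuples in order."""
    c = Correlator()
    return [c.evaluate(*e) for e in events]


if __name__ == "__main__":
    # Constructed sample: a 672 that did not pass through 18105 (parent 0
    # stands for any other rule) is ignored; eight 672/673 events that did
    # arrive via 18105 inside 240 s escalate to 18152 on the eighth.
    sample = [(0, 0, "672")] + [(t, 18105, "672" if t % 2 else "673") for t in range(8)]
    for ev, fired in zip(sample, replay(sample)):
        print(ev, "->", fired)
```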