Hi, maybe you have Windows Server 2003, and 672 or 673 are for both success and failure events on w2k3?

See http://www.ultimatewindowssecurity.com/securitylog/event.aspx?eventID=672 and http://www.windowsecurity.com/articles/Kerberos-Authentication-Events.html

Regards

On Feb 23, 3:53 pm, b <[email protected]> wrote:
> Hi list,
>
> I have been receiving level 10 alerts. It appears that 18139 is
> triggering 18152, though I'm not sure how to verify that. Can someone
> clarify the following compound rule near lines 269 and 394 in
> "msauth_rules.xml" or help me understand what is really going on?
>
> Here are the lines that I think are relevant (ossec 1.6.1 installed on
> the server):
>
> 269 <rule id="18139" level="5">
> 270 <if_sid>18105</if_sid>
> 271 <id>^672|^673|^675|^676|^681|^4769</id>
> 272 <description>Windows DC Logon Failure.</description>
> 273 <group>win_authentication_failed,</group>
> 274 </rule>
> ...
> 394 <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
> 395 <if_matched_group>win_authentication_failed</if_matched_group>
> 396 <description>Multiple Windows Logon Failures.</description>
> 397 <group>authentication_failures,</group>
> 398 </rule>
>
> Can someone help me out? I see event id 672 and 673. Why are they in
> the win_authentication_failed group (in rule id 18139)? Aren't they
> success events?
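To see how the two quoted rules chain, here is an added Python sketch (not OSSEC's own code) that emulates rule 18139's `<id>` regex and a simplified version of rule 18152's frequency/timeframe correlation. `$MS_FREQ` is assumed to be 8 and the event stream is constructed; the real threshold comes from the local OSSEC configuration.

```python
import re
from collections import deque

# Added illustration, not OSSEC's code. Rule 18139 tags any event whose ID
# matches the regex below with the group win_authentication_failed; rule
# 18152 fires once $MS_FREQ such events fall inside a 240 s window.
MS_FREQ = 8        # assumption: real value is set in the OSSEC config
TIMEFRAME = 240    # seconds, as quoted from rule 18152

# The <id> pattern exactly as quoted from rule 18139.
RULE_18139_ID = re.compile(r"^672|^673|^675|^676|^681|^4769")


def rule_18139(event_id: str):
    """Groups rule 18139 attaches, or None if the ID does not match.

    672/673 (Kerberos AS/TGS requests) match regardless of whether the
    Windows event itself reports success or failure.
    """
    if RULE_18139_ID.match(event_id):
        return {"win_authentication_failed"}
    return None


class Rule18152:
    """Simplified if_matched_group + frequency + timeframe correlation."""

    def __init__(self, frequency=MS_FREQ, timeframe=TIMEFRAME):
        self.frequency, self.timeframe = frequency, timeframe
        self.hits = deque()  # timestamps of recent group matches

    def feed(self, timestamp: float, groups) -> bool:
        """True when this event pushes the window over the threshold."""
        if not groups or "win_authentication_failed" not in groups:
            return False
        self.hits.append(timestamp)
        while self.hits and timestamp - self.hits[0] > self.timeframe:
            self.hits.popleft()          # expire hits outside the window
        if len(self.hits) >= self.frequency:
            self.hits.clear()            # one burst -> one level-10 alert
            return True
        return False


def run(events):
    """Feed (timestamp, event_id) pairs through both rules; return 18152 firings."""
    corr, fired = Rule18152(), []
    for ts, eid in events:
        if corr.feed(ts, rule_18139(eid)):
            fired.append(ts)
    return fired


# Constructed sample: eight 672 events 10 s apart. They may all be successful
# TGT requests, yet they still raise rule 18152 because 672 is in the group.
SAMPLE = [(10.0 * i, "672") for i in range(8)]
```

Feeding the same eight events 300 s apart never fires 18152, because each hit has expired before the next arrives.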
