Hi, I have installed OSSEC as part of PCI DSS requirements and I must say it is an excellent piece of software.
OSSEC is running on a Debian box which is only running OSSEC. The rest of the environment is a Windows-only environment. Full auditing is enabled on all machines. I keep getting the following log entry coming from all the Windows boxes regarding \Device\NetbiosSmb and Audit Failure.

    2009 Oct 06 13:31:23
    Rule Id: 18105 <http://www.ossec.net/wiki/index.php/Rule:18105> level: 4
    Location: (MiaFTP) 10.30.10.203->WinEvtLog
    Windows audit failure event.
    WinEvtLog: Security: AUDIT_FAILURE(560): Security: LOCAL SERVICE: NT AUTHORITY: MIAFTP: Object Open: Object Server: Security Object Type: File Object Name: \Device\NetbiosSmb Handle ID: - Operation ID: {0,1423794941} Process ID: 780 Image File Name: C:\WINDOWS\system32\svchost.exe Primary User Name: LOCAL SERVICE Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E5) Client User Name: - Client Domain: - Client Logon ID: - Accesses: %%1541 %%4416 %%4417 Privileges: - Restricted Sid Count: 0 Access Mask: 0x100003

The following settings in Group Policy have been set for all servers:

- Turn off the security option "Audit the access of global system objects".
- Turn off the security option "Audit the use of the backup and restore privilege".
- Indexing service disabled and auditing turned off for it.

Does anyone know how to either ignore this event or stop it from being generated? Also, does anyone have extra Windows rules that I could apply (all Windows Server 2003 used)?

Thanks,
Noel

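One way to silence just this event on the OSSEC side, added here as an example and not taken from the post or from the OSSEC project: a local rule that inherits from rule 18105 and drops matching alerts to level 0. The rule id 100100 is an assumption (any unused id in the 100000-119999 local range works), and the rule goes in local_rules.xml on the Debian OSSEC server.

```xml
<!-- Added example, not from the original post. Place in rules/local_rules.xml. -->
<group name="local,windows,">

  <!-- Child of 18105 ("Windows audit failure event"): only alerts that already
       matched 18105 are tested here. The substring match keys on the object
       name from the posted log line; level 0 means no alert is written, so
       the event still goes through the decoder but never reaches alerts.log.
       Rule id 100100 is assumed; pick any free id in the local range. -->
  <rule id="100100" level="0">
    <if_sid>18105</if_sid>
    <match>NetbiosSmb</match>
    <description>Ignore svchost audit failures on \Device\NetbiosSmb (PCI noise reduction)</description>
  </rule>

</group>
```

Restart OSSEC after editing (`/var/ossec/bin/ossec-control restart`) and confirm with `/var/ossec/bin/ossec-logtest` that the pasted event now resolves to rule 100100 at level 0, while other 18105 audit failures on those hosts keep alerting at level 4.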