Thank you Daniel, That is exactly what I am looking for.
Regards,
Noel

Daniel Cid wrote:
> Hi Noel,
>
> I don't know exactly what this event means, but if you want to ignore
> those on OSSEC, try this rule:
>
> <rule id="100356" level="0">
>   <if_sid>18105</if_sid>
>   <id>560</id>
>   <match>\Device\NetbiosSmb</match>
>   <description>Ignoring event</description>
> </rule>
>
> In the <match> field you can ignore more parts of the event too.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Tue, Oct 6, 2009 at 9:51 AM, Noel Mulryan <[email protected]> wrote:
>
>> Hi,
>>
>> I have installed OSSEC as part of PCI DSS requirements and I must say it is
>> an excellent piece of software.
>>
>> OSSEC is running on a Debian box which is only running OSSEC. The rest of
>> the environment is a Windows-only environment.
>>
>> Full auditing is enabled on all machines.
>>
>> I keep getting the following log entry coming from all the Windows boxes
>> regarding \Device\NetbiosSmb and Audit Failure.
>>
>> 2009 Oct 06 13:31:23 Rule Id: 18105 level: 4
>> Location: (MiaFTP) 10.30.10.203->WinEvtLog
>> Windows audit failure event. WinEvtLog: Security: AUDIT_FAILURE(560):
>> Security: LOCAL SERVICE: NT AUTHORITY: MIAFTP: Object Open: Object Server:
>> Security Object Type: File Object Name: \Device\NetbiosSmb Handle ID: -
>> Operation ID: {0,1423794941} Process ID: 780 Image File Name:
>> C:\WINDOWS\system32\svchost.exe Primary User Name: LOCAL SERVICE Primary
>> Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E5) Client User Name: -
>> Client Domain: - Client Logon ID: - Accesses: %%1541 %%4416 %%4417
>> Privileges: - Restricted Sid Count: 0 Access Mask: 0x100003
>>
>> The following settings in Group Policy have been set for all servers:
>>
>> Turn off the security option "Audit the access of global system objects"
>>
>> Turn off the security option "Audit the use of the backup and restore
>> privilege".
>>
>> Indexing service disabled and auditing turned off for it.
>>
>> Does anyone know how to either ignore this event or stop it from being
>> generated?
>>
>> Also does anyone have extra Windows rules that I could apply (all Windows
>> Server 2003 used)?
>>
>> Thanks,
>>
>> Noel
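As an added illustration (not part of the thread, and not OSSEC's own rule engine), here is a small Python model of how the suggested child rule narrows the stock rule 18105: the alert only drops to level 0 when the parent rule fired, the Windows event ID is 560 and the event text contains \Device\NetbiosSmb, so a failed open of a real file with the same event ID still alerts at level 4. The sample events are constructed from the log line in the thread, the parent-rule lookup is a stand-in for OSSEC's Windows rules, and <match> is modelled as a plain substring test.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events, trimmed from the AUDIT_FAILURE(560) line in the thread.
EVENT_NETBIOS = (
    "WinEvtLog: Security: AUDIT_FAILURE(560): Security: LOCAL SERVICE: "
    "NT AUTHORITY: MIAFTP: Object Open: Object Server: Security Object Type: File "
    "Object Name: \\Device\\NetbiosSmb Handle ID: - Process ID: 780 "
    "Image File Name: C:\\WINDOWS\\system32\\svchost.exe Access Mask: 0x100003"
)
# Constructed: same event ID 560, but a real file is the object. Must still alert.
EVENT_FILE = EVENT_NETBIOS.replace("\\Device\\NetbiosSmb", "C:\\finance\\ledger.xls")

@dataclass
class ChildRule:
    """The fields of the suggested local rule that decide whether it fires."""
    rule_id: int
    level: int
    if_sid: int    # parent rule that must have matched first
    event_id: str  # Windows event ID (<id>)
    match: str     # <match>, modelled here as a plain substring test (assumption)

def parent_sid(event: str) -> Optional[int]:
    """Simplified stand-in for the stock Windows rules: a Security AUDIT_FAILURE
    event is treated as rule 18105 ("Windows audit failure event", level 4)."""
    return 18105 if "WinEvtLog: Security: AUDIT_FAILURE(" in event else None

def windows_event_id(event: str) -> Optional[str]:
    m = re.search(r"AUDIT_FAILURE\((\d+)\)", event)
    return m.group(1) if m else None

def final_level(event: str, rule: ChildRule) -> Optional[int]:
    """Alert level after the child rule is considered; None if no parent fired."""
    parent = parent_sid(event)
    if parent is None:
        return None
    base_level = 4  # the level rule 18105 alerted at in the thread
    if (parent == rule.if_sid
            and windows_event_id(event) == rule.event_id
            and rule.match in event):
        return rule.level  # the child rule's level replaces the parent's
    return base_level

# Daniel's rule, as the fields above: rule 100356, level 0, child of 18105.
IGNORE_NETBIOS = ChildRule(100356, 0, 18105, "560", "\\Device\\NetbiosSmb")
```

Because the rule keys on the object name and event ID rather than on all 560 events, other failed object opens on the same hosts keep their level 4 alert.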
