Running it through ossec-logtest you get:
**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: Security: AUDIT_FAILURE(560): Security:
NETWORK SERVICE: NT AUTHORITY: XX-XXX-XX: Object Open:
Object Server: Security Object Type: File
Object Name: \Device\00000079 Handle ID: -
Operation ID: {0,1xxx} Process ID: 6660
Image File Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
Primary User Name: NETWORK SERVICE Primary
Domain: NT AUTHORITY Primary Logon ID: (0x0,0xxxx)
Client User Name: NETWORK SERVICE Client
Domain: NT AUTHORITY Client Logon ID: (0x0,0x3E4)
Accesses: %%1538 %%1541
%%4416
%%4419
%%4423
Privileges: - Restricted Sid Count: 0 Access Mask:
0x120089'
hostname: 'ix'
program_name: '(null)'
log: 'WinEvtLog: Security: AUDIT_FAILURE(560): Security:
NETWORK SERVICE: NT AUTHORITY: XX-XXX-XX: Object Open:
Object Server: Security Object Type: File
Object Name: \Device\00000079 Handle ID: -
Operation ID: {0,1xxx} Process ID: 6660
Image File Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
Primary User Name: NETWORK SERVICE Primary
Domain: NT AUTHORITY Primary Logon ID: (0x0,0xxxx)
Client User Name: NETWORK SERVICE Client
Domain: NT AUTHORITY Client Logon ID: (0x0,0x3E4)
Accesses: %%1538 %%1541
%%4416
%%4419
%%4423
Privileges: - Restricted Sid Count: 0 Access Mask:
0x120089'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_FAILURE'
id: '560'
extra_data: 'Security'
dstuser: 'NETWORK SERVICE'
system_name: 'XX-XXX-XX'
**Phase 3: Completed filtering (rules).
Rule id: '18105'
Level: '4'
Description: 'Windows audit failure event.'
**Alert to be generated.
Write a rule to ignore those events, and maybe the 18153's won't fire.
On Fri, Dec 3, 2010 at 4:03 AM, Simon Slaytor
<[email protected]> wrote:
> Thanks Charles,
>
> I’ve added the following to my central server local_rules.xml file, directly
> following the SSH from 1.1.1.1 example, and restarted OSSEC @ approx 14:11
> today (2010/12/02 14:11:34 ossec-monitord(1225): INFO: SIGNAL Received. Exit
> Cleaning...).
>
> <rule id="100002" level="0">
>   <if_sid>18153</if_sid>
>   <match>wmiprvse.exe</match>
>   <description>Ignore Events</description>
> </rule>
>
> I’ve just had through the following alert from the OSSEC server:
>
> OSSEC HIDS Notification.
>
> 2010 Dec 02 16:06:39
>
> Received From: (XX-XXX-XX) XX.XX.XX.100->WinEvtLog
>
> Rule: 18153 fired (level 10) -> "Multiple Windows audit failure events."
>
> Portion of the log(s):
>
> WinEvtLog: Security: AUDIT_FAILURE(560): Security: NETWORK SERVICE: NT
> AUTHORITY: XX-XXX-XX: Object Open: Object Server:
> Security Object Type: File Object Name:
> \Device\00000079 Handle ID: - Operation ID:
> {0,1xxx} Process ID: 6660 Image File Name:
> C:\WINDOWS\system32\wbem\wmiprvse.exe Primary User Name:
> NETWORK SERVICE Primary Domain: NT AUTHORITY Primary
> Logon ID: (0x0,0xxxx) Client User Name: NETWORK
> SERVICE Client Domain: NT AUTHORITY Client Logon
> ID: (0x0,0x3E4) Accesses: %%1538
> %%1541
> %%4416
> %%4419
> %%4423
> Privileges:
> - Restricted Sid Count: 0 Access Mask: 0x120089
>
> So adding this to the server file doesn’t appear to be working either.
>
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Charles Profitt
> Sent: 02 December 2010 13:36
> To: [email protected]; [email protected]
> Subject: [ossec-list] RE: Windows Agent and local_rules.xml
>
> I have always added my rules on the ossec server.
>
> Charles Profitt, Sr. Network Technician, Pittsford Central Schools
> BrainBench Certified - (Master)Microsoft Security | (Master)Storage Area
> Networks Concepts | (Master)Microsoft Vista Desktop Administration |
> (Master)Macintosh OS X 10.4 Desktop Administration
> ----------------------------------------------------------------------
> νόησις νοήσεως - nóesis noéseos
>
> ________________________________
>
> From: [email protected] [[email protected]] On Behalf Of
> Simon Slaytor [[email protected]]
> Sent: Thursday, December 02, 2010 8:20 AM
> To: [email protected]
> Subject: [ossec-list] Windows Agent and local_rules.xml
>
> Hi Folks,
>
> First message to the list, apologies if this has been covered before but my
> Google fu is obviously weak as I cannot find the answer.
>
> I have a central OSSEC server currently v2.4.1 on Ubuntu and a number of
> remote agents, all 2.4.1 and everything is working well.
>
> I now want to suppress some rogue alerts generated by a couple of ‘Windows
> 2003 Servers/Agents’.
>
> After Googling I understand that I need to:
>
> Modify the ‘local agent’ copy of the local_rules.xml file, adding a new
> custom rule as follows:
>
> <group name="local">
>   <rule id="100101" level="0">
>     <if_sid>18153</if_sid>
>     <match>wmiprvse.exe</match>
>     <description>Events ignored</description>
>   </rule>
> </group>
>
> Ok, so my first problem: there is no ‘Local_rules.xml’ file on the Windows
> agent. Undeterred, I have created one and placed it in the root of the
> ossec-agent folder. Is this the correct thing to do?
>
> I have then added the following to the ossec.conf configuration file on the
> agent, just before, i.e. within the ‘default’ </ossec_config> and restarted
> the agent.
>
> <rules>
>   <include>local_rules.xml</include>
> </rules>
>
> The agent runs ok, but I see no entry relating to local_rules.xml in the log
> file and the alerts are still being generated.
>
> Any pointers as to what I’m doing wrong would be greatly appreciated.
>
> Simon
>
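Added example (editor's addition, not posted by anyone in this thread): a local_rules.xml fragment for the OSSEC manager that suppresses this event at its source. The ossec-logtest run at the top shows the single 560 event matching rule 18105 (level 4, "Windows audit failure event."); 18153 is the frequency rule that fires once enough 18105 matches accumulate in its timeframe, so the override is attached to 18105. When a level-0 child of 18105 matches, the event is recorded under the child's id rather than 18105 and no longer counts toward 18153's threshold. Rules are evaluated only by ossec-analysisd on the manager, so the file belongs at /var/ossec/rules/local_rules.xml on the Ubuntu server (the default ossec.conf already includes it); a local_rules.xml on the Windows agent, and a <rules> block in the agent's ossec.conf, are never read. The rule id 100002 and the group name are assumptions; 18105, event id 560 and wmiprvse.exe are taken from the logtest output above.

```xml
<!-- Added example (not from the thread): /var/ossec/rules/local_rules.xml on the
     OSSEC manager.  Rule id 100002 and the group name are assumptions; the
     parent rule 18105, the event id 560 and the image name wmiprvse.exe come
     from the ossec-logtest output in this thread. -->
<group name="local,windows,">

  <!-- Attach to 18105, the base rule the single event matched, not to the
       frequency rule 18153.  Once this child matches, the event is recorded as
       100002 instead of 18105 and is not counted toward 18153. -->
  <rule id="100002" level="0">
    <if_sid>18105</if_sid>
    <!-- The decoder extracted id: '560' (Object Open).  Anchoring on the exact
         id keeps this from silencing every audit failure that mentions
         wmiprvse.exe, e.g. logon or privilege-use failures. -->
    <id>^560$</id>
    <!-- Simple substring match against the log text; the Image File Name field
         above ends in ...\wbem\wmiprvse.exe. -->
    <match>wmiprvse.exe</match>
    <description>Ignore object-open audit failures (560) from wmiprvse.exe.</description>
  </rule>

</group>
```

After saving, restart the manager (/var/ossec/bin/ossec-control restart) and confirm with /var/ossec/bin/ossec-logtest by pasting the full WinEvtLog line from the alert: Phase 3 should now report Rule id '100002' at Level '0' and no "Alert to be generated" line. If it still reports 18105, the rule file was not loaded or the match text does not appear in the log exactly as written.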