Hi,
If anyone has created custom rules for Windows events, I would really
appreciate some pointers and examples. I have read the FAQs, bought
and read the book, and googled as much as I could, but I'm stuck. I
have also looked at the msauth rules, but almost all of them are simply
matching an id. A couple contain match, regex or user strings. Are
match, regex and user the only options I have besides matching the id?
Examples:
<regex> ID:\s+\p*S-1-5-32-544\p*</regex>
<match>Target Account Name: None</match>
<user>^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON</user>
I would like to create a rule which will alert on a failed or successful
terminal services connection which has event id
540 or 4624 with logon type 10.
My first question is: how do you pull/format a Windows event from the
Event Viewer so that ossec-logtest will decode and test it?
Below is the rule I made. I used the existing windows decoder. If there
is a better, more preferred way to do this, please share. (I also
tried using <Logon Type>10</Logon Type>.) My rule is accepted by OSSEC,
but it does not alert on a terminal services connection.
# vi local_rules.xml
<group name="custom-windows-event-alert">
  <!-- Parent rule: matches every event the "windows" decoder handles,
       level 0 so it never alerts on its own -->
  <rule id="700005" level="0">
    <decoded_as>windows</decoded_as>
    <description>custom-windows-event-alert</description>
  </rule>

  <!-- Alert if terminal session attempted -->
  <rule id="700006" level="12">
    <if_sid>700005</if_sid>
    <!-- anchor both ends so ^540 cannot also match ids such as 5400 -->
    <id>^540$|^4624$</id>
    <match>Logon Type: 10</match>
    <description>Terminal services (logon type 10) connection</description>
  </rule>
</group>
Thanks for the help and have a Happy Holiday.
Russ
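To check the decode-then-match logic of a rule like the one above without a running OSSEC server, here is an added example (not part of the original post, and not OSSEC's own code) that re-implements the two steps in Python: a toy "windows" decoder that splits the single-line `WinEvtLog:` header the OSSEC Windows agent forwards, and a rule that fires when a logon success or failure event carries `Logon Type: 10`. It goes slightly beyond the posted rule by also covering the failure ids (529/4625) alongside the success ids (528/540/4624). The header layout, the hypothetical helper names (`decode`, `match_terminal_services`, `run_rules`) and the sample log lines are assumptions/constructed for the example; the event ids and logon type 10 (RemoteInteractive) are standard Windows values.

```python
"""Toy re-implementation of the OSSEC decode-then-match flow for Windows
logon events, so a rule's logic can be exercised without ossec-logtest."""
import re

# Assumed layout of the single-line events the OSSEC Windows agent ships:
# "WinEvtLog: <log>: <type>(<id>): <source>: <user>: <domain>: <host>: <message>"
# The message text keeps "Logon Type: N" inline after whitespace collapsing.
HEADER = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<type>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"(?P<message>.*)$"
)
LOGON_TYPE = re.compile(r"Logon Type:\s*(\d+)\b")

# Logon outcome ids: pre-Vista (528/540 success, 529 failure) and
# Vista+ (4624 success, 4625 failure). Logon type 10 = RemoteInteractive (RDP/TS).
SUCCESS_IDS = {528, 540, 4624}
FAILURE_IDS = {529, 4625}
TS_LOGON_TYPE = 10


def decode(line):
    """Mimic the 'windows' decoder: split the header and pull out the event id.
    Returns None for lines the decoder would not claim."""
    m = HEADER.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["id"] = int(event["id"])
    return event


def logon_type(event):
    """Extract the numeric Logon Type from the event message, or None."""
    m = LOGON_TYPE.search(event["message"])
    return int(m.group(1)) if m else None


def match_terminal_services(event):
    """Rule body: fire when a logon success/failure event has logon type 10.
    An exact integer compare on the id avoids the pitfall of an unanchored
    regex such as ^540 also matching 5400."""
    if event is None or logon_type(event) != TS_LOGON_TYPE:
        return None
    if event["id"] in SUCCESS_IDS:
        return "ts_logon_success"
    if event["id"] in FAILURE_IDS:
        return "ts_logon_failure"
    return None


def run_rules(lines):
    """Return (event id, host, verdict) for each line the rule fires on."""
    alerts = []
    for line in lines:
        event = decode(line)
        verdict = match_terminal_services(event)
        if verdict:
            alerts.append((event["id"], event["host"], verdict))
    return alerts


# Constructed sample events (hypothetical hosts/users, not captured from a real system).
SAMPLE_LINES = [
    # Vista+ RDP success: should alert
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: TS01: An account was successfully logged on. Subject: "
    "Security ID: S-1-5-18 Logon Type: 10 New Logon: Account Name: rdpuser "
    "Account Domain: CORP Source Network Address: 10.0.0.5",
    # Network logon (type 3): right id, wrong logon type, no alert
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: TS01: An account was successfully logged on. Logon Type: 3 "
    "New Logon: Account Name: svc_backup",
    # Vista+ RDP failure: should alert
    "WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: TS01: An account failed to log on. Logon Type: 10 "
    "Account For Which Logon Failed: Account Name: administrator "
    "Failure Reason: Unknown user name or bad password.",
    # Windows 2003-style success (540): should alert
    "WinEvtLog: Security: AUDIT_SUCCESS(540): Security: jdoe: CORP: WS2003: "
    "Successful Network Logon: User Name: jdoe Domain: CORP Logon ID: (0x0,0x1A2B3C) "
    "Logon Type: 10 Logon Process: User32 Source Network Address: 10.0.0.7",
    # Logoff (4634) carries Logon Type: 10 too, but is not a logon id: no alert
    "WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: TS01: An account was logged off. Logon Type: 10",
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LINES):
        print(alert)
```

The 4634 line is there on purpose: matching on `Logon Type: 10` alone would fire on logoffs and on other events that merely echo the logon type, so the id filter and the logon-type match must be combined, as the `<id>` plus `<match>` pair in the rule does.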