This is my first posting to this list, having rolled OSSEC HIDS out to an estate of around 800 Windows-based machines towards the end of last year as part of our PCI compliance strategy.
Everything is running very smoothly and I have just one niggle: rule 18152. I have made a few other simple rule changes successfully, but so far I have been unable to work out a solution for this one myself and I feel I could do with a bit of help. For various quite legitimate reasons none of the 800 aforementioned Windows machines are part of a domain; however, another part of our security system does sit on our domain and is creating invalid login attempt events from the domain administrator account every time it accesses one of the machines in our OSSEC estate.

Rule 18152 is fired and presents the following information, which I have edited for the sake of privacy. "CLIENT001" was the original Windows machine name of the PC where the OSSEC agent is installed, "DOMAIN-NAME" is the name of the Windows domain where the Windows server in question resides, and "SERVER-NAME" is the name of the Windows 2008 Server machine which is producing the logon failures:

    WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: CLIENT001: Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: DOMAIN-NAME Logon Type: 3 Logon Process: NtLmSsp Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: SERVER-NAME

Of course I want to retain logon failure events; however, I know about these failed logon attempts from SERVER-NAME, and as the server in question makes a connection every 30 minutes... well, let's just say that the events are going to mount up a bit from an estate of 800 OSSEC installations (48 x 800 = 38400 event notifications per day). At the moment the Windows 2008 Server is only configured to connect to a small number of client machines, and I can't really continue with the roll-out of that part of our security system until this issue is resolved.
I'm thinking that there must be a way to overwrite rule 18152 with a version in local_rules which will ignore any alerts mentioning "SERVER-NAME" in the event, but I have been unable to figure out a way to do this. Any help that anybody can offer to solve this would be greatly appreciated.

Regards and thank you for reading,
Chris
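The usual OSSEC way to do what Chris describes is not to overwrite 18152 at all but to add a child rule in the manager's local_rules.xml that is only reached for the known-good events and carries level 0, so those events are dropped while every other 18152 hit keeps firing. The snippet below is an added example written for this post; it is not code from the original message or from the OSSEC project's shipped rule set. It assumes the placeholders SERVER-NAME and DOMAIN-NAME from the post, the rule id 100152 (an arbitrary pick from the 100000-119999 range OSSEC reserves for local rules), and the default manager path /var/ossec/rules/local_rules.xml.

```xml
<!-- /var/ossec/rules/local_rules.xml on the OSSEC manager (example; path and
     rule id are assumptions). Applies to every agent, so one rule covers the
     whole estate of 800 machines. -->
<group name="local,windows,authentication_failed,">

  <!-- Child of the stock rule 18152 via if_sid: when the regex also matches,
       this rule is selected instead of its parent, and level 0 means the
       event is neither alerted on nor logged. Events that reach 18152 from
       any other account, domain or workstation are untouched. -->
  <rule id="100152" level="0">
    <if_sid>18152</if_sid>
    <!-- OSSEC's own OS_Regex syntax, tested against the full event text.
         Matching the account AND domain AND workstation together keeps the
         suppression as narrow as the post's description allows; a bare
         "Workstation Name: SERVER-NAME" would also silence any other box
         that presents that (client-supplied, spoofable) NTLM workstation name. -->
    <regex>User Name: Administrator Domain: DOMAIN-NAME .*Workstation Name: SERVER-NAME</regex>
    <description>Expected logon failures from SERVER-NAME's domain Administrator account (known scanner behaviour); suppressed.</description>
  </rule>

</group>
```

Two checks a practitioner would run before trusting this. First, paste the event line from the post into /var/ossec/bin/ossec-logtest on the manager: it should report rule 100152 at level 0 rather than 18152, and a line with a different workstation name should still report 18152. Second, look at how 18152 is defined in the shipped msauth_rules.xml: if it turns out to be a frequency (if_matched_sid) rule built on a lower-level single-event logon-failure rule, hang the child off that base rule id instead, so the suppressed events are never counted toward the threshold in the first place. The rule takes effect after /var/ossec/bin/ossec-control restart on the manager; no agent changes are needed.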
