Please have a look at this:
http://www.ossec.net/wiki/Know_How:Multiple_Failures_WindowsAD

On 01/06/2011 09:19 AM, Chris Tweed wrote:
I believe I have now managed to solve my rule 18152 issue with the following rule. I was getting events generated every 30 mins and I've now not had any for the last 3 hours.
I just thought I should post what I'd done in case it helps anybody else in future, or of course in case anybody spots a fatal flaw in what I've done :^)

<rule id="100001" level="0">
  <if_level>10</if_level>
  <hostname>SERVER-NAME</hostname>
  <if_sid>18152</if_sid>
  <description>Ignoring SERVER-NAME</description>
</rule>

On 5 January 2011 09:37, Chris Tweed <[email protected]> wrote:

This is my first posting to this list having rolled OSSEC HIDS out to an estate of around 800 Windows based machines towards the end of last year as part of our PCI compliance strategy.

Everything is running very smoothly and I just have one niggle, rule 18152. I have made a few other simple rule changes successfully, but so far I have been unable to work out a solution for this one myself and I feel like I could do with a bit of help.

For various quite legitimate reasons none of the 800 aforementioned Windows machines are part of a domain, however another part of our security system does sit on our domain and is creating invalid login attempt events from the domain administrator account every time it accesses one of the machines in our OSSEC estate.

Rule 18152 is fired and presents the following information, which I have edited for the sake of privacy. “CLIENT001” was the original Windows machine name of the PC where the OSSEC agent is installed, “DOMAIN-NAME” is the name of the Windows domain where the Windows server in question resides and “SERVER-NAME” is the name of the Windows 2008 Server machine which is producing the logon failures:

WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: CLIENT001 : Logon Failure:     Reason:  Unknown user name or bad password     User Name: Administrator     Domain:  DOMAIN-NAME     Logon Type: 3     Logon Process: NtLmSsp      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0     Workstation Name: SERVER-NAME 

Of course I want to retain logon failure events, however I know about these failed logon attempts from SERVER-NAME and as the server in question makes a connection every 30 minutes… well, let's just say that the events are going to mount up a bit from an estate of 800 OSSEC installations (48 x 800 = 38400 event notifications per day). At the moment the Windows 2008 Server is only configured to connect to a small number of client machines and I can’t really continue with the roll out of that part of our security system until this issue is resolved.

I’m thinking that there must be a way to overwrite rule 18152 with a version in local_rules which will ignore any alerts mentioning “SERVER-NAME” in the event, but I have been unable to figure out a way to do this.

Any help that anybody can offer to help me solve this would be greatly appreciated,

Regards and thank you for reading,

Chris


-- 
R. Loyd Darby, OSSIM-OCSE
Project Manager DOC/NOAA/NMFS
Infrastructure coordinator
Southeast Fisheries Science Center
305-361-4297
