Thank you so much, Loyd, I will go and put that in place straight away. I'm not quite sure how I can have missed that one given the amount of searching and reading I've been doing to try and resolve this.

It seems I had been lulled into a belief that I had resolved the issue with my original rule. Nothing yesterday afternoon, but I've come into work this morning to discover a whole bundle of those alerts from overnight.

Thank you very much for your help!

Chris

On 6 January 2011 16:49, loyd. darby <[email protected]> wrote:

> please have a look at this:
> http://www.ossec.net/wiki/Know_How:Multiple_Failures_WindowsAD
>
> On 01/06/2011 09:19 AM, Chris Tweed wrote:
>
> > I believe I have now managed to solve my rule 18152 issue with the following rule. I was getting events generated every 30 mins and I've now not had any for the last 3 hours.
> >
> > I just thought I should post what I'd done in case it helps anybody else in future, or of course in case anybody spots a fatal flaw in what I've done :^)
> >
> >   <rule id="100001" level="0">
> >     <if_level>10</if_level>
> >     <hostname>SERVER-NAME</hostname>
> >     <if_sid>18152</if_sid>
> >     <description>Ignoring SERVER-NAME</description>
> >   </rule>
> >
> > On 5 January 2011 09:37, Chris Tweed <[email protected]> wrote:
> >
> >> This is my first posting to this list, having rolled OSSEC HIDS out to an estate of around 800 Windows based machines towards the end of last year as part of our PCI compliance strategy.
> >>
> >> Everything is running very smoothly and I just have one niggle, rule 18152. I have made a few other simple rule changes successfully, but so far I have been unable to work out a solution for this one myself and I feel like I could do with a bit of help.
> >>
> >> For various quite legitimate reasons none of the 800 aforementioned Windows machines are part of a domain; however, another part of our security system does sit on our domain and is creating invalid login attempt events from the domain administrator account every time it accesses one of the machines in our OSSEC estate.
> >>
> >> Rule 18152 is fired and presents the following information, which I have edited for the sake of privacy. "CLIENT001" was the original Windows machine name of the PC where the OSSEC agent is installed, "DOMAIN-NAME" is the name of the Windows domain where the Windows server in question resides and "SERVER-NAME" is the name of the Windows 2008 Server machine which is producing the logon failures :-
> >>
> >>   WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: CLIENT001: Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: DOMAIN-NAME Logon Type: 3 Logon Process: NtLmSsp Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: SERVER-NAME
> >>
> >> Of course I want to retain logon failure events; however, I know about these failed logon attempts from SERVER-NAME and as the server in question makes a connection every 30 minutes... well, let's just say that the events are going to mount up a bit from an estate of 800 OSSEC installations (48 x 800 = 38400 event notifications per day). At the moment the Windows 2008 Server is only configured to connect to a small number of client machines and I can't really continue with the roll out of that part of our security system until this issue is resolved.
> >>
> >> I'm thinking that there must be a way to overwrite rule 18152 with a version in local_rules which will ignore any alerts mentioning "SERVER-NAME" in the event, but I have been unable to figure out a way to do this.
> >>
> >> Any help that anybody can offer to help me solve this would be greatly appreciated,
> >>
> >> Regards and thank you for reading,
> >>
> >> Chris
>
> --
> R. Loyd Darby, OSSIM-OCSE
> Project Manager DOC/NOAA/NMFS
> Infrastructure coordinator
> Southeast Fisheries Science Center
> 305-361-4297
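The filtering decision the thread is after, as an added stand-alone example (it is not OSSEC's rule engine and not code from anyone in the thread). The event line quoted above carries two different machine names: the system the agent reports in the header (CLIENT001, the PC running the agent) and the Workstation Name inside the message (SERVER-NAME, the machine that attempted the logon). The example parses both, then suppresses only the one expected combination of workstation, account, domain and logon type (3 is a network logon), so that the same domain Administrator failing from some other workstation, or a different account failing from SERVER-NAME, still alerts. The sample lines, the ExpectedFailure allowlist and the function names are constructed for this illustration; the workstation name in an NTLM failure is supplied by the client, which is why the allowlist keys on the whole tuple rather than on SERVER-NAME alone.

```python
"""Triage of Windows 529 logon-failure events (constructed illustration).

Added example; not OSSEC code and not from the thread's author. It shows the
filtering decision the thread is after: suppress the one expected source of
noise (SERVER-NAME probing the agents' Administrator account over NTLM)
while still alerting on every other failure, including failures that merely
claim to come from SERVER-NAME but involve a different account.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, modelled on the single event quoted in the thread
# (same redacted names). They were not captured from a real system.
SAMPLE_LOGS = [
    # The expected noise: domain Administrator from SERVER-NAME, network logon.
    "WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: "
    "CLIENT001: Logon Failure: Reason: Unknown user name or bad password "
    "User Name: Administrator Domain: DOMAIN-NAME Logon Type: 3 "
    "Logon Process: NtLmSsp Authentication Package: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: SERVER-NAME",
    # Same account, but from a workstation nobody vouched for: must alert.
    "WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: "
    "CLIENT002: Logon Failure: Reason: Unknown user name or bad password "
    "User Name: Administrator Domain: DOMAIN-NAME Logon Type: 3 "
    "Logon Process: NtLmSsp Authentication Package: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: OTHER-PC",
    # Claims to be SERVER-NAME, but a different account: must alert too.
    "WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: "
    "CLIENT003: Logon Failure: Reason: Unknown user name or bad password "
    "User Name: svc-backup Domain: DOMAIN-NAME Logon Type: 3 "
    "Logon Process: NtLmSsp Authentication Package: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: SERVER-NAME",
]

# Header as the agent writes it: channel, type(id), source, user, domain, then
# the name of the machine the agent runs on (CLIENT001 in the thread).
HEADER_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<kind>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<evt_user>[^:]+): (?P<evt_domain>[^:]+): "
    r"(?P<agent_host>[^:]+): (?P<message>.*)$"
)

# The labelled fields of a 529 message, in the order Windows emits them.
LABELS = ["Reason", "User Name", "Domain", "Logon Type", "Logon Process",
          "Authentication Package", "Workstation Name"]
_LABEL_ALT = "|".join(re.escape(label) for label in LABELS)
# A value runs until the next known label (or end of line), so values that
# contain spaces, such as the Reason text, are kept whole.
FIELD_RE = re.compile(
    rf"(?P<label>{_LABEL_ALT}): (?P<value>.*?)(?=\s(?:{_LABEL_ALT}): |$)"
)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the header and message fields of a WinEvtLog line, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = dict(m.groupdict())
    for f in FIELD_RE.finditer(fields.pop("message")):
        fields[f.group("label")] = f.group("value")
    return fields


@dataclass(frozen=True)  # frozen -> hashable, so instances can live in a set
class ExpectedFailure:
    """One tolerated (workstation, account, domain, logon type) combination."""
    workstation: str
    user: str
    domain: str
    logon_type: str


# Hypothetical allowlist: exactly the combination the thread describes as
# expected. Keying on the full tuple rather than the workstation alone keeps
# the filter narrow: the workstation name in an NTLM failure is supplied by
# the client, so it should never be the only thing a suppression trusts.
EXPECTED = {ExpectedFailure("SERVER-NAME", "Administrator", "DOMAIN-NAME", "3")}
FAILURE_EVENT_IDS = {"529"}  # the event ID shown in the thread


def classify(line: str) -> Tuple[str, Optional[Dict[str, str]]]:
    """Return ("suppress" | "alert" | "ignore", parsed fields).

    "ignore" covers lines that are not parseable logon failures at all.
    """
    ev = parse_event(line)
    if (ev is None or ev["kind"] != "AUDIT_FAILURE"
            or ev["event_id"] not in FAILURE_EVENT_IDS):
        return "ignore", ev
    key = ExpectedFailure(
        ev.get("Workstation Name", ""), ev.get("User Name", ""),
        ev.get("Domain", ""), ev.get("Logon Type", ""),
    )
    return ("suppress" if key in EXPECTED else "alert"), ev


def triage(lines: List[str]) -> Dict[str, int]:
    """Count verdicts over a batch of lines, as a rule test harness would."""
    counts = {"suppress": 0, "alert": 0, "ignore": 0}
    for line in lines:
        counts[classify(line)[0]] += 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        verdict, ev = classify(sample)
        print(f"{verdict:8s} agent={ev['agent_host']} user={ev['User Name']} "
              f"domain={ev['Domain']} workstation={ev['Workstation Name']}")
    print(triage(SAMPLE_LOGS))
```

Run over the three constructed lines, only the first is suppressed; the other two are alerted on even though one of them names SERVER-NAME, which is the behaviour to check for before shipping any suppression rule against an estate of this size.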
