Okay, per Microsoft, when XP and 2008 co-mingle the handshake always
starts with an AUDIT_FAILURE(4769) event, Failure Code 0xe. The old
systems just don't speak the new Kerberos language. This is filling
up my IDS logs, as OSSEC doesn't like the big bold FAILURE there. So I
put some version of this rule into my local_rules.xml:
<rule id="118139" level="1">
  <if_sid>18139</if_sid>
  <match>Failure Code: 0xE|Failure Code: 0xe</match>
  <description>Windows DC enforcing new encryption types</description>
</rule>
When I pipe the offending archive.log line into ossec-logtest, it
spits out 118139. Happy as a clam. But when it's running live, it
gives me an 18139 result. I have rebooted the OSSEC server (pretending
it was a Windows machine, you understand). 118139 NEVER fires in the
live alerts, always 18139. I clipped the lines from archive.log as a
second test; the first time I clipped it from the darned 18139 alert
directly. Here's the line that works in logtest but not live:
WinEvtLog: Security: AUDIT_FAILURE(4769): Microsoft-Windows-Security-Auditing: (no user): no domain: DC2.CENSORED.com: A Kerberos service ticket was requested. Account Information: Account Name: [email protected] Account Domain: CENSORED.COM Logon GUID: {00000000-0000-0000-0000-000000000000} Service Information: Service Name: krbtgt/CENSORED.COM Service ID: S-1-0-0 Network Information: Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: 0x60810010 Ticket Encryption Type: 0xffffffff Failure Code: 0xe Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120.
Thank you in advance for your assistance. I'd also love to submit
this rule for the next version--don't know how that would work.
For reference to Kerberos:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/a487286d-bd35-4e5b-8c60-761565fe29b5/
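Added example (mine, not from the original post or from OSSEC): a small Python parser for the one-line WinEvtLog 4769 event quoted above, plus a triage function that does what the local rule is meant to do, demoting Failure Code 0xe (KDC_ERR_ETYPE_NOSUPP, RFC 4120) while leaving every other failure code at its normal level. The sample lines, host, account and domain names are constructed placeholders.

```python
import re

# Constructed sample in the WinEvtLog 4769 format quoted in the post;
# host, account and domain are placeholders, not real values.
SAMPLE_NOSUPP = (
    "WinEvtLog: Security: AUDIT_FAILURE(4769): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: DC2.EXAMPLE.com: A Kerberos service ticket was requested. "
    "Account Information: Account Name: user@EXAMPLE.COM Account Domain: EXAMPLE.COM "
    "Logon GUID: {00000000-0000-0000-0000-000000000000} Service Information: "
    "Service Name: krbtgt/EXAMPLE.COM Service ID: S-1-0-0 Network Information: "
    "Client Address: ::1 Client Port: 0 Additional Information: "
    "Ticket Options: 0x60810010 Ticket Encryption Type: 0xffffffff "
    "Failure Code: 0xe Transited Services: -"
)
# Same event with failure code 0x12 (18 = KDC_ERR_CLIENT_REVOKED in RFC 4120):
# a genuine failure that must keep its normal alert level.
SAMPLE_REVOKED = SAMPLE_NOSUPP.replace("Failure Code: 0xe", "Failure Code: 0x12")

# Fields worth pulling out of the single-line event; every value is whitespace-free.
FIELD_RE = {
    "event_id": r"AUDIT_FAILURE\((\d+)\)",
    "account": r"Account Name:\s*(\S+)",
    "service": r"Service Name:\s*(\S+)",
    "client": r"Client Address:\s*(\S+)",
    "etype": r"Ticket Encryption Type:\s*(0x[0-9a-fA-F]+)",
    "failure": r"Failure Code:\s*(0x[0-9a-fA-F]+)",
}

KDC_ERR_ETYPE_NOSUPP = 0x0E  # RFC 4120 error 14: KDC does not support the requested etype


def parse_4769(line):
    """Extract the interesting fields; a missing field comes back as None."""
    out = {}
    for key, pat in FIELD_RE.items():
        m = re.search(pat, line)
        out[key] = m.group(1) if m else None
    return out


def triage(line):
    """Mirror the local rule: demote 0xe to noise, leave every other 4769 failure alone."""
    ev = parse_4769(line)
    if ev["event_id"] != "4769" or ev["failure"] is None:
        return "not_4769_failure"
    # Parsing the hex as an int makes '0xE' and '0xe' compare equal, so one check
    # covers both spellings that the post's <match> lists.
    if int(ev["failure"], 16) == KDC_ERR_ETYPE_NOSUPP:
        return "level1_etype_nosupp"  # legacy client noise; the 118139 case
    return "keep_parent_rule"  # real failure; stays on the generic 4769 rule
```

Feeding the same archive.log line to this parser and to ossec-logtest lets you confirm the field the rule keys on is really present in the text the live decoder hands to the rule engine.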