Hi Chad,
<rule id="200000" level="1">
<if_sid>18105</if_sid>
<match>The Windows Filtering Platform has blocked a packet</match>
<description>Ignore WFP packet drops</description>
</rule>
On Fri, Jun 17, 2011 at 2:42 PM, Chad <[email protected]> wrote:
> Hey guys, I know this has been covered at least a dozen times on the
> board, but I can't for the life of me figure this out. I'm hoping
> someone can help. I am trying to suppress alerts from "Multiple
> Windows audit failure events." Below I have posted the entire alert:
>
>
> Rule: 18153 fired (level 10) -> "Multiple Windows audit failure
> events."
> Portion of the log(s):
>
> WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-
> Auditing: (no user): no domain: ********.com: The Windows Filtering
> Platform has blocked a packet. Application Information: Process
> ID: 0 Application Name: - Network Information: Direction:
> %%14592 Source Address: 172.22.128.3 Source Port: 2727
> Destination Address: 255.255.255.255 Destination Port: 48002
> Protocol: 17 Filter Information: Filter Run-Time ID: 65606
> Layer Name: %%14597 Layer Run-Time ID: 13
>
>
> I have written a rule, following instructions on the below URLs, to no
> avail.
>
>
> http://groups.google.com/group/ossec-list/browse_thread/thread/810b25f9e51ecde9/d6d870cc177b6ac0?lnk=gst&q=rule+18153#d6d870cc177b6ac0
>
> http://groups.google.com/group/ossec-list/browse_thread/thread/9c8f8f9d78c7fa48/6e1b23b8ed873cb6?lnk=gst&q=rule+18153#6e1b23b8ed873cb6
>
>
> Here is the rule I have written in local_rules currently:
>
> <rule id="100001" level="0">
> <if_sid>18105</if_sid>
> <match>^Microsoft Filtering Platform has dropped a packet</match>
> <description>Ignore WFP packet drops</description>
> </rule>
>
> I've tried changing the match tags to <regex>, using <srcip>, etc.,
> per the instructions from the links above, only to wind up with the
> same results.
>
> Next, I ran the event through ossec-logtest. Here are the results from
> it:
>
>
> WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-
> Auditing: (no user): no domain: ******.com: The Windows Filtering
> Platform has blocked a packet. Application Information: Process
> ID: 0 Application Name: - Network Information:
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> ********.com: The Windows Filtering Platform has blocked a packet.
> Application Information: Process ID: 0 Application
> Name: - Network Information: '
> hostname: 'ossec'
> program_name: '(null)'
> log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-
> Windows-Security-Auditing: (no user): no domain: ********.com: The
> Windows Filtering Platform has blocked a packet. Application
> Information: Process ID: 0 Application Name: -
> Network Information: '
>
> **Phase 2: Completed decoding.
> decoder: 'windows'
> status: 'AUDIT_FAILURE'
> id: '5152'
> extra_data: 'Microsoft-Windows-Security-Auditing'
> dstuser: '(no user)'
> system_name: '******'
>
> **Rule debugging:
> Trying rule: 6 - Generic template for all windows rules.
> *Rule 6 matched.
> *Trying child rules.
> Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
> Trying rule: 18100 - Group of windows rules.
> *Rule 18100 matched.
> *Trying child rules.
> Trying rule: 18101 - Windows informational event.
> Trying rule: 18102 - Windows warning event.
> Trying rule: 18104 - Windows audit success event.
> Trying rule: 18103 - Windows error event.
> Trying rule: 18105 - Windows audit failure event.
> *Rule 18105 matched.
> *Trying child rules.
> Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
> Trying rule: 100001 - Ignore WFP packet drops
> Trying rule: 18153 - Multiple Windows audit failure events.
> Trying rule: 18106 - Windows Logon Failure.
> Trying rule: 18139 - Windows DC Logon Failure.
> Trying rule: 18180 - MS SQL Server Logon Failure.
> Trying rule: 18108 - Failed attempt to perform a privileged
> operation.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '18105'
> Level: '4'
> Description: 'Windows audit failure event.'
> **Alert to be generated.
>
> I'm hoping someone can point me in the right direction on this. Thanks
> in advance!
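An added illustration, not part of this thread and not OSSEC's own code: a small Python approximation of how analysisd applies a rule's <match> string to the "log:" field that ossec-logtest prints, run against the event above with both rules' match strings. The simplified '^' / '$' / '|' handling and the assumption that <match> is tested against that field are mine.

```python
"""Toy re-implementation of OSSEC's <match> check (not OSSEC code), used to
show why rule 100001 in the thread never fires while the reply's rule does.
Assumed semantics: plain substring search, '^' anchors to the start of the
log, '$' to the end, '|' separates alternatives, and the string tested is
the 'log:' field shown in ossec-logtest's Phase 1 output."""

# The 'log:' field from the Phase 1 output in the thread, unwrapped.
SAMPLE_LOG = (
    "WinEvtLog: Security: AUDIT_FAILURE(5152): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "********.com: The Windows Filtering Platform has blocked a packet. "
    "Application Information: Process ID: 0 Application Name: - "
    "Network Information: "
)

# <match> strings from the two rules quoted in the thread.
CHAD_MATCH = "^Microsoft Filtering Platform has dropped a packet"
REPLY_MATCH = "The Windows Filtering Platform has blocked a packet"


def ossec_match(pattern: str, log: str) -> bool:
    """Approximate OSSEC <match>: true if any '|'-separated alternative hits."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        text = alt.lstrip("^").rstrip("$")
        if anchored_start and anchored_end:
            hit = log == text
        elif anchored_start:
            hit = log.startswith(text)
        elif anchored_end:
            hit = log.endswith(text)
        else:
            hit = text in log
        if hit:
            return True
    return False


def explain(pattern: str, log: str) -> dict:
    """Report whether a single-alternative pattern matches and why it might not."""
    text = pattern.lstrip("^").rstrip("$")
    return {
        "matches": ossec_match(pattern, log),
        "text_present": text in log,            # is the literal even in the log?
        "anchored_start": pattern.startswith("^"),  # '^' needs the log to begin with it
    }


if __name__ == "__main__":
    for name, pat in (("100001 (Chad)", CHAD_MATCH), ("200000 (reply)", REPLY_MATCH)):
        print(name, explain(pat, SAMPLE_LOG))
```

Rule 100001 fails twice over: the literal text is not in the event, and the '^' anchor would require the log to start with it, whereas the log field begins with "WinEvtLog: Security:".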