This is my first experience adding an OSSEC rule, but it seems to have
worked. I was getting dozens of emails with similar audit failures to
the original post. This is a Windows Server 2008 system running SQL
Server 2008 Express only. I fixed it by adding an additional rule file
to ossec.conf and adding the following in a new file under
/var/ossec/rules/ that looks like this:
<group name="windows">
  <!-- Both rules are children of 18105 (Windows audit failure), so they
       only fire on audit-failure events. Level 1 keeps them out of email
       (default email_alert_level is 7) but still records them in alerts.log.
       Note: OSSEC reserves ids 100000-119999 for user-defined rules; the
       ids below are the ones the poster used. -->
  <rule id="7780" level="1">
    <category>windows</category>
    <if_sid>18105</if_sid>
    <match>The Windows Filtering Platform has blocked a packet</match>
    <description>Windows Filtering Platform blocked a packet (noise, downgraded).</description>
  </rule>
  <rule id="7781" level="1">
    <category>windows</category>
    <if_sid>18105</if_sid>
    <match>The Windows Filtering Platform has blocked a bind to a local port</match>
    <description>Windows Filtering Platform blocked a bind to a local port (noise, downgraded).</description>
  </rule>
</group>
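For comparison, here is the same suppression written the way OSSEC's own documentation lays it out: rule ids in the user-defined range (100000-119999), a non-empty description on every rule, and the `<include>` entry that makes the file load. This is an added example, not the poster's configuration; it assumes the stock OSSEC layout (/var/ossec/etc/ossec.conf, rules in /var/ossec/rules/) and a file name of local_rules.xml, which a default install already includes.

```xml
<!-- /var/ossec/etc/ossec.conf: inside the <rules> section, after the
     shipped rule files. Add this line only if local_rules.xml is not
     already listed (a default install lists it last). -->
<ossec_config>
  <rules>
    <include>rules_config.xml</include>
    <include>msauth_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>

<!-- /var/ossec/rules/local_rules.xml -->
<group name="local,windows,">
  <!-- Child of 18105 (Windows audit failure): only audit-failure events
       reach these rules, so unrelated log lines are never matched. -->
  <rule id="100010" level="1">
    <if_sid>18105</if_sid>
    <match>The Windows Filtering Platform has blocked a packet</match>
    <description>WFP blocked a packet (expected on this SQL Express host).</description>
  </rule>

  <rule id="100011" level="1">
    <if_sid>18105</if_sid>
    <match>The Windows Filtering Platform has blocked a bind to a local port</match>
    <description>WFP blocked a bind to a local port (expected on this SQL Express host).</description>
  </rule>

  <!-- Variant: keep the event out of alerts.log entirely rather than
       merely below the email threshold. no_log is an OSSEC rule option. -->
  <rule id="100012" level="1">
    <if_sid>18105</if_sid>
    <match>The Windows Filtering Platform has blocked a connection</match>
    <options>no_log</options>
    <description>WFP blocked a connection; suppressed, not logged.</description>
  </rule>
</group>
```

Before restarting OSSEC, verify the rules with /var/ossec/bin/ossec-logtest: run it, paste one of the offending Windows event lines exactly as it appears in the agent log, and confirm the output shows the new rule id and level 1 rather than 18105 at level 3. If the test still reports 18105, the `<match>` text does not appear verbatim in the event (watch for wrapped lines or a trailing period) and should be adjusted before going live.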