Rule 1:

<rule id="100101" level="0">
  <if_sid>18152</if_sid>  <!-- ossec-logtest shows this as 18139 on my system, but 18152 might work if there is more than one log event -->
  <match>Pre-authentication failed: User Name: MNESX1$ </match>  <!-- The $ will be interpreted as the end of line character -->
  <description>Events ignored</description>
</rule>
Maybe try:

<rule id="100101" level="0">
  <if_sid>18139</if_sid>
  <id>675</id>
  <match>User Name: MNESX2</match>
  <description>Events ignored</description>
</rule>

On Tue, Jun 28, 2011 at 2:46 PM, Chad Hammond <[email protected]> wrote:
> Hello, I would like to filter the following email out, which I copied below. I
> also attached custom rules that I created, which don't seem to be filtering
> all the emails out. I actually created 4 rules because there are 4 user
> accounts that I want to filter: mnesx1$, mnesx2$, mnesx3$ and mnesx4. Any
> assistance on what I am doing wrong would be greatly appreciated.
>
> Thanks.
>
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: _Varonis User ID: %{S-1-5-21-1995130590-1722771374-355810188-12480} Service Name: krbtgt/northlandgroup.com Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.106
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.114
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.114
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
>
> Chad Hammond
> Systems Administrator
> Northland Group
> 7831 Glenroy Rd
> Edina MN 55439
> Direct: 952-837-0625
> ________________________________
> THIS MESSAGE, INCLUDING ANY ATTACHMENTS, IS CONFIDENTIAL AND PROPRIETARY, AND
> MAY CONTAIN PRIVILEGED INFORMATION. IF YOU HAVE RECEIVED THIS TRANSMISSION IN
> ERROR, PLEASE NOTIFY THE SENDER BY RETURN E-MAIL AND DELETE THIS MESSAGE FROM
> YOUR SYSTEM. ANY UNAUTHORIZED USE OF THIS MESSAGE, IN WHOLE OR IN PART, IS
> STRICTLY PROHIBITED. PLEASE NOTE THAT EMAILS ARE SUSCEPTIBLE TO TAMPERING.
> NORTHLAND GROUP, INC. SHALL NOT BE LIABLE FOR THE IMPROPER OR INCOMPLETE
> TRANSMISSION OF THE INFORMATION CONTAINED IN THIS COMMUNICATION, NOR FOR ANY
> DELAY IN ITS RECEIPT OR DAMAGE TO YOUR SYSTEM. NORTHLAND GROUP, INC. DOES NOT
> GUARANTEE THAT THE INTEGRITY OF THIS COMMUNICATION HAS BEEN MAINTAINED, NOR
> THAT THIS COMMUNICATION IS FREE FROM VIRUSES, INTERCEPTIONS OR INTERFERENCE
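To see why the first rule never fires and what a per-account filter should key on, here is an added example that is not code from the thread or from OSSEC. It replays three of the quoted 675 events plus two constructed lines (an interactive user "jsmith" and an event 529 for MNESX1$, both invented for the demo) through Python's re module. Python's "$" is an end-of-string anchor, which is the reading the reply gives for "$" in an OSSEC <match>, so the anchored/escaped/dropped comparison is illustrative only; OSSEC's own matcher is not used. The IGNORED_ACCOUNTS set, the should_ignore logic and the case-folding are assumptions about what the poster wants, not anything OSSEC does.

```python
"""Replay of the Kerberos pre-authentication (event 675) lines from the thread.

Added example, not code from the thread or from OSSEC.  Python's re module is
used only because its '$' is an end-of-string anchor, the same reading the
reply gives for '$' in an OSSEC <match>; OSSEC's own matcher is not involved.
"""
import re

# Three events copied in shape from the thread, plus two constructed lines
# (an interactive user and an event 529) that a correct filter must NOT swallow.
SAMPLE_EVENTS = [
    "WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.112",
    "WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: _Varonis User ID: %{S-1-5-21-1995130590-1722771374-355810188-12480} Service Name: krbtgt/northlandgroup.com Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.106",
    "WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.114",
    # constructed: a real user failing pre-auth on the same DC (must still alert)
    "WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: jsmith User ID: %{S-1-5-21-1995130590-1722771374-355810188-1105} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x18 Client Address: 10.0.0.50",
    # constructed: same machine account, different event ID (must still alert)
    "WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: MNDC2: Logon Failure: Reason: Unknown user name or bad password User Name: MNESX1$ Domain: NORTHLANDGROUP Logon Type: 3 Logon Process: Kerberos Workstation Name: - Caller User Name: - Source Network Address: 10.0.0.111",
]

# The four machine accounts the poster wants silenced (assumption: "mnesx4" in
# the post means MNESX4$, the form that appears in the events).
IGNORED_ACCOUNTS = {"MNESX1$", "MNESX2$", "MNESX3$", "MNESX4$"}

EVENT_ID_RE = re.compile(r"AUDIT_FAILURE\((?P<event_id>\d+)\)")
USER_NAME_RE = re.compile(r"User Name:\s+(?P<user>\S+)")


def pattern_fires(match_pattern, line):
    """Apply a <match>-style pattern with re.search (unanchored unless it says so)."""
    return re.search(match_pattern, line) is not None


def parse_event(line):
    """Return (event_id, user_name) from a WinEvtLog audit-failure line, or None."""
    id_match = EVENT_ID_RE.search(line)
    user_match = USER_NAME_RE.search(line)
    if id_match is None or user_match is None:
        return None
    return int(id_match.group("event_id")), user_match.group("user")


def should_ignore(line):
    """Equivalent of the level-0 rule: event 675 AND one of the listed accounts."""
    parsed = parse_event(line)
    if parsed is None:
        return False
    event_id, user = parsed
    # Case-folded because the poster typed the names in lower case (assumption).
    return event_id == 675 and user.upper() in IGNORED_ACCOUNTS


def triage(lines):
    """Split lines into (silenced, still_alerting) under should_ignore."""
    silenced = [line for line in lines if should_ignore(line)]
    alerting = [line for line in lines if not should_ignore(line)]
    return silenced, alerting


if __name__ == "__main__":
    first = SAMPLE_EVENTS[0]
    # The original pattern: '$' anchors, but the line continues after MNESX2$.
    print("anchored 'User Name: MNESX2$'  ->", pattern_fires(r"User Name: MNESX2$", first))
    # Escaped, the dollar is a literal character and the pattern hits.
    print("escaped  'User Name: MNESX2\\$' ->", pattern_fires(r"User Name: MNESX2\$", first))
    # Dropping it, as the reply suggests, also hits.
    print("dropped  'User Name: MNESX2'   ->", pattern_fires(r"User Name: MNESX2", first))
    silenced, alerting = triage(SAMPLE_EVENTS)
    for line in alerting:
        print("still alerts:", parse_event(line))
```

Keying the decision on the parsed event ID and the User Name field, rather than on a substring of the whole line, is what keeps the _Varonis and jsmith failures (and any non-675 event for the same accounts) visible while only the four machine accounts are silenced.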
