Hi Chad,
On Tue, Jun 28, 2011 at 4:02 PM, Chad Hammond
<[email protected]> wrote:
> Here is the full email. So you think the number is 18139 instead of 18152?
>
Not in your email example it isn't. But if 18139 doesn't fire 18152
won't be triggered. At least by these alerts. You can always try what
you had again, but without the "$" character.
> OSSEC HIDS Notification.
> 2011 Jun 28 14:56:06
>
> Received From: (MNDC2) 10.0.0.52->WinEvtLog
> Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
> Portion of the log(s):
>
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
> MNDC2: Pre-authentication failed: User Name: _ryan User ID:
> %{S-1-5-21-1995130590-1722771374-355810188-12042} Service Name:
> krbtgt/NORTHLAND Pre-Authentication Type: 0x0 Failure
> Code: 0x19 Client Address: 10.0.0.10
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
> MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID:
> %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name:
> krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
> Failure Code: 0x19 Client Address: 10.0.0.114
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
> MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID:
> %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name:
> krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
> Failure Code: 0x19 Client Address: 10.0.0.114
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
> MNDC2: Pre-authentication failed: User Name: MNESX3$ User ID:
> %{S-1-5-21-1995130590-1722771374-355810188-11843} Service Name:
> krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
> Failure Code: 0x19 Client Address: 10.0.0.113
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
> MNDC2: Pre-authentication failed: User Name: MNESX3$ User ID:
> %{S-1-5-21-1995130590-1722771374-355810188-11843} Service Name:
> krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
> Failure Code: 0x19 Client Address: 10.0.0.113
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
> LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User
> ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service
> Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
> Failure Code: 0x19 Client Address: 10.0.0.112
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
> LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User
> ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service
> Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
> Failure Code: 0x19 Client Address: 10.0.0.112
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Tuesday, June 28, 2011 2:09 PM
> To: [email protected]
> Subject: Re: [ossec-list] Email filter
>
> Rule 1:
> <rule id="100101" level="0">
>   <if_sid>18152</if_sid>
>   <!-- ossec-logtest shows this as 18139 on my system, but 18152 might
>        work if there are more than 1 log events -->
>   <match>Pre-authentication failed: User Name: MNESX1$</match>
>   <!-- The $ will be interpreted as the end of line character -->
>   <description>Events ignored</description>
> </rule>
>
> Maybe try:
>
> <rule id="100101" level="0">
>   <if_sid>18139</if_sid>
>   <id>675</id>
>   <match>User Name: MNESX2</match>
>   <description>Events ignored</description>
> </rule>
>
>
> On Tue, Jun 28, 2011 at 2:46 PM, Chad Hammond
> <[email protected]> wrote:
>> Hello, I would like to filter out the following email, which I copied below. I
>> also attached custom rules that I created, and they don't seem to be filtering
>> all the emails out. I actually created 4 rules because there are 4 user
>> accounts that I want to filter, mnesx1$, mnesx2$, mnesx3$ and mnesx4. Any
>> assistance on what I am doing wrong would be greatly appreciated.
>>
>> Thanks.
>>
>>
>>
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>> LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User
>> ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service
>> Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
>> Failure Code: 0x19 Client Address: 10.0.0.112
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>> LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User
>> ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service
>> Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
>> Failure Code: 0x19 Client Address: 10.0.0.112
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>> LOMBARDO: Pre-authentication failed: User Name: _Varonis User
>> ID: %{S-1-5-21-1995130590-1722771374-355810188-12480} Service
>> Name: krbtgt/northlandgroup.com Pre-Authentication Type: 0x0
>> Failure Code: 0x19 Client Address: 10.0.0.106
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>> MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID:
>> %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name:
>> krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
>> Failure Code: 0x19 Client Address: 10.0.0.114
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>> MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID:
>> %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name:
>> krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
>> Failure Code: 0x19 Client Address: 10.0.0.114
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>> LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User
>> ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service
>> Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
>> Failure Code: 0x19 Client Address: 10.0.0.112
>> Chad Hammond
>> Systems Administrator
>> Northland Group
>> 7831 Glenroy Rd
>> Edina MN 55439
>> Direct: 952-837-0625
>> ________________________________
>> THIS MESSAGE, INCLUDING ANY ATTACHMENTS, IS CONFIDENTIAL AND PROPRIETARY,
>> AND MAY CONTAIN PRIVILEGED INFORMATION. IF YOU HAVE RECEIVED THIS
>> TRANSMISSION IN ERROR, PLEASE NOTIFY THE SENDER BY RETURN E-MAIL AND DELETE
>> THIS MESSAGE FROM YOUR SYSTEM. ANY UNAUTHORIZED USE OF THIS MESSAGE, IN
>> WHOLE OR IN PART, IS STRICTLY PROHIBITED. PLEASE NOTE THAT EMAILS ARE
>> SUSCEPTIBLE TO TAMPERING. NORTHLAND GROUP, INC. SHALL NOT BE LIABLE FOR THE
>> IMPROPER OR INCOMPLETE TRANSMISSION OF THE INFORMATION CONTAINED IN THIS
>> COMMUNICATION, NOR FOR ANY DELAY IN ITS RECEIPT OR DAMAGE TO YOUR SYSTEM.
>> NORTHLAND GROUP, INC. DOES NOT GUARANTEE THAT THE INTEGRITY OF THIS
>> COMMUNICATION HAS BEEN MAINTAINED, NOR THAT THIS COMMUNICATION IS FREE FROM
>> VIRUSES, INTERCEPTIONS OR INTERFERENCE
>>
> Chad Hammond
> Systems Administrator
> Northland Group
> 7831 Glenroy Rd
> Edina MN 55439
> Direct: 952-837-0625
>
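The two points dan makes above (a trailing "$" in <match> is an end-of-line anchor, so the ignore rule never matches the event 675 line, and an ignore rule must hang off the per-event rule 18139 because 18152 only fires from events that 18139 still owns) can be checked against the quoted log lines with a small simulation. This is an added example written for this page, not OSSEC code and not either poster's rules verbatim: the anchor semantics, the "level-0 child replaces the parent" behaviour and the way the frequency rule counts are all simplified stand-ins, the stock bodies and thresholds of rules 18139/18152 are not reproduced, and the seven sample lines are reconstructed from the alert quoted above.

```python
"""Toy model of the OSSEC behaviours this thread turns on (added example; not
OSSEC code and not the rules posted in the thread).  Assumptions, not the real
engine: <match> is a literal substring test where a leading '^' anchors the
start and a trailing '$' the end of the line; a level-0 <if_sid> child becomes
the event's final rule; a frequency rule counts only events whose final rule is
the sid it watches.  Rule 18139/18152 bodies, thresholds and timeframes below
are stand-ins, not the stock definitions.
"""
import re


def win_event(host, user, rid, addr):
    """One event 675 line in the shape quoted in the thread (constructed data)."""
    return ("WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: "
            f"{host}: Pre-authentication failed: User Name: {user} User ID: "
            f"%{{S-1-5-21-1995130590-1722771374-355810188-{rid}}} Service Name: "
            "krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 "
            f"Client Address: {addr}")


# Constructed sample: the seven events from the alert quoted above, one per line.
SAMPLE_LOGS = [win_event(*fields) for fields in [
    ("MNDC2", "_ryan", "12042", "10.0.0.10"),
    ("MNDC2", "MNESX4$", "11842", "10.0.0.114"), ("MNDC2", "MNESX4$", "11842", "10.0.0.114"),
    ("MNDC2", "MNESX3$", "11843", "10.0.0.113"), ("MNDC2", "MNESX3$", "11843", "10.0.0.113"),
    ("LOMBARDO", "MNESX2$", "11844", "10.0.0.112"), ("LOMBARDO", "MNESX2$", "11844", "10.0.0.112"),
]]

EVENT_ID_RE = re.compile(r"AUDIT_FAILURE\((\d+)\)")  # stand-in for the decoder's <id> field


def os_match(pattern, line):
    """Approximate <match>: '^' / '$' at the ends are anchors, the rest is a literal."""
    start, end = pattern.startswith("^"), pattern.endswith("$")
    literal = pattern[int(start):len(pattern) - int(end)]
    if start and end:
        return line == literal
    if start:
        return line.startswith(literal)
    if end:
        return line.endswith(literal)
    return literal in line


def rule(rid, level, match=None, if_sid=None, event_id=None, frequency=None):
    return {"id": rid, "level": level, "match": match, "if_sid": if_sid,
            "event_id": event_id, "frequency": frequency}


def final_rule(line, rules):
    """Matching base rule, replaced by the first matching <if_sid> child (if any)."""
    m = EVENT_ID_RE.search(line)
    event_id = m.group(1) if m else None
    owner = None
    for r in rules:
        if r["if_sid"] is None and not r["frequency"] and os_match(r["match"], line):
            owner = r["id"]
            break
    if owner is None:
        return None
    for r in rules:
        if r["frequency"] or r["if_sid"] != owner:
            continue
        if r["event_id"] is not None and r["event_id"] != event_id:
            continue
        if r["match"] is None or os_match(r["match"], line):
            return r["id"]
    return owner


def fired_rule_ids(lines, rules):
    """Rule id reported per line; a frequency rule takes over once `frequency`
    events owned by its parent have been seen (timeframe ignored in this toy)."""
    counts, fired = {}, []
    for line in lines:
        owner = final_rule(line, rules)
        if owner is None:
            fired.append(None)
            continue
        counts[owner] = counts.get(owner, 0) + 1
        reported = owner
        for r in rules:
            if r["frequency"] and r["if_sid"] == owner and counts[owner] >= r["frequency"]:
                reported = r["id"]
        fired.append(reported)
    return fired


# Stand-ins for the stock rules: one per failed logon, and a frequency rule on top of it.
BASE_RULES = [rule(18139, 5, match="Pre-authentication failed"),
              rule(18152, 10, if_sid=18139, frequency=5)]

# Shape of the rules that did not work: the trailing '$' is an end-of-line anchor and
# the line continues with " User ID: ...", so none of the four accounts is ever ignored.
BROKEN_IGNORE = [rule(100100 + n, 0, if_sid=18139, event_id="675",
                      match=f"Pre-authentication failed: User Name: MNESX{n}$") for n in range(1, 5)]

# dan's suggestion: no '$', plain substring on the account name, one rule per account.
FIXED_IGNORE = [rule(100100 + n, 0, if_sid=18139, event_id="675",
                     match=f"User Name: MNESX{n}") for n in range(1, 5)]
```

Calling `fired_rule_ids(SAMPLE_LOGS, BASE_RULES + BROKEN_IGNORE)` leaves all seven events on 18139 and the stand-in 18152 takes over from the fifth event on, which is the "Multiple Windows Logon Failures" alert Chad kept receiving; with `FIXED_IGNORE` the six computer-account events end on level-0 rules 100102..100104, only the `_ryan` failure stays on 18139, and 18152 never reaches its count. Two caveats worth keeping in mind when writing the real rule: a plain substring such as `User Name: MNESX2` would also match an account named `MNESX20`, so check the account list before relying on it, and this toy does not model a child rule hanging off the frequency rule itself, which is the case dan says "might work if there are more than 1 log events".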