On Tue, Jun 28, 2011 at 4:29 PM, Chad Hammond <[email protected]> wrote:
> Ok here is an error message that I get when I try and start the service. I
> also attached the rules that I modified to fit your suggestion as I
> understood.
> Please let me know if I am missing something.
>
> Thanks again.
>
> Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
> 2011/06/28 15:26:13 rules_op: Invalid root element "rule".Only "group" is
> allowed
> 2011/06/28 15:26:13 ossec-testrule(1220): ERROR: Error loading the rules:
> 'ESX_Ignore_Rule1.xml'.
> ossec-analysisd: Configuration error. Exiting.
>
>
You need something like "<group name="local">" around the rules, just like all the rest of the rule files.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Chad Hammond
> Sent: Tuesday, June 28, 2011 3:12 PM
> To: [email protected]
> Subject: RE: [ossec-list] Email filter
>
> I will give it a try then. I was just curious. I will post something when I
> get this updated.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Tuesday, June 28, 2011 3:07 PM
> To: [email protected]
> Subject: Re: [ossec-list] Email filter
>
> Hi Chad,
>
> On Tue, Jun 28, 2011 at 4:02 PM, Chad Hammond
> <[email protected]> wrote:
>> Here is the full email. So you think the number is 18139 instead of 18152?
>>
>
> Not in your email example it isn't. But if 18139 doesn't fire, 18152
> won't be triggered. At least by these alerts. You can always try what
> you had again, but without the "$" character.
>
>> OSSEC HIDS Notification.
>> 2011 Jun 28 14:56:06
>>
>> Received From: (MNDC2) 10.0.0.52->WinEvtLog
>> Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
>> Portion of the log(s):
>>
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: _ryan User ID: %{S-1-5-21-1995130590-1722771374-355810188-12042} Service Name: krbtgt/NORTHLAND Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.10
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.114
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.114
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: MNESX3$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11843} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.113
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: MNESX3$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11843} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.113
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of dan (ddp)
>> Sent: Tuesday, June 28, 2011 2:09 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] Email filter
>>
>> Rule 1:
>> <rule id="100101" level="0">
>>   <if_sid>18152</if_sid> <!-- ossec-logtest shows this as 18139 on
>>   my system, but 18152 might work if there is more than 1 log event -->
>>   <match>Pre-authentication failed: User Name: MNESX1$ </match> <!-- The $ will be interpreted as the end of line character -->
>>   <description>Events ignored</description>
>> </rule>
>>
>> Maybe try:
>>
>> <rule id="100101" level="0">
>>   <if_sid>18139</if_sid>
>>   <id>675</id>
>>   <match>User Name: MNESX2</match>
>>   <description>Events ignored</description>
>> </rule>
>>
>>
>> On Tue, Jun 28, 2011 at 2:46 PM, Chad Hammond
>> <[email protected]> wrote:
>>> Hello, I would like to filter the following email out, which I copied below.
>>> I also attached a custom rule that I created, and it doesn't seem to be
>>> filtering all the emails out. I actually created 4 rules because there are
>>> 4 user accounts that I want to filter: mnesx1$, mnesx2$, mnesx3$ and
>>> mnesx4. Any assistance on what I am doing wrong would be greatly
>>> appreciated.
>>>
>>> Thanks.
>>>
>>>
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: _Varonis User ID: %{S-1-5-21-1995130590-1722771374-355810188-12480} Service Name: krbtgt/northlandgroup.com Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.106
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.114
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.114
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
>>> Chad Hammond
>>> Systems Administrator
>>> Northland Group
>>> 7831 Glenroy Rd
>>> Edina MN 55439
>>> Direct: 952-837-0625
>>> ________________________________
>>> THIS MESSAGE, INCLUDING ANY ATTACHMENTS, IS CONFIDENTIAL AND PROPRIETARY, AND MAY CONTAIN PRIVILEGED INFORMATION. IF YOU HAVE RECEIVED THIS TRANSMISSION IN ERROR, PLEASE NOTIFY THE SENDER BY RETURN E-MAIL AND DELETE THIS MESSAGE FROM YOUR SYSTEM. ANY UNAUTHORIZED USE OF THIS MESSAGE, IN WHOLE OR IN PART, IS STRICTLY PROHIBITED. PLEASE NOTE THAT EMAILS ARE SUSCEPTIBLE TO TAMPERING. NORTHLAND GROUP, INC. SHALL NOT BE LIABLE FOR THE IMPROPER OR INCOMPLETE TRANSMISSION OF THE INFORMATION CONTAINED IN THIS COMMUNICATION, NOR FOR ANY DELAY IN ITS RECEIPT OR DAMAGE TO YOUR SYSTEM. NORTHLAND GROUP, INC. DOES NOT GUARANTEE THAT THE INTEGRITY OF THIS COMMUNICATION HAS BEEN MAINTAINED, NOR THAT THIS COMMUNICATION IS FREE FROM VIRUSES, INTERCEPTIONS OR INTERFERENCE
>>>
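The two fixes the thread arrives at, a `<group>` root element around the rules (the cause of the `Invalid root element "rule"` error) and dropping the trailing `$` that OSSEC's `<match>` and `<regex>` read as an end-of-string anchor, combined into one rule file. This is an added example, not a file posted by either participant. It goes beyond the four separate rules Chad described by covering all four ESX machine accounts with a single `<regex>`; it assumes the host names are exactly MNESX1 through MNESX4 (hence `MNESX\d`), uses `\p`, OSSEC's punctuation class, to stand in for the literal `$` of a machine account name, keeps dan's `<if_sid>18139</if_sid>` and `<id>675</id>`, and adds a `Failure Code: 0x19` clause that is not in the thread: 0x19 is KDC_ERR_PREAUTH_REQUIRED, the KDC's routine "retry with pre-authentication" reply, whereas 0x18 (KDC_ERR_PREAUTH_FAILED, a wrong password) for the same accounts should still reach the frequency rule and the mailbox.

```xml
<!-- ESX_Ignore_Rule1.xml (or appended to local_rules.xml). The file must be
     listed in ossec.conf under <rules><include>...</include></rules>, and every
     OSSEC rule file needs exactly one <group> root element: a bare <rule> at
     the top level is what produced
       rules_op: Invalid root element "rule".Only "group" is allowed
     in the thread. -->
<group name="local,windows,">

  <!-- Silence the Kerberos pre-authentication "failures" (event 675) that the
       four ESX hosts' machine accounts generate on every ticket request.

       * if_sid 18139 is the rule ossec-logtest reported for these events;
         a level-0 child of it stops the event from feeding the frequency
         rule 18152 ("Multiple Windows Logon Failures"), which is the rule
         actually sending the email.
       * <id> matches the Windows event ID the WinEvtLog decoder extracts.
       * In OSSEC regex syntax \d is one digit and \p is one punctuation
         character, which covers the '$' suffix of a machine account. Writing
         a literal '$' here would be read as an end-of-string anchor and the
         rule would never match (the bug in the original rule).
       * Scoping on Failure Code 0x19 (KDC_ERR_PREAUTH_REQUIRED, the normal
         first step of a Kerberos AS exchange) is an addition beyond the
         thread: a 0x18 (KDC_ERR_PREAUTH_FAILED, bad password) for MNESX1$
         does not match this rule and is still alerted on. -->
  <rule id="100101" level="0">
    <if_sid>18139</if_sid>
    <id>675</id>
    <regex>Pre-authentication failed: User Name: MNESX\d\p User ID</regex>
    <match>Failure Code: 0x19</match>
    <description>ESX host machine-account Kerberos pre-auth noise ignored</description>
  </rule>

</group>
```

To check the rule before restarting the service, paste one of the quoted `WinEvtLog:` lines into `/var/ossec/bin/ossec-logtest` and confirm the output ends with rule 100101 at level 0; then paste the `_ryan` line from the same alert and confirm it still ends on 18139, since that account is not covered and should keep counting toward 18152. If the check shows the event hitting a different parent rule on your install, change `<if_sid>` to that id rather than to 18152; a child of the frequency rule only fires after the email has already been queued.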
