I am getting this error now below. There are only 7 lines so I am not sure I 
guess.


Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
2011/06/28 15:48:51 ossec-analysisd(1226): ERROR: Error reading XML file 
'rules//ESX_Ignore_Rule1.xml': XML ERR: End of file and some elements were not 
closed (line 8).
2011/06/28 15:48:51 ossec-testrule(1220): ERROR: Error loading the rules: 
'ESX_Ignore_Rule1.xml'.
ossec-analysisd: Configuration error. Exiting.


<group name="local">
<rule id="100101" level="0">
  <if_sid>18139</if_sid>
   <id>675</id>
   <match>User Name: MNESX1</match>
   <description>Events ignored</description>
</rule>



-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of dan (ddp)
Sent: Tuesday, June 28, 2011 3:43 PM
To: [email protected]
Subject: Re: [ossec-list] Email filter

On Tue, Jun 28, 2011 at 4:29 PM, Chad Hammond
<[email protected]> wrote:
> Ok here is an error message that I get when I try and start the service. I 
> also attached the rules that I modified to fit your suggestion as I 
> understood.
> Please let me know if I am missing something.
>
> Thanks again.
>
> Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
> 2011/06/28 15:26:13 rules_op: Invalid root element "rule".Only "group" is 
> allowed
> 2011/06/28 15:26:13 ossec-testrule(1220): ERROR: Error loading the rules: 
> 'ESX_Ignore_Rule1.xml'.
> ossec-analysisd: Configuration error. Exiting.
>
>
>

You need something like "<group name="local">" around the rules, just
like all the rest of the rule files.

>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of Chad Hammond
> Sent: Tuesday, June 28, 2011 3:12 PM
> To: [email protected]
> Subject: RE: [ossec-list] Email filter
>
> I will give it a try then. I was just curious. I will post something when I 
> get this updated.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of dan (ddp)
> Sent: Tuesday, June 28, 2011 3:07 PM
> To: [email protected]
> Subject: Re: [ossec-list] Email filter
>
> Hi Chad,
>
> On Tue, Jun 28, 2011 at 4:02 PM, Chad Hammond
> <[email protected]> wrote:
>> Here is the full email. So you think the number is 18139 instead of 18152?
>>
>
> Not in your email example it isn't. But if 18139 doesn't fire 18152
> won't be triggered. At least by these alerts. You can always try what
> you had again, but without the "$" character.
>
>> OSSEC HIDS Notification.
>> 2011 Jun 28 14:56:06
>>
>> Received From: (MNDC2) 10.0.0.52->WinEvtLog
>> Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
>> Portion of the log(s):
>>
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
>> MNDC2: Pre-authentication failed:      User Name: _ryan        User ID:      
>>   %{S-1-5-21-1995130590-1722771374-355810188-12042}       Service Name: 
>> krbtgt/NORTHLAND          Pre-Authentication Type: 0x0            Failure 
>> Code: 0x19      Client Address: 10.0.0.10
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
>> MNDC2: Pre-authentication failed:      User Name: MNESX4$      User ID:      
>>   %{S-1-5-21-1995130590-1722771374-355810188-11842}       Service Name: 
>> krbtgt/NORTHLANDGROUP.COM         Pre-Authentication Type: 0x0            
>> Failure Code: 0x19      Client Address: 10.0.0.114
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
>> MNDC2: Pre-authentication failed:      User Name: MNESX4$      User ID:      
>>   %{S-1-5-21-1995130590-1722771374-355810188-11842}       Service Name: 
>> krbtgt/NORTHLANDGROUP.COM         Pre-Authentication Type: 0x0            
>> Failure Code: 0x19      Client Address: 10.0.0.114
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
>> MNDC2: Pre-authentication failed:      User Name: MNESX3$      User ID:      
>>   %{S-1-5-21-1995130590-1722771374-355810188-11843}       Service Name: 
>> krbtgt/NORTHLANDGROUP.COM         Pre-Authentication Type: 0x0            
>> Failure Code: 0x19      Client Address: 10.0.0.113
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
>> MNDC2: Pre-authentication failed:      User Name: MNESX3$      User ID:      
>>   %{S-1-5-21-1995130590-1722771374-355810188-11843}       Service Name: 
>> krbtgt/NORTHLANDGROUP.COM         Pre-Authentication Type: 0x0            
>> Failure Code: 0x19      Client Address: 10.0.0.113
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
>> LOMBARDO: Pre-authentication failed:           User Name: MNESX2$      User 
>> ID:        %{S-1-5-21-1995130590-1722771374-355810188-11844}       Service 
>> Name: krbtgt/NORTHLANDGROUP.COM         Pre-Authentication Type: 0x0         
>>    Failure Code: 0x19      Client Address: 10.0.0.112
>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
>> LOMBARDO: Pre-authentication failed:           User Name: MNESX2$      User 
>> ID:        %{S-1-5-21-1995130590-1722771374-355810188-11844}       Service 
>> Name: krbtgt/NORTHLANDGROUP.COM         Pre-Authentication Type: 0x0         
>>    Failure Code: 0x19      Client Address: 10.0.0.112
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On 
>> Behalf Of dan (ddp)
>> Sent: Tuesday, June 28, 2011 2:09 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] Email filter
>>
>> Rule 1:
>>  <rule id="100101" level="0">
>>   <if_sid>18152</if_sid>  <!-- ossec-logtest shows this as 18139 on
>> my system, but 18152 might work if there are more than 1 log events
>> -->
>>   <match>Pre-authentication failed:            User Name: MNESX1$
>> </match> <!-- The $ will be interpreted as the end of line character
>> -->
>>   <description>Events ignored</description>
>>  </rule>
>>
>> Maybe try:
>>
>>  <rule id="100101" level="0">
>>   <if_sid>18139</if_sid>
>>   <id>675</id>
>>   <match>User Name: MNESX2</match>
>>   <description>Events ignored</description>
>>  </rule>
>>
>>
>> On Tue, Jun 28, 2011 at 2:46 PM, Chad Hammond
>> <[email protected]> wrote:
>>> Hello I would like to filter the following email out which I copied below. 
>>> I also attached a custom rules that I created and doesn't seem to be 
>>> filtering all the emails out. I actually created 4 rules because there are 
>>> 4 user accounts that I want to filter, mnesx1$, mnesx2$, mnesx3$ and 
>>> mnesx4. Any assistance on what I am doing wrong would be greatly 
>>> appreciated.
>>>
>>> Thanks.
>>>
>>>
>>>
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
>>> LOMBARDO: Pre-authentication failed:           User Name: MNESX2$      User 
>>> ID:        %{S-1-5-21-1995130590-1722771374-355810188-11844}       Service 
>>> Name: krbtgt/NORTHLANDGROUP.COM         Pre-Authentication Type: 0x0        
>>>     Failure Code: 0x19      Client Address: 10.0.0.112
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
>>> LOMBARDO: Pre-authentication failed:           User Name: MNESX2$      User 
>>> ID:        %{S-1-5-21-1995130590-1722771374-355810188-11844}       Service 
>>> Name: krbtgt/NORTHLANDGROUP.COM         Pre-Authentication Type: 0x0        
>>>     Failure Code: 0x19      Client Address: 10.0.0.112
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
>>> LOMBARDO: Pre-authentication failed:           User Name: _Varonis     User 
>>> ID:        %{S-1-5-21-1995130590-1722771374-355810188-12480}       Service 
>>> Name: krbtgt/northlandgroup.com         Pre-Authentication Type: 0x0        
>>>     Failure Code: 0x19      Client Address: 10.0.0.106
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
>>> MNDC2: Pre-authentication failed:      User Name: MNESX4$      User ID:     
>>>    %{S-1-5-21-1995130590-1722771374-355810188-11842}       Service Name: 
>>> krbtgt/NORTHLANDGROUP.COM         Pre-Authentication Type: 0x0            
>>> Failure Code: 0x19      Client Address: 10.0.0.114
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
>>> MNDC2: Pre-authentication failed:      User Name: MNESX4$      User ID:     
>>>    %{S-1-5-21-1995130590-1722771374-355810188-11842}       Service Name: 
>>> krbtgt/NORTHLANDGROUP.COM         Pre-Authentication Type: 0x0            
>>> Failure Code: 0x19      Client Address: 10.0.0.114
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: 
>>> LOMBARDO: Pre-authentication failed:           User Name: MNESX2$      User 
>>> ID:        %{S-1-5-21-1995130590-1722771374-355810188-11844}       Service 
>>> Name: krbtgt/NORTHLANDGROUP.COM         Pre-Authentication Type: 0x0        
>>>     Failure Code: 0x19      Client Address: 10.0.0.112
>>> Chad Hammond
>>> Systems Administrator
>>> Northland Group
>>> 7831 Glenroy Rd
>>> Edina MN 55439
>>> Direct: 952-837-0625
>>> ________________________________
>>> THIS MESSAGE, INCLUDING ANY ATTACHMENTS, IS CONFIDENTIAL AND PROPRIETARY, 
>>> AND MAY CONTAIN PRIVILEGED INFORMATION. IF YOU HAVE RECEIVED THIS 
>>> TRANSMISSION IN ERROR, PLEASE NOTIFY THE SENDER BY RETURN E-MAIL AND DELETE 
>>> THIS MESSAGE FROM YOUR SYSTEM. ANY UNAUTHORIZED USE OF THIS MESSAGE, IN 
>>> WHOLE OR IN PART, IS STRICTLY PROHIBITED. PLEASE NOTE THAT EMAILS ARE 
>>> SUSCEPTIBLE TO TAMPERING. NORTHLAND GROUP, INC. SHALL NOT BE LIABLE FOR THE 
>>> IMPROPER OR INCOMPLETE TRANSMISSION OF THE INFORMATION CONTAINED IN THIS 
>>> COMMUNICATION, NOR FOR ANY DELAY IN ITS RECEIPT OR DAMAGE TO YOUR SYSTEM. 
>>> NORTHLAND GROUP, INC. DOES NOT GUARANTEE THAT THE INTEGRITY OF THIS 
>>> COMMUNICATION HAS BEEN MAINTAINED, NOR THAT THIS COMMUNICATION IS FREE FROM 
>>> VIRUSES, INTERCEPTIONS OR INTERFERENCE
>>
>
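Putting dan's two corrections together (wrap the rules in a `<group>`, and drop the trailing `$` from `<match>` because OSSEC reads it as an end-of-line anchor), here is an added example that is not part of the thread: a small Python check that catches the errors seen above before ossec-analysisd does. The rules text is constructed from the fixes discussed; the second rule id 100102 and the `lint_rules` helper are assumptions, not OSSEC's own code.

```python
# Added example (not from the ossec-list thread): lint a local OSSEC rules file
# for the mistakes discussed above before handing it to ossec-analysisd.
import xml.etree.ElementTree as ET

# Constructed rules file: the corrected version of ESX_Ignore_Rule1.xml, one
# rule per ESX host account, wrapped in <group> and with the trailing "$"
# dropped from the match string (in OSSEC's pattern syntax "$" anchors end of line).
GOOD_RULES = """<group name="local">
  <rule id="100101" level="0">
    <if_sid>18139</if_sid>
    <id>675</id>
    <match>User Name: MNESX1</match>
    <description>Events ignored</description>
  </rule>
  <rule id="100102" level="0">
    <if_sid>18139</if_sid>
    <id>675</id>
    <match>User Name: MNESX2</match>
    <description>Events ignored</description>
  </rule>
</group>
"""


def lint_rules(xml_text):
    """Return a list of problems found in an OSSEC rules file (empty if clean)."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        # Covers "End of file and some elements were not closed" (missing </group>)
        # and several bare <rule> elements with no wrapper at all.
        return ["XML not well-formed: %s" % err]
    if root.tag != "group":
        # Same condition ossec-analysisd reports as: Invalid root element "rule".
        problems.append('root element is "%s", only "group" is allowed' % root.tag)
    seen_ids = set()
    for rule in root.iter("rule"):
        rid = rule.get("id")
        if rid is None or rule.get("level") is None:
            problems.append("rule missing id or level attribute")
        elif rid in seen_ids:
            problems.append("duplicate rule id %s" % rid)
        seen_ids.add(rid)
        for m in rule.findall("match"):
            if (m.text or "").rstrip().endswith("$"):
                problems.append('rule %s: <match> ends with "$", which OSSEC '
                                "treats as an end-of-line anchor" % rid)
    return problems
```

Run it against the file before restarting OSSEC; an empty list means the file at least parses the way ossec-analysisd expects.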
