On Tue, Jun 28, 2011 at 4:53 PM, Chad Hammond <[email protected]> wrote:
> I am getting this error now below. There are only 7 lines so I am not sure I
> guess.
>
>
> Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
> 2011/06/28 15:48:51 ossec-analysisd(1226): ERROR: Error reading XML file
> 'rules//ESX_Ignore_Rule1.xml': XML ERR: End of file and some elements were
> not closed (line 8).
> 2011/06/28 15:48:51 ossec-testrule(1220): ERROR: Error loading the rules:
> 'ESX_Ignore_Rule1.xml'.
> ossec-analysisd: Configuration error. Exiting.
>
>
> <group name="local">
> <rule id="100101" level="0">
> <if_sid>18139</if_sid>
> <id>675</id>
> <match>User Name: MNESX1</match>
> <description>Events ignored</description>
> </rule>
>
You didn't close the "<group" tag. You need a </group> at the end.
This would have been easier if you modified /var/ossec/rules/local_rules.xml
instead. ;)

>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Tuesday, June 28, 2011 3:43 PM
> To: [email protected]
> Subject: Re: [ossec-list] Email filter
>
> On Tue, Jun 28, 2011 at 4:29 PM, Chad Hammond
> <[email protected]> wrote:
>> Ok, here is an error message that I get when I try and start the service. I
>> also attached the rules that I modified to fit your suggestion as I
>> understood it.
>> Please let me know if I am missing something.
>>
>> Thanks again.
>>
>> Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
>> 2011/06/28 15:26:13 rules_op: Invalid root element "rule".Only "group" is
>> allowed
>> 2011/06/28 15:26:13 ossec-testrule(1220): ERROR: Error loading the rules:
>> 'ESX_Ignore_Rule1.xml'.
>> ossec-analysisd: Configuration error. Exiting.
>>
>>
>>
>
> You need something like "<group name="local">" around the rules, just
> like all the rest of the rule files.
>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of Chad Hammond
>> Sent: Tuesday, June 28, 2011 3:12 PM
>> To: [email protected]
>> Subject: RE: [ossec-list] Email filter
>>
>> I will give it a try then. I was just curious. I will post something when I
>> get this updated.
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of dan (ddp)
>> Sent: Tuesday, June 28, 2011 3:07 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] Email filter
>>
>> Hi Chad,
>>
>> On Tue, Jun 28, 2011 at 4:02 PM, Chad Hammond
>> <[email protected]> wrote:
>>> Here is the full email. So you think the number is 18139 instead of 18152?
>>>
>>
>> Not in your email example it isn't. But if 18139 doesn't fire, 18152
>> won't be triggered. At least by these alerts.
>> You can always try what you had again, but without the "$" character.
>>
>>> OSSEC HIDS Notification.
>>> 2011 Jun 28 14:56:06
>>>
>>> Received From: (MNDC2) 10.0.0.52->WinEvtLog
>>> Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
>>> Portion of the log(s):
>>>
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>>> MNDC2: Pre-authentication failed: User Name: _ryan User ID:
>>> %{S-1-5-21-1995130590-1722771374-355810188-12042} Service Name:
>>> krbtgt/NORTHLAND Pre-Authentication Type: 0x0 Failure
>>> Code: 0x19 Client Address: 10.0.0.10
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>>> MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID:
>>> %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name:
>>> krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
>>> Failure Code: 0x19 Client Address: 10.0.0.114
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>>> MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID:
>>> %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name:
>>> krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
>>> Failure Code: 0x19 Client Address: 10.0.0.114
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>>> MNDC2: Pre-authentication failed: User Name: MNESX3$ User ID:
>>> %{S-1-5-21-1995130590-1722771374-355810188-11843} Service Name:
>>> krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
>>> Failure Code: 0x19 Client Address: 10.0.0.113
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>>> MNDC2: Pre-authentication failed: User Name: MNESX3$ User ID:
>>> %{S-1-5-21-1995130590-1722771374-355810188-11843} Service Name:
>>> krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
>>> Failure Code: 0x19 Client Address: 10.0.0.113
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>>> LOMBARDO: Pre-authentication failed: User
>>> Name: MNESX2$ User
>>> ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service
>>> Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
>>> Failure Code: 0x19 Client Address: 10.0.0.112
>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>>> LOMBARDO: Pre-authentication failed: User Name: MNESX2$ User
>>> ID: %{S-1-5-21-1995130590-1722771374-355810188-11844} Service
>>> Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
>>> Failure Code: 0x19 Client Address: 10.0.0.112
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On
>>> Behalf Of dan (ddp)
>>> Sent: Tuesday, June 28, 2011 2:09 PM
>>> To: [email protected]
>>> Subject: Re: [ossec-list] Email filter
>>>
>>> Rule 1:
>>> <rule id="100101" level="0">
>>> <if_sid>18152</if_sid> <!-- ossec-logtest shows this as 18139 on
>>> my system, but 18152 might work if there are more than 1 log events
>>> -->
>>> <match>Pre-authentication failed: User Name: MNESX1$
>>> </match> <!-- The $ will be interpreted as the end of line character
>>> -->
>>> <description>Events ignored</description>
>>> </rule>
>>>
>>> Maybe try:
>>>
>>> <rule id="100101" level="0">
>>> <if_sid>18139</if_sid>
>>> <id>675</id>
>>> <match>User Name: MNESX2</match>
>>> <description>Events ignored</description>
>>> </rule>
>>>
>>>
>>> On Tue, Jun 28, 2011 at 2:46 PM, Chad Hammond
>>> <[email protected]> wrote:
>>>> Hello, I would like to filter the following email out, which I copied below.
>>>> I also attached a custom rule that I created, and it doesn't seem to be
>>>> filtering all the emails out. I actually created 4 rules because there are
>>>> 4 user accounts that I want to filter, mnesx1$, mnesx2$, mnesx3$ and
>>>> mnesx4. Any assistance on what I am doing wrong would be greatly
>>>> appreciated.
>>>>
>>>> Thanks.
>>>>
>>>>
>>>>
>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>>>> LOMBARDO: Pre-authentication failed: User Name: MNESX2$
>>>> User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844}
>>>> Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type:
>>>> 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>>>> LOMBARDO: Pre-authentication failed: User Name: MNESX2$
>>>> User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844}
>>>> Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type:
>>>> 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>>>> LOMBARDO: Pre-authentication failed: User Name: _Varonis
>>>> User ID: %{S-1-5-21-1995130590-1722771374-355810188-12480}
>>>> Service Name: krbtgt/northlandgroup.com Pre-Authentication Type:
>>>> 0x0 Failure Code: 0x19 Client Address: 10.0.0.106
>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>>>> MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID:
>>>> %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name:
>>>> krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
>>>> Failure Code: 0x19 Client Address: 10.0.0.114
>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>>>> MNDC2: Pre-authentication failed: User Name: MNESX4$ User ID:
>>>> %{S-1-5-21-1995130590-1722771374-355810188-11842} Service Name:
>>>> krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type: 0x0
>>>> Failure Code: 0x19 Client Address: 10.0.0.114
>>>> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY:
>>>> LOMBARDO: Pre-authentication failed: User Name: MNESX2$
>>>> User ID: %{S-1-5-21-1995130590-1722771374-355810188-11844}
>>>> Service Name: krbtgt/NORTHLANDGROUP.COM Pre-Authentication Type:
>>>> 0x0 Failure Code: 0x19 Client Address: 10.0.0.112
>>>> Chad Hammond
>>>> Systems Administrator
>>>> Northland Group
>>>> 7831 Glenroy Rd
>>>> Edina MN 55439
>>>> Direct: 952-837-0625
>>>> ________________________________
>>>> THIS MESSAGE, INCLUDING ANY ATTACHMENTS, IS CONFIDENTIAL AND PROPRIETARY,
>>>> AND MAY CONTAIN PRIVILEGED INFORMATION. IF YOU HAVE RECEIVED THIS
>>>> TRANSMISSION IN ERROR, PLEASE NOTIFY THE SENDER BY RETURN E-MAIL AND
>>>> DELETE THIS MESSAGE FROM YOUR SYSTEM. ANY UNAUTHORIZED USE OF THIS
>>>> MESSAGE, IN WHOLE OR IN PART, IS STRICTLY PROHIBITED. PLEASE NOTE THAT
>>>> EMAILS ARE SUSCEPTIBLE TO TAMPERING. NORTHLAND GROUP, INC. SHALL NOT BE
>>>> LIABLE FOR THE IMPROPER OR INCOMPLETE TRANSMISSION OF THE INFORMATION
>>>> CONTAINED IN THIS COMMUNICATION, NOR FOR ANY DELAY IN ITS RECEIPT OR
>>>> DAMAGE TO YOUR SYSTEM. NORTHLAND GROUP, INC. DOES NOT GUARANTEE THAT THE
>>>> INTEGRITY OF THIS COMMUNICATION HAS BEEN MAINTAINED, NOR THAT THIS
>>>> COMMUNICATION IS FREE FROM VIRUSES, INTERCEPTIONS OR INTERFERENCE
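As an added example, not part of the thread and not OSSEC's own code: a small Python linter that checks a rules file for the three failures seen above (a root element other than <group>, elements left unclosed, and a "$" inside <match> that OSSEC reads as an end-of-line anchor instead of the literal "$" of a machine account). The sample rule texts are constructed from the rules quoted in the thread; rule id 100102 is a placeholder, and the messages approximate the OSSEC errors rather than reproduce its parser.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first attempt from the thread, which lacks </group>.
UNCLOSED_FILE = """<group name="local">
<rule id="100101" level="0">
<if_sid>18139</if_sid>
<id>675</id>
<match>User Name: MNESX1</match>
<description>Events ignored</description>
</rule>
"""

# Constructed sample: a bare <rule> at the top level, with a trailing '$'
# in <match> (the two problems from the earlier attempts in the thread).
BARE_RULE_FILE = """<rule id="100102" level="0">
<if_sid>18139</if_sid>
<match>Pre-authentication failed: User Name: MNESX1$</match>
<description>Events ignored</description>
</rule>
"""

# The fix given in the thread: close the <group> element.
FIXED_FILE = UNCLOSED_FILE + "</group>\n"


def lint_ossec_rules(xml_text):
    """Return a list of problem strings; an empty list means the file should load."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Same failure class as "End of file and some elements were not closed".
        return ["XML ERR: %s" % exc]
    problems = []
    if root.tag != "group":
        # Mirrors the rules_op message: only <group> may be the root element.
        problems.append('Invalid root element "%s". Only "group" is allowed' % root.tag)
    rules = [root] if root.tag == "rule" else list(root.iter("rule"))
    for rule in rules:
        rid = rule.get("id", "?")
        for attr in ("id", "level"):
            if rule.get(attr) is None:
                problems.append("rule %s: missing required attribute %r" % (rid, attr))
        for tag in ("match", "regex"):
            for elem in rule.findall(tag):
                if "$" in (elem.text or ""):
                    problems.append(
                        "rule %s: '$' in <%s> is treated as an end-of-line anchor, "
                        "not the literal '$' of a machine account name" % (rid, tag))
    return problems
```

Run lint_ossec_rules() on the text of /var/ossec/rules/local_rules.xml before restarting OSSEC, so the errors show up in a one-line list rather than as ossec-analysisd refusing to start.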
