Hello,
I have modified the Windows event decoder as described in Daniel Cid's
blog (http://dcid.me/2011/04/running-multiple-ossec-decoders-on-the-same-event/)
and now successfully extract the source IP.
I have created a cdb list which looks like this:

10.10.10.1:trusted_ips
10.10.10.2:trusted_ips
# ....etc (from 1 to 20, that is; I do not paste it all to save some
# space, you get the idea, could be any IP)
10.10.10.20:trusted_ips
Now I want to get an alert whenever someone logs in to Windows via
Remote Desktop from an IP that is not in this list. Windows logs an
EVENT ID: 528 with LOGON TYPE: 10 that suits (or seems to suit) my
needs.
For this I created the following rules:
<rule id="100102" level="0">
  <if_sid>18107</if_sid>
  <match>Logon Type: 10</match>
  <description>Remote Interactive Login (Terminal Services)</description>
</rule>

<rule id="100103" level="10">
  <if_sid>100102</if_sid>
  <list field="srcip" lookup="not_address_match_key">rules/trusted_ips</list>
  <description>Alert when a user successfully logs in from an unapproved source IP</description>
</rule>
No matter how much I tweaked the rules, with any combination I
could think of, the alert gets triggered:
** Alert 1322185660.134412: mail - local,syslog,
2011 Nov 25 03:47:40 (testsrv) 10.10.10.1->WinEvtLog
Rule: 100103 (level 10) -> 'Alert when a user successfully logs in from an unapproved source IP'
Src IP: 10.10.10.20
User: Administrator
WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: OLDDOM: TESTSRV: Successful Logon: User Name: administrator Domain: TESTDOM Logon ID: (0x0,0x2D656E) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09} Caller User Name: TESTSRV$ Caller Domain: TESTDOM Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1688 Transited Services: - Source Network Address: 10.10.10.20 Source Port: 49485
IP 10.10.10.20 should not trigger the alert.
Can anyone help with what I am doing wrong, or how to make this work?
Thank you!
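To reason about the rule offline, here is an added example (not from the post above or from OSSEC itself) that parses a constructed copy of the cdb source list, pulls srcip out of an event shaped like the one in the alert, and models rule 100103's "not in the trusted list" decision. The prefix-walking lookup and the netblock-style key are my assumptions about how address_match_key behaves, not verified OSSEC behaviour.

```python
import re

# Constructed stand-in for the poster's cdb source file (entries 3..19 omitted).
# The trailing "10.20." entry is an assumed netblock-style key, not from the post.
TRUSTED_IPS_SOURCE = """\
10.10.10.1:trusted_ips
10.10.10.2:trusted_ips
10.10.10.20:trusted_ips
10.20.:trusted_ips
"""

# Constructed event text in the shape of the 528 / Logon Type 10 alert above.
EVENT_528 = ("WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: "
             "OLDDOM: TESTSRV: Successful Logon: User Name: administrator "
             "Domain: TESTDOM Logon Type: 10 Logon Process: User32 "
             "Source Network Address: 10.10.10.20 Source Port: 49485")

def parse_cdb_source(text):
    """Parse 'key:value' lines; blank lines and '#' comments are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        table[key.strip()] = value.strip()
    return table

def address_match_key(table, ip):
    """Assumed model of the address lookup: try the full IP, then shorter
    dotted prefixes ('10.10.10.', '10.10.', '10.') so netblock keys match."""
    key = ip
    while key:
        if key in table:
            return True
        dot = key.rstrip(".").rfind(".")
        if dot < 0:
            return False
        key = key[:dot + 1]
    return False

def extract_srcip(event):
    """Stand-in for the srcip field the poster's modified decoder extracts."""
    m = re.search(r"Source Network Address:\s*(\d+\.\d+\.\d+\.\d+)", event)
    return m.group(1) if m else None

def rule_100103_fires(event, table):
    """Rule 100103: Logon Type 10 and srcip NOT found in the trusted list."""
    if "Logon Type: 10" not in event:
        return False
    srcip = extract_srcip(event)
    return srcip is not None and not address_match_key(table, srcip)
```

Running rule_100103_fires(EVENT_528, parse_cdb_source(TRUSTED_IPS_SOURCE)) returns False for 10.10.10.20, which is the outcome the poster expects from the real rule; if the deployed rule still fires, the difference lies in how the list is loaded or looked up, not in the rule logic.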