On Thu, Nov 24, 2011 at 9:14 PM, alsdks <[email protected]> wrote:
> Hello,
>
> I have modified the Windows event decoder as described in Daniel Cid's
> blog (http://dcid.me/2011/04/running-multiple-ossec-decoders-on-the-same-event/)
> and now successfully extract the source IP.
>
> I have created a cdb list which looks like this:
> 10.10.10.1:trusted_ips
> 10.10.10.2:trusted_ips
>  # ... etc. (from 1 to 20, that is; I do not paste it all, to save some
> space, you get the idea, could be any IP) #
> 10.10.10.20:trusted_ips
>
> Now I want to get an alert whenever someone logs in to Windows via
> Remote Desktop from an IP that is not in this list. Windows logs an
> EVENT ID: 528 with LOGON TYPE: 10 that suits (or seems to suit) my
> needs.
> For this I created the following rules :
>
> <rule id="100102" level="0">
>   <if_sid>18107</if_sid>
>   <match>Logon Type: 10</match>
>   <description>Remote Interactive Login (Terminal Services)</description>
> </rule>
>
> <rule id="100103" level="10">
>   <if_sid>100102</if_sid>
>   <list field="srcip" lookup="not_address_match_key">rules/trusted_ips</list>
>   <description>Alert when a user successfully logs in from an unapproved source IP</description>
> </rule>
>
>
> No matter how much I tweaked the rules, with any combination I
> could think of, the alert gets triggered.
>
> ** Alert 1322185660.134412: mail  - local,syslog,
> 2011 Nov 25 03:47:40 (testsrv) 10.10.10.1->WinEvtLog
> Rule: 100103 (level 10) -> 'Alert when a user successfully logs in from an unapproved source IP'
> Src IP: 10.10.10.20
> User: Administrator
> WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: OLDDOM: TESTSRV: Successful Logon: User Name: administrator Domain: TESTDOM Logon ID: (0x0,0x2D656E) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09} Caller User Name: TESTSRV$ Caller Domain: TESTDOM Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1688 Transited Services: - Source Network Address: 10.10.10.20 Source Port: 49485
>
>
> IP 10.10.10.20 should not trigger the alert.
>
> Can anyone help? What am I doing wrong, or how can I make this work?
>
> Thank you!
>

It works for me. Did you run `ossec-makelists`?
How did you define the list in the manager's ossec.conf?
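As an added example that is not part of this thread and not OSSEC's own code: a small Python model of the posted rule chain (100102 on Logon Type 10, then 100103 when `srcip` is absent from the list), run over constructed 528 events in the flattened form the WinEvtLog decoder sees. The list text, the event template and the `evaluate` function are this example's assumptions; the prefix walk in `address_match_key` (a key such as `10.10.10` covering the addresses under it) is an assumption about how OSSEC's address lookup generalises and should be checked against the analysisd source of the version in use. What it shows is the expected outcome once the list is actually loaded: a logon from 10.10.10.20 stays at level 0, an unlisted address raises 100103, and a non-RDP logon type matches neither. If a running manager still alerts on a listed address, the list is not being consulted at all, which is exactly what the question about `ossec-makelists` and the `<list>` entry in ossec.conf is probing.

```python
import re

# Constructed sample of the poster's cdb list source (key:value per line),
# trimmed to three of the twenty entries.
TRUSTED_IPS_SRC = """\
10.10.10.1:trusted_ips
10.10.10.2:trusted_ips
10.10.10.20:trusted_ips
"""

# Constructed 528 event in the one-line layout of the event quoted in the post;
# only the source address and logon type vary between samples.
EVENT_TEMPLATE = (
    "WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: OLDDOM: TESTSRV: "
    "Successful Logon: User Name: administrator Domain: TESTDOM Logon ID: (0x0,0x2D656E) "
    "Logon Type: {logon_type} Logon Process: User32 Authentication Package: Negotiate "
    "Workstation Name: TESTSRV Caller User Name: TESTSRV$ Caller Domain: TESTDOM "
    "Transited Services: - Source Network Address: {srcip} Source Port: 49485"
)

SRCIP_RE = re.compile(r"Source Network Address:\s*(\S+)")
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
EVENT_ID_RE = re.compile(r"AUDIT_SUCCESS\((\d+)\)")
USER_RE = re.compile(r"User Name:\s*(\S+)")  # first hit is the logon user, not the caller


def make_event(srcip, logon_type=10):
    """Build a constructed 528 event line for the given source address and logon type."""
    return EVENT_TEMPLATE.format(srcip=srcip, logon_type=logon_type)


def load_list(text):
    """Parse cdb list source text (key:value per line) into a dict.
    Blank lines and '#' comment lines are skipped as a convenience of this script."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        table[key.strip()] = value.strip()
    return table


def decode_event(line):
    """Extract the fields the rules use; srcip is what the modified decoder exposes."""
    fields = {}
    for name, rx in (("srcip", SRCIP_RE), ("logon_type", LOGON_TYPE_RE),
                     ("event_id", EVENT_ID_RE), ("user", USER_RE)):
        m = rx.search(line)
        if m:
            fields[name] = m.group(1)
    return fields


def address_match_key(table, ip):
    """Exact-key lookup first, then progressively shorter dotted prefixes
    ('10.10.10', '10.10', '10'). The prefix walk is this script's assumption
    about OSSEC's address lookup; verify it against the version you run."""
    key = ip
    while key:
        if key in table:
            return True
        key, dot, _ = key.rpartition(".")
        if not dot:
            return False
    return False


def evaluate(line, table):
    """Apply the posted chain: 100102 (level 0) on Logon Type 10, then 100103
    (level 10) when srcip is not in the list. Returns (rule_id, level) of the
    last rule that fired, or None. The 528 gate stands in for parent rule 18107.
    If the decoder produced no srcip, the list lookup cannot match and 100103
    stays silent; that is the first thing to confirm with ossec-logtest."""
    f = decode_event(line)
    if f.get("event_id") != "528":
        return None
    if f.get("logon_type") != "10":
        return None
    if "srcip" in f and not address_match_key(table, f["srcip"]):
        return (100103, 10)
    return (100102, 0)


TRUSTED = load_list(TRUSTED_IPS_SRC)


def run_samples():
    """Evaluate three constructed events and return {label: result}."""
    samples = {
        "rdp from listed 10.10.10.20": make_event("10.10.10.20"),
        "rdp from unlisted 192.0.2.55": make_event("192.0.2.55"),
        "console logon from 192.0.2.55": make_event("192.0.2.55", logon_type=2),
    }
    return {label: evaluate(line, TRUSTED) for label, line in samples.items()}


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(f"{label:32s} -> {result}")
```

To compare against a real manager: declare the list with `<list>rules/trusted_ips</list>` inside `<rules>` in the manager's ossec.conf, run `ossec-makelists` and confirm that `rules/trusted_ips.cdb` now exists beside the source file, then paste the 528 line into `ossec-logtest` and check that it reports `srcip` decoded and rule 100102 rather than 100103 for a listed address.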
