Hello Dan, Yes I run ossec-makelists (it said it did not need to be compiled)
It is like this <list>/var/ossec/rules/trusted_ips</list> The list is not a problem as it works as expected for sshd logins . In windows however as stated I get alerted no matter if the IP is or is not in the list. Thank you On Nov 28, 10:37 pm, "dan (ddp)" <[email protected]> wrote: > On Thu, Nov 24, 2011 at 9:14 PM, alsdks <[email protected]> wrote: > > Hello, > > > I have modified the windows event decoder as described in Daniel Cid's > > blog (http://dcid.me/2011/04/running-multiple-ossec-decoders-on-the- > > same-event/) and successfully now extract the source IP . > > > I have created a cdb list which looks like this: > > 10.10.10.1:trusted_ips > > 10.10.10.2:trusted_ips > > #....etc (from 1 to 20 that is,I do not paste it all to save some > > space , you get the idea, could be any IP )# > > 10.10.10.20:trusted_ips > > > Now I want to get an alert whenever someone logins to Windows via > > remote Desktop from an IP that is not is this list. Windows logs an > > EVENT ID: 528 with LOGON TYPE: 10 that suits (or seems so ) my > > needs . > > For this I created the following rules : > > > <rule id="100102" level="0"> > > <if_sid>18107</if_sid> > > <match>Logon Type: 10</match> > > <description>Remote Interactive Login (Terminal Services) </ > > description> > > </rule> > > > <rule id="100103" level="10"> > > <if_sid>100102</if_sid> > > <list field="srcip" lookup="not_address_match_key">rules/ > > trusted_ips</list> > > <description>Alert when a user succesfully logs in from an > > unapproved source IP </description> > > </rule> > > > No matter how much I tweaked the rules around , with any combination I > > could think of , the alert gets triggered . > > > ** Alert 1322185660.134412: mail - local,syslog, > > 2011 Nov 25 03:47:40 (testsrv) 10.10.10.1->WinEvtLog > > Rule: 100103 (level 10) -> 'Alert when a user succesfully logs in from > > an unapproved source IP ' > > Src IP: 10.10.10.20 > > User: Administrator > > WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: > > OLDDOM: TESTSRV: Successful Logon: User Name: > > administrator Domain: TESTDOM Logon ID: > > (0x0,0x2D656E) Logon Type: 10 Logon Process: > > User32 Authentication Package: Negotiate Workstation > > Name: TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128- > > f424fe653b09} Caller User Name: TESTSRV$ Caller Domain: > > TESTDOM Caller Logon ID: (0x0,0x3E7) Caller > > Process ID: 1688 Transited Services: - Source > > Network Address: 10.10.10.20 Source Port: 49485 > > > Ip 10.10.10.20 should not trigger the alert . > > > Can anyone help what am I doing wrong , or how to make this work ? > > > Thank you! > > It works for me. Did you run `ossec-makelists`? > How did you define the list in the manager's ossec.conf?
