On Wed, Nov 30, 2011 at 3:23 PM, alsdks <[email protected]> wrote:
> Hello Dan,
>
> Yes, I run ossec-makelists (it said it did not need to be compiled).
>
> It is like this
> <list>/var/ossec/rules/trusted_ips</list>
>
I don't know if this affects you since you put the full path in there,
but lists should take the chroot into account. For instance, my lists:
<list>lists/blocked.txt.cdb</list>
<list>lists/userlist.txt.cdb</list>
These are actually installed in /var/ossec/lists.
I'll try to set this up later to test.
> The list is not a problem, as it works as expected for sshd logins.
>
> In Windows, however, as stated, I get alerted no matter whether the IP is
> or is not in the list.
>
> Thank you
>
> On Nov 28, 10:37 pm, "dan (ddp)" <[email protected]> wrote:
>> On Thu, Nov 24, 2011 at 9:14 PM, alsdks <[email protected]> wrote:
>> > Hello,
>>
>> > I have modified the Windows event decoder as described in Daniel Cid's
>> > blog (http://dcid.me/2011/04/running-multiple-ossec-decoders-on-the-same-event/)
>> > and now successfully extract the source IP.
>>
>> > I have created a cdb list which looks like this:
>> > 10.10.10.1:trusted_ips
>> > 10.10.10.2:trusted_ips
>> > # ...etc (from 1 to 20, that is; I do not paste it all to save some
>> > # space, you get the idea, could be any IP)
>> > 10.10.10.20:trusted_ips
>>
>> > Now I want to get an alert whenever someone logs in to Windows via
>> > Remote Desktop from an IP that is not in this list. Windows logs an
>> > EVENT ID: 528 with LOGON TYPE: 10 that suits (or seems to suit) my
>> > needs.
>> > For this I created the following rules:
>>
>> > <rule id="100102" level="0">
>> >   <if_sid>18107</if_sid>
>> >   <match>Logon Type: 10</match>
>> >   <description>Remote Interactive Login (Terminal Services)</description>
>> > </rule>
>>
>> > <rule id="100103" level="10">
>> >   <if_sid>100102</if_sid>
>> >   <list field="srcip" lookup="not_address_match_key">rules/trusted_ips</list>
>> >   <description>Alert when a user successfully logs in from an unapproved source IP</description>
>> > </rule>
>>
>> > No matter how much I tweaked the rules, with any combination I
>> > could think of, the alert gets triggered.
>>
>> > ** Alert 1322185660.134412: mail - local,syslog,
>> > 2011 Nov 25 03:47:40 (testsrv) 10.10.10.1->WinEvtLog
>> > Rule: 100103 (level 10) -> 'Alert when a user successfully logs in from an unapproved source IP'
>> > Src IP: 10.10.10.20
>> > User: Administrator
>> > WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: OLDDOM: TESTSRV: Successful Logon: User Name: administrator Domain: TESTDOM Logon ID: (0x0,0x2D656E) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128-f424fe653b09} Caller User Name: TESTSRV$ Caller Domain: TESTDOM Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1688 Transited Services: - Source Network Address: 10.10.10.20 Source Port: 49485
>>
>> > IP 10.10.10.20 should not trigger the alert.
>>
>> > Can anyone help with what I am doing wrong, or how to make this work?
>>
>> > Thank you!
>>
>> It works for me. Did you run `ossec-makelists`?
>> How did you define the list in the manager's ossec.conf?
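As an added illustration (not OSSEC's code and not from anyone in this thread), the following Python model shows what the posted rule pair asks the manager to do: pull the source address out of the quoted 528 event the way the modified decoder does, then run OSSEC's address_match_key prefix walk (full address, then "10.10.10.", "10.10.", "10.") over a key:value list and apply rules 100102/100103. The list contents, the extra network key, every event except the one quoted above, and the handling of a missing field or an empty list are assumptions of this model, not facts from the thread. The empty-list case is included because it reproduces the symptom reported (not_address_match_key becomes true for every address); whether that is what happens on the poster's manager, the thread does not establish.

```python
"""Toy model of an OSSEC <list lookup="not_address_match_key"> rule.

Added example, not OSSEC code. address_match_key() mirrors the prefix walk
OSSEC does for address lookups; everything else (list contents, events,
behaviour on a missing field or empty list) is an assumption of this model.
"""
import re

# Constructed list in the key:value text format the poster compiled with
# ossec-makelists. The value after the colon is ignored by *_key lookups.
# The last line is an assumed network key: "192.168.5." covers 192.168.5.x.
TRUSTED_IPS_TXT = """\
10.10.10.1:trusted_ips
10.10.10.2:trusted_ips
10.10.10.20:trusted_ips
192.168.5.:trusted_ips
"""

SRCIP_RE = re.compile(r"Source Network Address:\s*(\S+)")


def load_list(text):
    """Parse key:value lines into the set of keys a compiled .cdb would hold."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, _value = line.partition(":")
        keys.add(key)
    return keys


def address_match_key(ip, keys):
    """OSSEC-style address lookup: exact key first, then progressively
    shorter dotted prefixes, e.g. 10.10.10.20 -> 10.10.10. -> 10.10. -> 10."""
    candidate = ip
    while True:
        if candidate in keys:
            return True
        head, dot, _tail = candidate.rstrip(".").rpartition(".")
        if not dot:
            return False          # no more octets to strip
        candidate = head + "."    # keep the trailing dot: it marks a network key


def extract_srcip(event):
    """The field the poster's modified Windows decoder exposes as srcip."""
    m = SRCIP_RE.search(event)
    return m.group(1) if m else None


def rule_100103_fires(event, keys):
    """Rule 100102: substring match on 'Logon Type: 10'.
    Rule 100103: alert when srcip is NOT in the list (not_address_match_key)."""
    if "Logon Type: 10" not in event:
        return False   # 100102 does not match, so 100103 is never evaluated
    srcip = extract_srcip(event)
    if srcip is None:
        return False   # assumption of this model: no field, no list match
    return not address_match_key(srcip, keys)


# Constructed events, derived from the one quoted in the thread.
def _event(logon_type, srcip):
    return ("WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: "
            "OLDDOM: TESTSRV: Successful Logon: User Name: administrator "
            "Domain: TESTDOM Logon Type: %s Logon Process: User32 "
            "Source Network Address: %s Source Port: 49485" % (logon_type, srcip))


EVENT_TRUSTED = _event(10, "10.10.10.20")    # the poster's case: should not alert
EVENT_UNTRUSTED = _event(10, "10.10.10.99")  # not listed: should alert
EVENT_NETWORK = _event(10, "192.168.5.77")   # covered by the assumed network key
EVENT_CONSOLE = _event(2, "10.10.10.99")     # not an RDP logon: 100102 does not match

if __name__ == "__main__":
    keys = load_list(TRUSTED_IPS_TXT)
    for name, ev in (("trusted", EVENT_TRUSTED), ("untrusted", EVENT_UNTRUSTED),
                     ("network", EVENT_NETWORK), ("console", EVENT_CONSOLE)):
        print("%-9s %s" % (name, "ALERT" if rule_100103_fires(ev, keys) else "no alert"))
    # Failure mode: with an empty (or wrong) list loaded, every RDP logon alerts.
    print("trusted vs empty list:", "ALERT" if rule_100103_fires(EVENT_TRUSTED, set()) else "no alert")
```

The block distinguishes host keys from network keys by the trailing dot, which is why `load_list` must not strip it; a list entry written as `10.10.10` (no dot) would only ever match the literal string `10.10.10`, not the /24.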