Well I changes it also as you suggested just to see but again no luck... Whatever change I make to the rules , I have even tried to overwrite rule 18107 but nothing ...
Two things are what I am looking for : Event ID: 528 and whithin that event logon type: 10 Then do the lookup against that cdb list .... Whatever I do , however I try to syntax my rules , the alert triggers at both occations .I can't figure out why . Is it a Windows thingy ? But in logs coming to OSSEC I cannot see why my rules don't work ... It is pretty clear what I am looking for ...There is only one (1) event of id 528 and within that the Logon type 10.Why can't I pinpoint this ... Or maybe I can but for some reason the cdb list lookup doesn't work for windows ...and the alert gets triggered because bot 528 and logon type match at each occasion . As if the logic stops there and doesn't go further to check the IPs in across the list . I have reached a dead end :( Thank you On Dec 1, 6:42 pm, "dan (ddp)" <[email protected]> wrote: > On Wed, Nov 30, 2011 at 3:23 PM, alsdks <[email protected]> wrote: > > Hello Dan, > > > Yes I run ossec-makelists (it said it did not need to be compiled) > > > It is like this > > <list>/var/ossec/rules/trusted_ips</list> > > I don't know if this affects you since you put the full path in there, > but lists should take the chroot into account. For instance, my lists: > > <list>lists/blocked.txt.cdb</list> > <list>lists/userlist.txt.cdb</list> > > These are actually installed in /var/ossec/lists. > > I'll try to set this up later to test. > > > > > > > > > The list is not a problem as it works as expected for sshd logins . > > > In windows however as stated I get alerted no matter if the IP is or > > is not in the list. > > > Thank you > > > On Nov 28, 10:37 pm, "dan (ddp)" <[email protected]> wrote: > >> On Thu, Nov 24, 2011 at 9:14 PM, alsdks <[email protected]> wrote: > >> > Hello, > > >> > I have modified the windows event decoder as described in Daniel Cid's > >> > blog (http://dcid.me/2011/04/running-multiple-ossec-decoders-on-the- > >> > same-event/) and successfully now extract the source IP . > > >> > I have created a cdb list which looks like this: > >> > 10.10.10.1:trusted_ips > >> > 10.10.10.2:trusted_ips > >> > #....etc (from 1 to 20 that is,I do not paste it all to save some > >> > space , you get the idea, could be any IP )# > >> > 10.10.10.20:trusted_ips > > >> > Now I want to get an alert whenever someone logins to Windows via > >> > remote Desktop from an IP that is not is this list. Windows logs an > >> > EVENT ID: 528 with LOGON TYPE: 10 that suits (or seems so ) my > >> > needs . > >> > For this I created the following rules : > > >> > <rule id="100102" level="0"> > >> > <if_sid>18107</if_sid> > >> > <match>Logon Type: 10</match> > >> > <description>Remote Interactive Login (Terminal Services) </ > >> > description> > >> > </rule> > > >> > <rule id="100103" level="10"> > >> > <if_sid>100102</if_sid> > >> > <list field="srcip" lookup="not_address_match_key">rules/ > >> > trusted_ips</list> > >> > <description>Alert when a user succesfully logs in from an > >> > unapproved source IP </description> > >> > </rule> > > >> > No matter how much I tweaked the rules around , with any combination I > >> > could think of , the alert gets triggered . > > >> > ** Alert 1322185660.134412: mail - local,syslog, > >> > 2011 Nov 25 03:47:40 (testsrv) 10.10.10.1->WinEvtLog > >> > Rule: 100103 (level 10) -> 'Alert when a user succesfully logs in from > >> > an unapproved source IP ' > >> > Src IP: 10.10.10.20 > >> > User: Administrator > >> > WinEvtLog: Security: AUDIT_SUCCESS(528): Security: Administrator: > >> > OLDDOM: TESTSRV: Successful Logon: User Name: > >> > administrator Domain: TESTDOM Logon ID: > >> > (0x0,0x2D656E) Logon Type: 10 Logon Process: > >> > User32 Authentication Package: Negotiate Workstation > >> > Name: TESTSRV Logon GUID: {bd646993-43fc-8f5e-3128- > >> > f424fe653b09} Caller User Name: TESTSRV$ Caller Domain: > >> > TESTDOM Caller Logon ID: (0x0,0x3E7) Caller > >> > Process ID: 1688 Transited Services: - Source > >> > Network Address: 10.10.10.20 Source Port: 49485 > > >> > Ip 10.10.10.20 should not trigger the alert . > > >> > Can anyone help what am I doing wrong , or how to make this work ? > > >> > Thank you! > > >> It works for me. Did you run `ossec-makelists`? > >> How did you define the list in the manager's ossec.conf?
