I want to be notified if there are 10 failed logon attempts within 2
minutes from the same user.
I know that rule 18152 sends an alert when there are 10 (8) failed
attempts within 2 minutes.
From msauth_rules.xml:
<rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
<if_matched_group>win_authentication_failed</if_matched_group>
<description>Multiple Windows Logon Failures.</description>
<group>authentication_failures,</group>
</rule>
I have tried adding the following to my local_rules.xml
<rule id="100300" level="10" frequency="8" timeframe="240">
<if_matched_group>win_authentication_failed</if_matched_group>
<same_user />
<description>Possible Brute force attack against windows logins
(10 failures within 2 minutes).</description>
<group>authentication_failures,</group>
</rule>
When I use ossec_logtest the rule 18152 is fired, but never 100300.
FYI: I have a file, ossec_test, with 10 lines of the same bad login
for testing.
WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: SERVER1: Pre-authentication failed: User Name: user1 User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251} Service Name: krbtgt/DOMAIN.LOCAL Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.10
---
I also tried the following in my local_rules.xml in the hope that it
would override the one previously defined.
<rule id="18152" level="10" frequency="8" timeframe="240">
<if_matched_group>win_authentication_failed</if_matched_group>
<same_user />
<description>Multiple Windows Logon Failures. (Same User Test)</description>
<group>authentication_failures,</group>
</rule>
When I use ossec_logtest the old rule is fired; it does not have "(Same
User Test)" in the description.
--
After some playing around I went back to my first try but modified the
frequency.
<rule id="100300" level="10" frequency="5" timeframe="240">
<if_matched_group>win_authentication_failed</if_matched_group>
<same_user />
<description>Possible Brute force attack against windows logins
(10 failures within 2 minutes).</description>
<group>authentication_failures,</group>
</rule>
This would trigger the rule. If I increased the frequency to 6 then
the rule 18152 would be triggered.
Any idea what I am doing wrong, or pointers on how to do this
correctly?
Thanks
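As an added illustration (not part of the original post and not OSSEC's own code), the script below models the composite-rule evaluation described above against ten copies of the posted event line. It assumes $MS_FREQ is 8, that candidate rules are tried by level (highest first) and then load order with the first match winning, and that a rule fires once frequency+2 matching events fall inside its timeframe; under those assumptions the custom rule at frequency 8 is shadowed by 18152, at frequency 5 it reaches its threshold earlier and fires, and giving it a higher level makes it win even at frequency 8.

```python
import re
from collections import defaultdict

# Constructed copy of the posted WinEvtLog line (SID shortened), repeated 10 times one second apart.
EVENT = ("WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: SERVER1: "
         "Pre-authentication failed: User Name: user1 User ID: %{S-1-5-21-EXAMPLE-8251} "
         "Service Name: krbtgt/DOMAIN.LOCAL Pre-Authentication Type: 0x0 "
         "Failure Code: 0x19 Client Address: 10.0.0.10")
EVENTS = [(t, EVENT) for t in range(10)]          # (seconds, log line)

USER_RE = re.compile(r"User Name:\s*(\S+)")

# Rule 18152 as shipped ($MS_FREQ assumed to be 8, as the post states) and the custom rule.
# Load order matters: msauth_rules.xml is read before local_rules.xml.
SHIPPED = {"id": 18152, "level": 10, "frequency": 8, "timeframe": 240, "same_user": False}

def custom(frequency, level=10):
    return {"id": 100300, "level": level, "frequency": frequency, "timeframe": 240, "same_user": True}

def evaluate(rules, events):
    """Simplified model of composite-rule evaluation (assumptions, not OSSEC source):
    rules are tried by level (highest first), then load order; a rule fires once
    frequency+2 matching events lie within its timeframe; the first rule that fires
    for an event wins and later rules are skipped for that event.
    Returns (event_number, rule_id) for every firing."""
    ordered = sorted(rules, key=lambda r: -r["level"])   # stable sort keeps load order per level
    history = defaultdict(list)
    fired = []
    for n, (ts, line) in enumerate(events, start=1):
        m = USER_RE.search(line)
        user = m.group(1) if m else None
        for rule in ordered:
            # <same_user /> counts per decoded user; otherwise all group matches count together
            key = (rule["id"], user if rule["same_user"] else None)
            hist = [t for t in history[key] if ts - t <= rule["timeframe"]] + [ts]
            history[key] = hist
            if len(hist) >= rule["frequency"] + 2:
                fired.append((n, rule["id"]))
                history[key] = []        # the firing rule consumes its matched events
                break
    return fired

if __name__ == "__main__":
    print("same level, frequency 8:", evaluate([SHIPPED, custom(8)], EVENTS))
    print("same level, frequency 5:", evaluate([SHIPPED, custom(5)], EVENTS))
    print("level 11,   frequency 8:", evaluate([SHIPPED, custom(8, level=11)], EVENTS))
```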