Try that 18152 rule again in your local rules with the overwrite="yes" option, so it overwrites the original rule, and see how it goes.
On Feb 1, 11:20 pm, tao_zhyn <[email protected]> wrote:
> I want to be notified if there are 10 failed logon attempts within 2
> minutes from the same user.
>
> I know that rule 18152 sends an alert when there are 10 (8) failed
> attempts within 2 minutes.
>
> From msauth_rules.xml
>
>   <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
>     <if_matched_group>win_authentication_failed</if_matched_group>
>     <description>Multiple Windows Logon Failures.</description>
>     <group>authentication_failures,</group>
>   </rule>
>
> I have tried adding the following to my local_rules.xml
>
>   <rule id="100300" level="10" frequency="8" timeframe="240">
>     <if_matched_group>win_authentication_failed</if_matched_group>
>     <same_user />
>     <description>Possible Brute force attack against windows logins
>     (10 failures within 2 minutes).</description>
>     <group>authentication_failures,</group>
>   </rule>
>
> When I use ossec_logtest the rule 18152 is fired, but never 100300.
>
> FYI: I have a file, ossec_test, with 10 lines of the same bad login
> for testing.
>
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: SERVER1: Pre-authentication failed: User Name: user1 User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251} Service Name: krbtgt/DOMAIN.LOCAL Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.0.0.10
>
> ---
>
> I also tried the following in my local_rules.xml in the hope that it
> would override the one previously defined.
>
>   <rule id="18152" level="10" frequency="8" timeframe="240">
>     <if_matched_group>win_authentication_failed</if_matched_group>
>     <same_user />
>     <description>Multiple Windows Logon Failures. (Same User Test)</description>
>     <group>authentication_failures,</group>
>   </rule>
>
> When I use ossec_logtest the old rule is fired; it does not have "(Same
> User Test)" in the description.
>
> --
>
> After some playing around I went back to my first try but modified the
> frequency.
>
>   <rule id="100300" level="10" frequency="5" timeframe="240">
>     <if_matched_group>win_authentication_failed</if_matched_group>
>     <same_user />
>     <description>Possible Brute force attack against windows logins
>     (10 failures within 2 minutes).</description>
>     <group>authentication_failures,</group>
>   </rule>
>
> This would trigger the rule. If I increased the frequency to 6 then
> rule 18152 would be triggered.
>
> Any idea what I am doing wrong, or pointers on how to do this
> correctly?
>
> Thanks
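The fix the reply suggests, written out as an added example rather than a rule taken from the thread: the stock rule id 18152 is redefined in local_rules.xml with overwrite="yes" and <same_user /> added, keeping the thread's frequency="8" / timeframe="240" values and group names. The surrounding <group name="local,syslog,"> wrapper is the usual local_rules.xml container and is assumed here.

```xml
<!-- local_rules.xml: replace the stock rule instead of adding a competing one.
     overwrite="yes" makes OSSEC load this definition in place of rule 18152
     from msauth_rules.xml. Without it the stock rule stays active and, as the
     thread's ossec_logtest runs show, keeps firing instead of the local copy. -->
<group name="local,syslog,">

  <rule id="18152" level="10" frequency="8" timeframe="240" overwrite="yes">
    <!-- correlate the win_authentication_failed events already matched by
         the per-event rules, same threshold and window as the stock rule -->
    <if_matched_group>win_authentication_failed</if_matched_group>
    <!-- count only events whose decoded user name is the same; events with
         no decoded user field will not contribute to this correlation -->
    <same_user />
    <description>Multiple Windows Logon Failures from the same user (10 failures within 2 minutes).</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Replay the same 10-line ossec_test file through ossec_logtest: the alert should now carry this description, which confirms the overwrite took effect and that the user field is being decoded for these events.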
