I knew I was missing something simple, overwrite="yes".
I do vaguely remember reading about this option. Yes, it is here:
http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7
Dan, your suggestion did not work. it was still preferring the 18152.
Although I took your suggestion and did the following.
<!-- We will overwrite the default rule and
-- add a check to make sure it is the same user
-->
<rule id="18152" level="10" frequency="8" timeframe="240"
overwrite="yes">
<if_matched_group>win_authentication_failed</if_matched_group>
<same_user />
<description>Possible Brute force attack against windows logins
(10 failures within 2 minutes).</description>
<group>authentication_failures,</group>
</rule>
<!-- This rule is a copy of the original 18152
-- It will capture any other multiple failed attempts at a lower
-- alert level
-->
<rule id="100300" level="8" frequency=10" timeframe="240">
<if_matched_group>win_authentication_failed</if_matched_group>
<description>Multiple Windows Logon Failures.</description>
<group>authentication_failures,</group>
</rule>
This will fire 18152 (Possible Brute force) if the user is the same,
other wise it will fire the new rule 100300.
During my testing I do see that ossec is saying the user is SYSTEM and
not user1. I see that the decoder assigns dstuser: SYSTEM, which is
the attribute for Security.
Rule: 18139 (level 5) -> 'Windows DC Logon Failure.'
User: SYSTEM
WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT
AUTHORITY: SERVER1: Pre-authentication failed: User Name: user1
User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251}
Service Name: krbtgt/KEYANO.LOCAL Pre-Authentication Type: 0x0
Failure Code: 0x19 Client Address: 10.0.0.10
This means rule 100300 will never be fired, because any failed
attempts looks like it comes from the same user.
Has anyone else encountered this? I will take a look at the decoder
later today to see what is going on.
I may have to find or create a new log event for a failed logon
attempt. I have recently created a rule to ignore Pre-Authentication
fails (Failure Code: 0x18 and 0x19), since we are using windows 2003
and windows 7.
-- See:
http://www.mcbsys.com/techblog/2009/12/windows-7-causes-675-0x19-security-errors-in-windows-2003-domain/
-- See: http://www.ossec.net/wiki/Know_How:Multiple_Failures_WindowsAD
On Feb 2, 6:18 am, "dan (ddp)" <[email protected]> wrote:
> On Wed, Feb 1, 2012 at 5:02 PM, alsdks <[email protected]> wrote:
> > try that 18152 rule again in your local rules with overwrite="yes"
> > option , to overwrite the original rule and see how it goes .
>
> (WARNING: I do not know if this will work! Try it, see if it works. Or not.)
>
> Combined with the above, you could try adding your rule 100300 to
> local_rules, and copy rule 18152 with the overwrite="yes" (and no
> other changes) below it.
>
> This might move the detection order to prefer the 100300 rule over
> 18152 when the same user is involved. Might not though, I can't test
> it at the moment.
>
>
>
>
>
>
>
> > On Feb 1, 11:20 pm, tao_zhyn <[email protected]> wrote:
> >> I want to be notified if their are 10 failed logon attempts within 2
> >> minutes from the same user.
>
> >> I know that rule 18152 sends an alert when their are 10 (8) failed
> >> attempts within 2 minutes.
>
> >> From msauth_rules.xml
>
> >> <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
> >> <if_matched_group>win_authentication_failed</if_matched_group>
> >> <description>Multiple Windows Logon Failures.</description>
> >> <group>authentication_failures,</group>
> >> </rule>
>
> >> I have tried adding the following to my local_rules.xml
>
> >> <rule id="100300" level="10" frequency="8" timeframe="240">
> >> <if_matched_group>win_authentication_failed</if_matched_group>
> >> <same_user />
> >> <description>Possible Brute force attack against windows logins
> >> (10 failures within 2 minutes).</description>
> >> <group>authentication_failures,</group>
> >> </rule>
>
> >> When i use ossec_logtest the rule 18152 is fired, but never 100300.
>
> >> FYI: I have a file ossec_test file with 10 lines of the same bad login
> >> for testing.
>
> >> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT
> >> AUTHORITY: SERVER1: Pre-authentication failed: User Name:
> >> user1 User ID: %
> >> {S-1-5-21-1296043670-581226567-3024351967-8251} Service Name:
> >> krbtgt/DOMAIN.LOCAL
> >> Pre-Authentication Type: 0x0 Failure Code: 0x19
> >> Client
> >> Address: 10.0.0.10
>
> >> ---
>
> >> I also tried the following in my local_rules.xml in the hope that it
> >> would override the one previously defined.
>
> >> <rule id="18152" level="10" frequency="8" timeframe="240">
> >> <if_matched_group>win_authentication_failed</if_matched_group>
> >> <same_user />
> >> <description>Multiple Windows Logon Failures. (Same User Test)</
> >> description>
> >> <group>authentication_failures,</group>
> >> </rule>
>
> >> When I use ossec_logtest the old rule is fired, does not have "(Same
> >> User Test)" in the description.
>
> >> --
>
> >> After some playing around I went back to my first try but modified the
> >> frequecy.
>
> >> <rule id="100300" level="10" frequency="5" timeframe="240">
> >> <if_matched_group>win_authentication_failed</if_matched_group>
> >> <same_user />
> >> <description>Possible Brute force attack against windows logins
> >> (10 failures within 2 minutes).</description>
> >> <group>authentication_failures,</group>
> >> </rule>
>
> >> This would trigger the rule. If I increased the frequency to 6 then
> >> the rule 18152 would be triggered.
>
> >> Any idea at what I am doing wrong or pointers on how to do this
> >> correctly.
>
> >> Thanks
