On Thu, Feb 2, 2012 at 10:57 AM, tao_zhyn <[email protected]> wrote:
> I knew I was missing something simple, overwrite="yes".
> I do vaguely remember reading about this option. Yes, it is here:
> http://www.ossec.net/wiki/Know_How:Email_Alerts_below_7
>
> Dan, your suggestion did not work. it was still preferring the 18152.
> Although I took your suggestion and did the following.
>
> <!-- We will overwrite the default rule and
> -- add a check to make sure it is the same user
> -->
> <rule id="18152" level="10" frequency="8" timeframe="240"
> overwrite="yes">
> <if_matched_group>win_authentication_failed</if_matched_group>
> <same_user />
> <description>Possible Brute force attack against windows logins
> (10 failures within 2 minutes).</description>
> <group>authentication_failures,</group>
> </rule>
>
>
> <!-- This rule is a copy of the original 18152
> -- It will capture any other multiple failed attempts at a lower
> -- alert level
> -->
> <rule id="100300" level="8" frequency="10" timeframe="240">
> <if_matched_group>win_authentication_failed</if_matched_group>
> <description>Multiple Windows Logon Failures.</description>
> <group>authentication_failures,</group>
> </rule>
>
> This will fire 18152 (Possible Brute force) if the user is the same,
> otherwise it will fire the new rule 100300.
>
>
> During my testing I do see that ossec is saying the user is SYSTEM and
> not user1. I see that the decoder assigns dstuser: SYSTEM, which is
> the attribute for Security.
>
I vaguely remember some decoder work being done (or talked about). So
check the hg repo to see if it's the same, might save you some work.
> Rule: 18139 (level 5) -> 'Windows DC Logon Failure.'
> User: SYSTEM
> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT
> AUTHORITY: SERVER1: Pre-authentication failed: User Name: user1
> User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251}
> Service Name: krbtgt/KEYANO.LOCAL Pre-Authentication Type: 0x0
> Failure Code: 0x19 Client Address: 10.0.0.10
>
> This means rule 100300 will never be fired, because any failed
> attempt looks like it comes from the same user.
>
> Has anyone else encountered this? I will take a look at the decoder
> later today to see what is going on.
>
> I may have to find or create a new log event for a failed logon
> attempt. I have recently created a rule to ignore Pre-Authentication
> fails (Failure Code: 0x18 and 0x19), since we are using windows 2003
> and windows 7.
> -- See:
> http://www.mcbsys.com/techblog/2009/12/windows-7-causes-675-0x19-security-errors-in-windows-2003-domain/
> -- See: http://www.ossec.net/wiki/Know_How:Multiple_Failures_WindowsAD
>
>
>
> On Feb 2, 6:18 am, "dan (ddp)" <[email protected]> wrote:
>> On Wed, Feb 1, 2012 at 5:02 PM, alsdks <[email protected]> wrote:
>> > try that 18152 rule again in your local rules with overwrite="yes"
>> > option , to overwrite the original rule and see how it goes .
>>
>> (WARNING: I do not know if this will work! Try it, see if it works. Or not.)
>>
>> Combined with the above, you could try adding your rule 100300 to
>> local_rules, and copy rule 18152 with the overwrite="yes" (and no
>> other changes) below it.
>>
>> This might move the detection order to prefer the 100300 rule over
>> 18152 when the same user is involved. Might not though, I can't test
>> it at the moment.
>>
>> > On Feb 1, 11:20 pm, tao_zhyn <[email protected]> wrote:
>> >> I want to be notified if there are 10 failed logon attempts within 2
>> >> minutes from the same user.
>>
>> >> I know that rule 18152 sends an alert when there are 10 (8) failed
>> >> attempts within 2 minutes.
>>
>> >> From msauth_rules.xml
>>
>> >> <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
>> >> <if_matched_group>win_authentication_failed</if_matched_group>
>> >> <description>Multiple Windows Logon Failures.</description>
>> >> <group>authentication_failures,</group>
>> >> </rule>
>>
>> >> I have tried adding the following to my local_rules.xml
>>
>> >> <rule id="100300" level="10" frequency="8" timeframe="240">
>> >> <if_matched_group>win_authentication_failed</if_matched_group>
>> >> <same_user />
>> >> <description>Possible Brute force attack against windows logins
>> >> (10 failures within 2 minutes).</description>
>> >> <group>authentication_failures,</group>
>> >> </rule>
>>
>> >> When I use ossec_logtest the rule 18152 is fired, but never 100300.
>>
>> >> FYI: I have a file ossec_test file with 10 lines of the same bad login
>> >> for testing.
>>
>> >> WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT
>> >> AUTHORITY: SERVER1: Pre-authentication failed: User Name:
>> >> user1 User ID: %{S-1-5-21-1296043670-581226567-3024351967-8251}
>> >> Service Name: krbtgt/DOMAIN.LOCAL Pre-Authentication Type: 0x0
>> >> Failure Code: 0x19 Client Address: 10.0.0.10
>>
>> >> ---
>>
>> >> I also tried the following in my local_rules.xml in the hope that it
>> >> would override the one previously defined.
>>
>> >> <rule id="18152" level="10" frequency="8" timeframe="240">
>> >> <if_matched_group>win_authentication_failed</if_matched_group>
>> >> <same_user />
>> >> <description>Multiple Windows Logon Failures. (Same User Test)</description>
>> >> <group>authentication_failures,</group>
>> >> </rule>
>>
>> >> When I use ossec_logtest the old rule is fired, does not have "(Same
>> >> User Test)" in the description.
>>
>> >> --
>>
>> >> After some playing around I went back to my first try but modified the
>> >> frequency.
>>
>> >> <rule id="100300" level="10" frequency="5" timeframe="240">
>> >> <if_matched_group>win_authentication_failed</if_matched_group>
>> >> <same_user />
>> >> <description>Possible Brute force attack against windows logins
>> >> (10 failures within 2 minutes).</description>
>> >> <group>authentication_failures,</group>
>> >> </rule>
>>
>> >> This would trigger the rule. If I increased the frequency to 6 then
>> >> the rule 18152 would be triggered.
>>
>> >> Any idea what I am doing wrong, or pointers on how to do this
>> >> correctly?
>>
>> >> Thanks
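The thread's core finding is that the stock decoder exposes the account field of event 675 (SYSTEM) as dstuser, so a same_user condition collapses every pre-authentication failure into one "user" and a per-account brute-force rule can never discriminate. The following added example (not OSSEC's code and not from any poster) emulates a frequency/timeframe rule with a same-key condition over constructed 675-style lines, keyed once on the SYSTEM account field and once on the real principal parsed from "User Name:". The event format is modelled on the line quoted in the thread; the SID, user names and the plain count-reaches-frequency semantics are assumptions for illustration.

```python
import re
from collections import defaultdict

# Regex for the 675 pre-auth failure line as quoted in the thread (assumption:
# fields are space-separated as shown; real agent output may differ slightly).
EVENT_RE = re.compile(
    r"AUDIT_FAILURE\((\d+)\): Security: (\S+): .*?User Name: (\S+) "
    r".*?Failure Code: (0x[0-9a-fA-F]+) .*?Client Address: (\S+)"
)


def decode(line):
    """Return the fields a rule could key on. 'dstuser' is what the stock decoder
    exposes according to the thread (the SYSTEM account field); 'user_name' is the
    principal that actually failed, taken from the 'User Name:' field."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return {"event_id": m.group(1), "dstuser": m.group(2), "user_name": m.group(3),
            "failure_code": m.group(4), "srcip": m.group(5)}


def fired_keys(events, key, frequency, timeframe):
    """Emulate <frequency>/<timeframe> with a same-<key> condition: keep a sliding
    window of timestamps per key value and report the keys that reach `frequency`
    events inside `timeframe` seconds. Simplified assumption: the rule fires when the
    count reaches frequency (the thread notes OSSEC's own count is offset, e.g. 8 ~ 10)."""
    fired, window = set(), defaultdict(list)
    for ts, line in events:
        d = decode(line)
        if d is None:
            continue
        q = window[d[key]]
        q.append(ts)
        while q and ts - q[0] > timeframe:
            q.pop(0)
        if len(q) >= frequency:
            fired.add(d[key])
    return fired


def make_line(user, ip):
    """Constructed 675 line in the shape quoted in the thread; SID is a placeholder."""
    return (f"WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: "
            f"SERVER1: Pre-authentication failed: User Name: {user} User ID: "
            f"%{{S-1-5-21-0-0-0-1000}} Service Name: krbtgt/DOMAIN.LOCAL "
            f"Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: {ip}")


def sample_events():
    """Constructed input: 10 failures in 90 s from one client (5 user1, 3 user2, 2 user3)."""
    users = ["user1"] * 5 + ["user2"] * 3 + ["user3"] * 2
    return [(i * 10, make_line(u, "10.0.0.10")) for i, u in enumerate(users)]
```

Keyed on the SYSTEM field, eight mixed-account failures trip the "same user" rule; keyed on the parsed principal, only user1 is counted toward a threshold of four and none reach eight, which is the behaviour the poster was trying to get from 18152 versus 100300.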