On Fri, Mar 16, 2012 at 7:22 AM, Frank Devlin <[email protected]> wrote:
> I have been receiving alerts from a Windows 2008 server for rule 18152
> (multiple logon failures) and I was wondering why the server was not using
> active response to blackhole the source IP. I found a few responses on here
> stating that rule 18152 does not pull the source IP from the log files and
> that a custom decoder was needed to do so. I tried, and failed, so I am
> seeking any help that someone can give.
>
> Here is the sanitized alert:
>
> WinEvtLog: Security: AUDIT_FAILURE(4625):
> Microsoft-Windows-Security-Auditing: (no user): no domain: System01: An
> account failed to log on. Subject: Security ID: S-1-5-18 Account Name:
> System01$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 10
> Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: test
> Account Domain: System01 Failure Information: Failure Reason: %%2313
> Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller
> Process ID: 0x2f4 Caller Process Name: C:\Windows\System32\winlogon.exe
> Network Information: Workstation Name: System01 Source Network Address:
> 111.222.333.444 Source Port: 1234 Detailed Authentication Information:
> Logon Process: User32 Authentication Package: Negotiate Transited
> Services: - Package Name (NTLM only): - Key Length: 0 This event is
> generated when a logon request fails. It is generated on the computer where
> access was attempted.
>
> Here is the closest I have made it using a custom decoder:
>
> <decoder name="windows">
> <type>windows</type>
> <prematch>^WinEvtLog: </prematch>
> <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
> <regex>(\.+): \.+: (\S+): \.+: \.+: \.+: \.+: \.+: \.+: \.+: </regex>
> <regex> \.+: \.+: \.+: \.+: \.+: \.+: \.+: \.+: (\.+): \.+: (\.+):</regex>

None of the information in the log message is static enough that you can
replace some of the "\.+" entries with, say, "Source Network Address:"? Trying
to decode this mess to try and help you is going to give me nightmares.

> <order>status, id, extra_data, user, system_name, srcip, srcip2 </order>
> <fts>name, location, user, system_name, srcip, srcip2</fts>
> </decoder>
>
> When I test this using the ossec-logtest program, this is the response:
>
> **Phase 2: Completed decoding.
> decoder: 'windows'
> status: 'AUDIT_FAILURE'
> id: '4625'
> extra_data: 'Microsoft-Windows-Security-Auditing'
> dstuser: '(no user)'
> system_name: 'web01'
> srcip: ' Caller Process ID'
> srcip: 'C'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '18106'
> Level: '5'
> Description: 'Windows Logon Failure.'
> **Alert to be generated.
>
> And after testing it multiple times, I get the 18152 rule:
>
> **Phase 3: Completed filtering (rules).
> Rule id: '18152'
> Level: '10'
> Description: 'Multiple Windows Logon Failures.'
> **Alert to be generated.
>
> I used srcip2 to see where the decoder was failing. It appears that it is
> failing at the windows path "C:\Windows\System32\winlogon.exe". I can get it
> to read the C, but I cannot get it to get past that section in the decoder.
> If I use the standard "\.+:" to skip to the next : (colon), it changes the
> decoding to this:
>
> **Phase 2: Completed decoding.
> decoder: 'windows'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '18100'
> Level: '0'
> Description: 'Group of windows rules.'
>
> Any ideas on how to write a decoder and pull the source IP address from that
> event?
>
> Frank
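As an added illustration of the point made in the reply (this is not code from Frank's post or from the OSSEC project), the Python below contrasts the two decoding strategies using plain `re` rather than OSSEC's own regex dialect. The sample event is the sanitized 4625 message from the post, joined onto one line the way the agent forwards it; the `10.0.0.5` and `-` variants, the field index 27 and the `should_block` gate are constructed for the example. Counting colon-delimited fields breaks because `C:\Windows\System32\winlogon.exe` contributes an extra colon and shifts every later field by one; anchoring on the literal label `Source Network Address:` does not care how many colons precede it.

```python
import ipaddress
import re

# Constructed sample: the sanitized 4625 event from the post, on one line.
# 111.222.333.444 is the poster's own sanitized placeholder, not a real address.
SAMPLE_EVENT = (
    "WinEvtLog: Security: AUDIT_FAILURE(4625): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: System01: An "
    "account failed to log on. Subject: Security ID: S-1-5-18 Account Name: "
    "System01$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 10 "
    "Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: test "
    "Account Domain: System01 Failure Information: Failure Reason: %%2313 "
    "Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller "
    "Process ID: 0x2f4 Caller Process Name: C:\\Windows\\System32\\winlogon.exe "
    "Network Information: Workstation Name: System01 Source Network Address: "
    "111.222.333.444 Source Port: 1234 Detailed Authentication Information: "
    "Logon Process: User32 Authentication Package: Negotiate Transited "
    "Services: - Package Name (NTLM only): - Key Length: 0 This event is "
    "generated when a logon request fails. It is generated on the computer where "
    "access was attempted."
)


def extract_srcip_positional(event, field_index=27):
    """Mimic a decoder that skips a fixed number of colon-delimited fields.

    Index 27 (an assumption for this example) is where the address would sit
    if 'Caller Process Name' carried no drive letter. The 'C:' in the path adds
    one more colon, so this picks up the preceding field's value instead.
    """
    segments = event.split(":")
    if len(segments) <= field_index:
        return None
    words = segments[field_index].split()
    return words[0] if words else None


# Anchored extraction: the field labels are fixed text in every 4625 event,
# so match on them instead of counting separators.
SRC_ADDR_RE = re.compile(r"Source Network Address:\s+(\S+)\s+Source Port:\s+(\d+)")


def extract_network_fields(event):
    """Return {'srcip': str|None, 'srcport': int} or None if the labels are absent.

    Console and other local logons carry '-' as the address; report that as
    None so downstream logic does not treat a dash as a host to act on.
    """
    m = SRC_ADDR_RE.search(event)
    if not m:
        return None
    addr, port = m.group(1), int(m.group(2))
    return {"srcip": None if addr == "-" else addr, "srcport": port}


def should_block(fields):
    """Hypothetical active-response gate: only a syntactically valid, non-local
    address is a candidate for blocking. The sanitized 111.222.333.444 fails
    this check on purpose, which is exactly what you want from a placeholder."""
    if not fields or not fields["srcip"]:
        return False
    try:
        ip = ipaddress.ip_address(fields["srcip"])
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_unspecified)


if __name__ == "__main__":
    print("positional:", extract_srcip_positional(SAMPLE_EVENT))
    print("anchored:  ", extract_network_fields(SAMPLE_EVENT))
    for addr in ("10.0.0.5", "-"):
        variant = SAMPLE_EVENT.replace("111.222.333.444", addr)  # constructed
        fields = extract_network_fields(variant)
        print(addr, "->", fields, "block:", should_block(fields))
```

The same idea carries over to an OSSEC decoder: a child `<regex>` whose body is the literal label followed by a capture, with `srcip` in its `<order>`, is stable across everything that precedes the label, including paths and the variable Subject and Failure Information blocks.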
