On Thu, Jul 26, 2012 at 2:59 PM, Andres Felipe Mejia Sanchez
<[email protected]> wrote:
> It didn't work..  Thanks anyway..
>

Part of the problem may be the way your sample log message came
through. It looked horrible.

Not really tested:
  <rule id="110005" level="1">
    <if_sid>18119</if_sid>
    <match>sesin: 5</match>
    <description>Ignore something</description>
  </rule>


> On Thursday, July 26, 2012 05:25:31 UTC-5, alsdks wrote:
>>
>> Hello,
>>
>> try this:
>>
>> <rule id="100001" level="0">
>>    <if_sid>18107</if_sid>
>>    <match>Tipo de inicio de sesin: 5</match>
>>    <description>Rule to mute Logon type 5</description>
>> </rule>
>>
>> Let me know if that helps
>>
>> Cheers
>>
>> On Wednesday, July 25, 2012 11:53:03 PM UTC+3, Andres Felipe Mejia Sanchez
>> wrote:
>>>
>>> Hi.. I'm trying to make a Windows exception rule, but I excluded
>>>
>>> 1805 rule id
>>> 528 id
>>> it works!
>>>
>>> but I also need to exclude the logon type (5). Does anybody know how to
>>> exclude by logon type?
>>>
>>> ** Alert 1343249162.804628: - windows,authentication_success, 2012 Jul 25
>>> 15:46:02 (amejia) 10.16.1.32->WinEvtLog Rule: 18107 (level 3) ->
>>> 'Windows Logon Success.' Src IP: (none) User: SERVICIO LOCAL WinEvtLog:
>>> Security: AUDIT_SUCCESS(528): Security: SERVICIO LOCAL: NT AUTHORITY:
>>> AMEJIA: Inicio de sesin realizado:          Nombre de usuario:      
>>> SERVICIO LOCAL
>>>     Dominio:        NT AUTHORITY            Id. de inicio de sesin:         
>>> (0x0,0x3E5)
>>>     Tipo de inicio de sesin: 5      Proceso de inicio de sesin: Advapi
>>>     Paquete de autenticacin: Negotiate      Nombre de estacin de
>>> trabajo:            GUID de inicio de sesin: -
>>>
>>>
>>>
>
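As an added illustration (not code from the thread, from OSSEC itself, or from any of the posters), the following Python models how an OSSEC child rule with `<if_sid>` and `<match>` overrides a parent alert, and why a `<match>` string copied from the mangled sample may never fire. It assumes two things the thread only hints at: that the agent really sends the accented form "sesión" and the mailing-list copy lost the "ó", and that parent rule 18107 fires at level 3 as shown in the alert. The sample log text and the rule XML are constructed for the example; the `sregex_match` helper approximates OSSEC's `<match>` syntax (`|` alternatives, `^`/`$` anchors, plain substring otherwise) and does not model the `!` negation operator.

```python
# Added example (not from the thread or from OSSEC): a small model of OSSEC's
# <if_sid>/<match> child-rule evaluation, used to show why a <match> copied
# from a mangled log sample can fail. Assumptions (labelled): the agent sends
# the accented "sesión"; parent rule 18107 fires at level 3 as in the alert.
import xml.etree.ElementTree as ET


def sregex_match(pattern: str, text: str) -> bool:
    """Approximate OSSEC <match> ('sregex') semantics: alternatives separated
    by '|', '^' anchors to the start, '$' anchors to the end, otherwise a plain
    substring test. The '!' negation operator is not modelled."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        core = alt[1 if start else 0:len(alt) - 1 if end else len(alt)]
        if start and end:
            hit = text == core
        elif start:
            hit = text.startswith(core)
        elif end:
            hit = text.endswith(core)
        else:
            hit = core in text
        if hit:
            return True
    return False


def load_rules(xml_text: str) -> list:
    """Parse <rule> elements from a local_rules-style XML fragment."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        sids = (r.findtext("if_sid") or "").replace(" ", "")
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": [int(s) for s in sids.split(",") if s],
            "match": r.findtext("match"),
            "description": r.findtext("description") or "",
        })
    return rules


def evaluate(rules: list, fired_sid: int, fired_level: int, log_text: str) -> tuple:
    """Walk the rule tree from an already-matched parent: a child is considered
    only once its <if_sid> parent matched, and the deepest matching child sets
    the final level (level 0 means the event is silenced)."""
    rule_id, level, seen = fired_sid, fired_level, set()
    while True:
        child = next(
            (r for r in rules
             if rule_id in r["if_sid"] and r["id"] not in seen
             and (r["match"] is None or sregex_match(r["match"], log_text))),
            None,
        )
        if child is None:
            return rule_id, level
        seen.add(child["id"])
        rule_id, level = child["id"], child["level"]


PARENT_SID, PARENT_LEVEL = 18107, 3  # "Windows Logon Success." as in the alert

# Constructed log text modelled on the alert in the thread, whitespace collapsed,
# with the accent restored (assumption: the agent really sends "sesión").
LOG_ACCENTED = (
    "WinEvtLog: Security: AUDIT_SUCCESS(528): Security: SERVICIO LOCAL: NT AUTHORITY: "
    "AMEJIA: Inicio de sesión realizado: Nombre de usuario: SERVICIO LOCAL "
    "Dominio: NT AUTHORITY Id. de inicio de sesión: (0x0,0x3E5) "
    "Tipo de inicio de sesión: 5 Proceso de inicio de sesión: Advapi"
)
LOG_STRIPPED = LOG_ACCENTED.replace("ó", "")  # what the mailing-list copy looked like

# A rule whose <match> was copied from the stripped sample (constructed)
RULES_STRIPPED = """<group name="local,">
  <rule id="100001" level="0">
    <if_sid>18107</if_sid>
    <match>Tipo de inicio de sesin: 5</match>
    <description>Rule to mute Logon type 5</description>
  </rule>
</group>"""

# The same rule using the '|' operator so either spelling silences the event
RULES_BOTH = RULES_STRIPPED.replace(
    "<match>Tipo de inicio de sesin: 5</match>",
    "<match>Tipo de inicio de sesión: 5|Tipo de inicio de sesin: 5</match>",
)


def final_level(rules_xml: str, log_text: str) -> int:
    """Level the event ends up with after the local rules are applied."""
    return evaluate(load_rules(rules_xml), PARENT_SID, PARENT_LEVEL, log_text)[1]


if __name__ == "__main__":
    for name, rules in (("stripped match", RULES_STRIPPED), ("both spellings", RULES_BOTH)):
        for log_name, log in (("accented log", LOG_ACCENTED), ("stripped log", LOG_STRIPPED)):
            print(f"{name:15} vs {log_name}: level {final_level(rules, log)}")
```

The practitioner's check is to run the exact line the agent delivers through `ossec-logtest` rather than a copy pasted from e-mail, because `<match>` is a byte-for-byte substring test and a single dropped accent is enough for the mute rule to never apply; the `|` form above is a way to tolerate both spellings when the encoding the agent sends is not certain.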
