Hello. It did not work either, but thanks for your time, I really appreciate it. Another question:

Can I use multiple <match> inside a single <rule>? <rule> <match>1 <match>2 ??

On Thursday, July 26, 2012 14:18:58 UTC-5, dan (ddpbsd) wrote:
> On Thu, Jul 26, 2012 at 2:59 PM, Andres Felipe Mejia Sanchez <[email protected]> wrote:
>> It didn't work.. Thanks anyway..
>
> Part of the problem may be the way your sample log message came through. It looked horrible.
>
> Not really tested:
>
> <rule id="110005" level="1">
>   <if_sid>18119</if_sid>
>   <match>sesin: 5</match>
>   <description>Ignore something</description>
> </rule>
>
>> On Thursday, July 26, 2012 05:25:31 UTC-5, alsdks wrote:
>>> Hello,
>>>
>>> try this:
>>>
>>> <rule id="100001" level="0">
>>>   <if_sid>18107</if_sid>
>>>   <match>Tipo de inicio de sesin: 5</match>
>>>   <description>Rule to mute Logon type 5</description>
>>> </rule>
>>>
>>> Let me know if that helps
>>>
>>> Cheers
>>>
>>> On Wednesday, July 25, 2012 11:53:03 PM UTC+3, Andres Felipe Mejia Sanchez wrote:
>>>> Hi.. I'm trying to make a Windows exception rule, but I excluded
>>>>
>>>> 1805 rule id
>>>> 528 id
>>>> it works!
>>>>
>>>> but I also need to exclude the logon type (5). Does anybody know how to exclude by logon type?
>>>>
>>>> ** Alert 1343249162.804628: - windows,authentication_success, 2012 Jul 25 15:46:02 (amejia) 10.16.1.32->WinEvtLog Rule: 18107 (level 3) -> 'Windows Logon Success.' Src IP: (none) User: SERVICIO LOCAL WinEvtLog: Security: AUDIT_SUCCESS(528): Security: SERVICIO LOCAL: NT AUTHORITY: AMEJIA: Inicio de sesin realizado: Nombre de usuario: SERVICIO LOCAL Dominio: NT AUTHORITY Id. de inicio de sesin: (0x0,0x3E5) Tipo de inicio de sesin: 5 Proceso de inicio de sesin: Advapi Paquete de autenticacin: Negotiate Nombre de estacin de trabajo: GUID de inicio de sesin: -
