Hello ossec experts,
1. I have installed ossec-hids-2.6-16.el5 and a few days ago I started
to write some rules to better match our network, and today I
realized that for w2k8 ... the predefined rules and also the actual ossec
decoders are not working ...
Where can I find rules that work with Windows 2008 Server, or how can I
get correctly decoded alerts for the Windows 2008 OS? I don't want to
reinvent the wheel and write all the rules for this OS ... How have other
people solved this problem?
2. Can somebody tell me why the above event (generated by a w2k8 server) is
not decoded and still matches Rule 1002 ...?!
Oct 30 08:15:44 sftp microsoft-windows-security-auditing[success] 4663
An attempt was made to access an object.#177#177Subject:#177Security
ID:#177S-1-5-21-489666841-2110797398-591752945-1274#177Account
Name:ionel#177Account Domain:SENSITIVE#177Logon
ID:0x182f97bc3#177#177Object:#177Object Server:Security#177Object
Type:File#177Object
Name:#177\Device\TrueCryptVolumeK\Transfer\out\213\errors.txt#177Handle
ID:0x84c#177#177Process Information:#177Process ID:0x4#177Process
Name:#177#177Access Request Information:#177Accesses:
DELETE#177#177Access Mask:0x10000
3. Why, after adding the below rule to the local_rules.xml file ... does
matching event id 4663 not work ...? It is still matching Rule 1002!
<rule id="100360" level="12">
  <if_sid>18100</if_sid>
  <id>^4663</id>
  <description>An attempt was made to access an object - custom</description>
</rule>
How can I correct the above rule to better match event 4663 and work for
the w2k8 OS?
I want to mention that the other rules declared in the local_rules.xml file
are working without problems!
Regards,
Alx
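Added illustration (this is not code from the post, from OSSEC, or from any of its decoders): a small Python stand-in for the two decision points the post is asking about. In OSSEC a rule's <match> runs against the raw log text, while <id> is compared against the "id" field that a decoder extracted, and <if_sid> additionally requires the parent rule to have fired first; so a rule keyed on ^4663 can only match after some decoder has recognised the line and populated that field. The sample line below is constructed to have the same shape as the quoted 4663 event (SID, domain and path replaced by placeholders), the regexes are assumptions about the forwarder's syslog format, and the short keyword list is a constructed stand-in for the generic keyword list behind rule 1002, not the real one.

```python
import re

# Constructed sample: same shape as the 4663 event in the post, with the SID,
# domain and file path replaced by placeholder values.
SAMPLE_LINE = (
    "Oct 30 08:15:44 sftp microsoft-windows-security-auditing[success] 4663 "
    "An attempt was made to access an object.#177#177Subject:#177Security ID:#177"
    "S-1-5-21-0-0-0-1274#177Account Name:ionel#177Account Domain:EXAMPLE#177"
    "Logon ID:0x182f97bc3#177#177Object:#177Object Server:Security#177"
    "Object Type:File#177Object Name:#177\\Device\\Volume\\out\\errors.txt#177"
    "Handle ID:0x84c#177#177Access Request Information:#177Accesses: DELETE#177#177"
    "Access Mask:0x10000"
)

# Assumed layout of the forwarded line: syslog timestamp and host, then
# "<program>[<status>] <event id> <message>". "#177" stands where the line
# breaks of the original multi-line event description were.
SYSLOG_HDR = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<rest>.*)$")
WIN_EVENT = re.compile(r"^(?P<program>[\w.-]+)\[(?P<status>\w+)\] (?P<id>\d+) (?P<msg>.*)$")
LINE_SEP = "#177"

# Constructed, shortened stand-in for a generic "bad words" keyword rule.
GENERIC_BAD_WORDS = ("error", "failed", "denied")


def decode_win_event(line):
    """Return a dict of decoded fields, or None if the line is not in this format."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    e = WIN_EVENT.match(m.group("rest"))
    if not e:
        return None
    fields = {
        "hostname": m.group("host"),
        "program": e.group("program"),
        "status": e.group("status"),
        "id": e.group("id"),
    }
    parts = [p.strip() for p in e.group("msg").split(LINE_SEP)]
    fields["description"] = parts[0]
    pending = None  # key whose value is on the following "line" (e.g. "Object Name:")
    for part in parts[1:]:
        if not part:
            pending = None
            continue
        key, sep, val = part.partition(":")
        if sep and val.strip():
            fields[key.strip()] = val.strip()
            pending = None
        elif sep:
            pending = key.strip()
        elif pending:
            fields[pending] = part
            pending = None
    return fields


def evaluate_rules(line):
    """Return (decoded fields, list of rules that fired) for one log line."""
    decoded = decode_win_event(line)
    fired = []
    # Keyword rule: inspects the raw text, so it fires whether or not the
    # line was decoded ("errors.txt" contains "error").
    if any(w in line.lower() for w in GENERIC_BAD_WORDS):
        fired.append("generic-keyword")
    # id-keyed rule: only has something to compare once a decoder produced "id".
    if decoded is not None and re.match(r"^4663", decoded["id"]):
        fired.append("custom-4663")
    return decoded, fired


if __name__ == "__main__":
    decoded, fired = evaluate_rules(SAMPLE_LINE)
    for k in ("id", "Account Name", "Object Name", "Accesses"):
        print(f"{k}: {decoded[k]}")
    print("fired:", fired)
```

Running the decoder over a line that does not match the assumed format (for example an sshd message containing the word "error") returns no fields at all, so only the keyword rule can fire on it; that is the same situation as an undecoded Windows event falling through to a generic rule.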