Quoting "dan (ddp)" <[email protected]>:

On Tue, Oct 30, 2012 at 10:08 AM,  <[email protected]> wrote:
2. Can somebody tell me why the above event (generated by a W2K8 server) is not
decoded and still matches Rule 1002 ...?!

Oct 30 08:15:44 sftp microsoft-windows-security-auditing[success] 4663 An
attempt was made to access an object.#177#177Subject:#177Security
ID:#177S-1-5-21-489666841-2110797398-591752945-1274#177Account
Name:ionel#177Account Domain:SENSITIVE#177Logon
ID:0x182f97bc3#177#177Object:#177Object Server:Security#177Object
Type:File#177Object
Name:#177\Device\TrueCryptVolumeK\Transfer\out\213\errors.txt#177Handle
ID:0x84c#177#177Process Information:#177Process ID:0x4#177Process
Name:#177#177Access Request Information:#177Accesses: DELETE#177#177Access
Mask:0x10000


Not being decoded and matching rule 1002 may be different issues. What
should this decode as? How did you get this log message into the OSSEC
server (ossec agent, snare, ??)?

I am getting this message from our Windows 2008 server (we are using rsyslog on a Linux central server to collect it).


3. Why does adding the rule below into the local_rules.xml file ... matching event id
4663 not work ...? It is still matching Rule 1002!

    <rule id="100360" level="12">
        <if_sid>18100</if_sid>

If it's matching sid 1002, why did you tell the rule to look for
events matching 18100?

I just tried 18100, considering that it should translate to: "if it is a Windows operating system" ... do something!

        <id>^4663</id>

and here I tried to match event id 4663 ...

So, my question is: are Windows 2008 events supported in ossec-2.6?

If not, when are they planned to be supported in a stable OSSEC release?

Regards,
Alx
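As an added example (not part of this thread and not OSSEC's own decoder), the small Python parser below shows what a decoder has to do with this rsyslog-forwarded 4663 line before a local rule can match on the event id or on the DELETE access; it assumes the "#177" tokens are rsyslog's "#ooo" octal escapes of the control character that separated the event's fields, and all function names are mine.

```python
import re

# Constructed sample: the 4663 line quoted in the thread, re-typed as one string. The
# "#177" tokens are assumed (not stated in the thread) to be rsyslog "#ooo" octal escapes.
SAMPLE = (
    "Oct 30 08:15:44 sftp microsoft-windows-security-auditing[success] 4663 An "
    "attempt was made to access an object.#177#177Subject:#177Security "
    "ID:#177S-1-5-21-489666841-2110797398-591752945-1274#177Account "
    "Name:ionel#177Account Domain:SENSITIVE#177Logon "
    "ID:0x182f97bc3#177#177Object:#177Object Server:Security#177Object "
    "Type:File#177Object "
    "Name:#177\\Device\\TrueCryptVolumeK\\Transfer\\out\\213\\errors.txt#177Handle "
    "ID:0x84c#177#177Process Information:#177Process ID:0x4#177Process "
    "Name:#177#177Access Request Information:#177Accesses: DELETE#177#177Access "
    "Mask:0x10000"
)

HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"microsoft-windows-security-auditing\[(?P<outcome>\w+)\] (?P<event_id>\d+) (?P<body>.*)$"
)
# "Account Name:ionel" -> key/value; 2+ letters before ':' so "C:\path" is not read as a key
KEY = re.compile(r"^([A-Za-z][A-Za-z ]+):\s*(.*)$")

def unescape_rsyslog(text):
    """Turn rsyslog's "#ooo" octal escapes back into the original control characters."""
    return re.sub(r"#([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)

def decode_4663(line):
    """Return the syslog header fields plus the event's Key:Value pairs, or None."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = {k: m.group(k) for k in ("ts", "host", "outcome", "event_id")}
    segments = re.split(r"[\x00-\x1f\x7f]", unescape_rsyslog(m.group("body")))  # split on separator
    pending = None  # key whose value was pushed onto the following segment
    for seg in segments:
        seg = seg.strip()
        km = KEY.match(seg)
        if km:
            pending, fields[km.group(1)] = km.group(1), km.group(2)
        elif seg and pending and not fields[pending]:
            fields[pending] = seg  # e.g. "Object Name:" followed by the path
            pending = None
    return fields

def local_rule_would_fire(fields, event_id="4663", access="DELETE"):
    """Intent of the thread's <id>^4663</id> rule, tightened to one access type."""
    return (fields is not None and fields["event_id"] == event_id
            and access in fields.get("Accesses", ""))
```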

