On Thu, Nov 1, 2012 at 4:07 PM, Tom OBrion <[email protected]> wrote:
> Here is the alert after I changed rule 18104 to level "3" from level "0".
> Prior to that this event would not trigger.
>
> ** Alert 1351792038.4533975: mail - windows,adduser,account_changed,
>
> 2012 Nov 01 17:47:18 (Tom_Win_Malware) any->WinEvtLog
>
> Rule: 18110 (level 8) -> 'User account enabled or created.'
>
> User: (no user)
>
> WinEvtLog: Security: AUDIT_SUCCESS(4722):
> Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: A
> user account was enabled. Subject: Security ID:
> S-1-5-21-800335143-1878524036-1083337731-1000 Account Name: secarch
> Account Domain: mydomain Logon ID: 0x1ab61 Target Account: Security ID:
> S-1-5-21-800335143-1878524036-1083337731-1004
> Account Name: Bonehead Account Domain: mydomain
>
>
I get this with 18104 at level 0 (I'm using the latest code though, no
idea what may have changed between what you're using and what I'm
using):
# cat /tmp/hhh | /var/ossec/bin/ossec-logtest
2012/11/01 16:15:21 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2012/11/01 16:15:21 ossec-testrule: INFO: Reading decoder file etc/local_decoder.xml.
2012/11/01 16:15:21 ossec-testrule: INFO: Reading the lists file: 'lists/blocked.txt'
2012/11/01 16:15:21 ossec-testrule: INFO: Reading the lists file: 'lists/userlist.txt'
2012/11/01 16:15:21 ossec-testrule: INFO: Reading the lists file: 'lists/auser.txt'
2012/11/01 16:15:22 ossec-testrule: INFO: Started (pid: 13005).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4722):
Microsoft-Windows-Security-Auditing: (no user): no domain:
workstation: A user account was enabled. Subject: Security ID:
S-1-5-21-800335143-1878524036-1083337731-1000 Account Name: secarch
Account Domain: mydomain Logon ID: 0x1ab61 Target Account:
Security ID: S-1-5-21-800335143-1878524036-1083337731-1004 Account
Name: Bonehead Account Domain: mydomain'
hostname: 'arrakis'
program_name: '(null)'
log: 'WinEvtLog: Security: AUDIT_SUCCESS(4722):
Microsoft-Windows-Security-Auditing: (no user): no domain:
workstation: A user account was enabled. Subject: Security ID:
S-1-5-21-800335143-1878524036-1083337731-1000 Account Name: secarch
Account Domain: mydomain Logon ID: 0x1ab61 Target Account:
Security ID: S-1-5-21-800335143-1878524036-1083337731-1004 Account
Name: Bonehead Account Domain: mydomain'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_SUCCESS'
id: '4722'
extra_data: 'Microsoft-Windows-Security-Auditing'
dstuser: '(no user)'
system_name: 'workstation'
**Phase 3: Completed filtering (rules).
Rule id: '18110'
Level: '8'
Description: 'User account enabled or created.'
**Alert to be generated.
>
>
> On Thu, Nov 1, 2012 at 2:50 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Thu, Nov 1, 2012 at 2:48 PM, Tom OBrion <[email protected]> wrote:
>> > I am somewhat new to OSSEC so be nice, PLEASE! :)
>> >
>> > I am not quite understanding why an ID: 4720 would not hit my alert log
>> > based on the below rules. As soon as I change rule id 18104's alert level
>> > to something other than 0 she alerts. I was under the impression that if
>> > the if_sid statement is true it continues into the rule. So based on the
>> > windows security event, the audit was a success and the category is
>> > windows, so it should have triggered based on these rules. Like I said, as
>> > soon as I change the 18104 rule to, let's say, level 4 she worked. Let me
>> > know if you need additional information, but is there someplace else I
>> > need to look, or maybe I'm missing something? THANKS..
>> >
>> > NOTE: A 4720 is "user account was created" and was a success. Keywords:
>> > Audit Success
>> >
>> >
>> > <rule id="18100" level="0">
>> > <category>windows</category>
>> > <description>Group of windows rules.</description>
>> > </rule>
>> >
>> > <rule id="18104" level="0">
>> > <if_sid>18100</if_sid>
>> > <status>^AUDIT_SUCCESS|^success</status>
>> > <description>Windows audit success event.</description>
>> > </rule>
>> >
>> > <rule id="18110" level="8">
>> > <if_sid>18104</if_sid>
>> > <id>^624|^626|^645|^4720|^4722|^4741</id>
>> > <description>User account enabled or created.</description>
>> > <group>adduser,account_changed,</group>
>> > </rule>
>> >
>> >
>> > --
>> > Tom O'Brion
>> > Twitter: @tobrion
>> >
>> > "Life is too short to spend time with people who suck the happy out of
>> > you."
>> >
>>
>> Can you provide a log sample? And what worked? You got a 18110 alert?
>
>
>
>
> --
> Tom O'Brion
> Twitter: @tobrion
> Skype: TomOBrion
>
> "Life is too short to spend time with people who suck the happy out of you."
>
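The point of Dan's logtest run is that the level of a parent rule has no bearing on whether its if_sid children are evaluated: level 0 only suppresses the alert for that rule, it does not stop the walk down to 18110. The script below is an added, deliberately simplified model of that matching pass, written for this thread and not taken from OSSEC's source. It parses the three rules exactly as Tom posted them, decodes the 4722 line from the thread with a hand-written regex that stands in for OSSEC's real "windows" decoder (an assumption; it only extracts the fields ossec-logtest printed in Phase 2), and uses Python's `re` in place of OSSEC's own regex engine. The extra 4720, 4624 and 4625 lines and the `set_level` helper are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# The three rules from the thread, wrapped in a <group> so ElementTree can
# parse them (OSSEC's rule files wrap rules in <group> too).
RULES_XML = """<group name="windows,">
<rule id="18100" level="0">
<category>windows</category>
<description>Group of windows rules.</description>
</rule>
<rule id="18104" level="0">
<if_sid>18100</if_sid>
<status>^AUDIT_SUCCESS|^success</status>
<description>Windows audit success event.</description>
</rule>
<rule id="18110" level="8">
<if_sid>18104</if_sid>
<id>^624|^626|^645|^4720|^4722|^4741</id>
<description>User account enabled or created.</description>
<group>adduser,account_changed,</group>
</rule>
</group>"""

# Constructed sample lines. The 4722 line is the one from the thread joined
# onto one line; the others follow the same WinEvtLog layout.
LOG_4722 = ("WinEvtLog: Security: AUDIT_SUCCESS(4722): "
            "Microsoft-Windows-Security-Auditing: (no user): no domain: "
            "workstation: A user account was enabled. Subject: Security ID: "
            "S-1-5-21-800335143-1878524036-1083337731-1000 Account Name: secarch "
            "Account Domain: mydomain Logon ID: 0x1ab61 Target Account: "
            "Security ID: S-1-5-21-800335143-1878524036-1083337731-1004 "
            "Account Name: Bonehead Account Domain: mydomain")
LOG_4720 = ("WinEvtLog: Security: AUDIT_SUCCESS(4720): "
            "Microsoft-Windows-Security-Auditing: (no user): no domain: "
            "workstation: A user account was created.")
LOG_4624 = ("WinEvtLog: Security: AUDIT_SUCCESS(4624): "
            "Microsoft-Windows-Security-Auditing: (no user): no domain: "
            "workstation: An account was successfully logged on.")
LOG_4625 = ("WinEvtLog: Security: AUDIT_FAILURE(4625): "
            "Microsoft-Windows-Security-Auditing: (no user): no domain: "
            "workstation: An account failed to log on.")

# Stand-in for OSSEC's "windows" decoder (assumption: field order as printed
# by ossec-logtest above: status(id), extra_data, dstuser, domain, system_name).
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<message>.*)$")


def decode_winevt(line):
    """Return the decoded fields for a WinEvtLog line, or None."""
    m = WINEVT_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["category"] = "windows"   # what the 'windows' decoder tags the event with
    return event


def load_rules(xml_text):
    """Parse <rule> elements into dicts keyed by rule id."""
    rules = {}
    for r in ET.fromstring(xml_text).findall("rule"):
        rules[r.get("id")] = {
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_sid": (r.findtext("if_sid") or "").strip() or None,
            "category": r.findtext("category"),
            "status": r.findtext("status"),
            "event_id": r.findtext("id"),
            "description": r.findtext("description"),
        }
    return rules


def set_level(rules, rule_id, level):
    """Helper for the experiment in the thread: change one rule's level."""
    rules[rule_id]["level"] = level


def rule_matches(rule, event):
    """Every condition present in the rule must hold. Level is not a condition."""
    if rule["category"] and rule["category"] != event.get("category"):
        return False
    if rule["status"] and not re.search(rule["status"], event.get("status", "")):
        return False
    if rule["event_id"] and not re.search(rule["event_id"], event.get("id", "")):
        return False
    return True


def evaluate(rules, event):
    """Walk the rule tree: root rules (no if_sid) first, then into the children
    of whichever rule matched. Returns the deepest matching rule."""
    children = {}
    for r in rules.values():
        children.setdefault(r["if_sid"], []).append(r)

    def walk(parent_id, current):
        for r in children.get(parent_id, []):
            if rule_matches(r, event):
                return walk(r["id"], r)
        return current

    return walk(None, None)


def alert_for(rules, line):
    """(rule id, level, description) for the alert a line would raise, or None.
    A level-0 winner is where OSSEC stays silent; the walk itself ignored level."""
    event = decode_winevt(line)
    if event is None:
        return None
    r = evaluate(rules, event)
    if r is None or r["level"] == 0:
        return None
    return (r["id"], r["level"], r["description"])


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for line in (LOG_4722, LOG_4720, LOG_4624, LOG_4625):
        print(line[:45], "->", alert_for(rules, line))
```

With 18104 left at level 0, the 4722 and 4720 lines both end at 18110 (level 8) and the 4624 logon stops at 18104 and stays silent; raising 18104 to level 3, as Tom did, changes nothing for 4722 and only adds an alert for every other successful audit event, which is the side effect to watch for if that change is left in place.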