I am at 2.5.1 on this box; I will test with 2.7.2 at home and check the rules. Thanks.

Tom

On Nov 1, 2012 4:17 PM, "dan (ddp)" <[email protected]> wrote:
> On Thu, Nov 1, 2012 at 4:07 PM, Tom OBrion <[email protected]> wrote:
> > Here is the alert after I changed rule 18104 to level "3" from level "0".
> > Prior to that this event would not trigger.
> >
> > ** Alert 1351792038.4533975: mail - windows,adduser,account_changed,
> > 2012 Nov 01 17:47:18 (Tom_Win_Malware) any->WinEvtLog
> > Rule: 18110 (level 8) -> 'User account enabled or created.'
> > User: (no user)
> > WinEvtLog: Security: AUDIT_SUCCESS(4722): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: A user account was enabled. Subject: Security ID: S-1-5-21-800335143-1878524036-1083337731-1000 Account Name: secarch Account Domain: mydomain Logon ID: 0x1ab61 Target Account: Security ID: S-1-5-21-800335143-1878524036-1083337731-1004 Account Name: Bonehead Account Domain: mydomain
> >
>
> I get this with 18104 at level 0 (I'm using the latest code though, no idea what may have changed between what you're using and what I'm using):
>
> # cat /tmp/hhh | /var/ossec/bin/ossec-logtest
> 2012/11/01 16:15:21 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
> 2012/11/01 16:15:21 ossec-testrule: INFO: Reading decoder file etc/local_decoder.xml.
> 2012/11/01 16:15:21 ossec-testrule: INFO: Reading the lists file: 'lists/blocked.txt'
> 2012/11/01 16:15:21 ossec-testrule: INFO: Reading the lists file: 'lists/userlist.txt'
> 2012/11/01 16:15:21 ossec-testrule: INFO: Reading the lists file: 'lists/auser.txt'
> 2012/11/01 16:15:22 ossec-testrule: INFO: Started (pid: 13005).
> ossec-testrule: Type one log per line.
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4722): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: A user account was enabled. Subject: Security ID: S-1-5-21-800335143-1878524036-1083337731-1000 Account Name: secarch Account Domain: mydomain Logon ID: 0x1ab61 Target Account: Security ID: S-1-5-21-800335143-1878524036-1083337731-1004 Account Name: Bonehead Account Domain: mydomain'
> hostname: 'arrakis'
> program_name: '(null)'
> log: 'WinEvtLog: Security: AUDIT_SUCCESS(4722): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: A user account was enabled. Subject: Security ID: S-1-5-21-800335143-1878524036-1083337731-1000 Account Name: secarch Account Domain: mydomain Logon ID: 0x1ab61 Target Account: Security ID: S-1-5-21-800335143-1878524036-1083337731-1004 Account Name: Bonehead Account Domain: mydomain'
>
> **Phase 2: Completed decoding.
> decoder: 'windows'
> status: 'AUDIT_SUCCESS'
> id: '4722'
> extra_data: 'Microsoft-Windows-Security-Auditing'
> dstuser: '(no user)'
> system_name: 'workstation'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '18110'
> Level: '8'
> Description: 'User account enabled or created.'
> **Alert to be generated.
>
>
> > On Thu, Nov 1, 2012 at 2:50 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Thu, Nov 1, 2012 at 2:48 PM, Tom OBrion <[email protected]> wrote:
> >> > I am somewhat new to OSSEC so be nice, PLEASE! :)
> >> >
> >> > I am not quite understanding why an ID 4720 would not hit my alert log based on the below rules. As soon as I change rule id 18104's alert level to something other than 0 she alerts. I was under the impression that if the if_sid statement is true it continues into the rule. So based on the Windows security event (the audit was a success and the category is windows) it should have triggered based on these rules. Like I said, as soon as I change the 18104 rule to, let's say, level 4 she worked. Let me know if you need additional information, but is there someplace else I need to look, or maybe I am missing something? THANKS..
> >> >
> >> > NOTE: A 4720 is "user account was created" and was a success. Keywords: Audit Success
> >> >
> >> > <rule id="18100" level="0">
> >> >   <category>windows</category>
> >> >   <description>Group of windows rules.</description>
> >> > </rule>
> >> >
> >> > <rule id="18104" level="0">
> >> >   <if_sid>18100</if_sid>
> >> >   <status>^AUDIT_SUCCESS|^success</status>
> >> >   <description>Windows audit success event.</description>
> >> > </rule>
> >> >
> >> > <rule id="18110" level="8">
> >> >   <if_sid>18104</if_sid>
> >> >   <id>^624|^626|^645|^4720|^4722|^4741</id>
> >> >   <description>User account enabled or created.</description>
> >> >   <group>adduser,account_changed,</group>
> >> > </rule>
> >> >
> >> >
> >> > --
> >> > Tom O'Brion
> >> > Twitter: @tobrion
> >> >
> >> > "Life is too short to spend time with people who suck the happy out of you."
> >> >
> >>
> >> Can you provide a log sample? And what worked? You got a 18110 alert?
> >
> >
> > --
> > Tom O'Brion
> > Twitter: @tobrion
> > Skype: TomOBrion
> >
> > "Life is too short to spend time with people who suck the happy out of you."
