On Thu, Nov 1, 2012 at 5:22 PM, Tom OBrion <[email protected]> wrote:
> I am at 2.5.1 on this box, I will test at home with 2.7.2 and check
> the rules. Thanks.
>
> Tom
>

That's not even close to current. 2.7rc1 was just posted, it'd be worth a shot.

> On Nov 1, 2012 4:17 PM, "dan (ddp)" <[email protected]> wrote:
>>
>> On Thu, Nov 1, 2012 at 4:07 PM, Tom OBrion <[email protected]> wrote:
>> > Here is the alert after I changed rule 18104 to level "3" from level "0".
>> > Prior to that this event would not trigger.
>> >
>> > ** Alert 1351792038.4533975: mail - windows,adduser,account_changed,
>> > 2012 Nov 01 17:47:18 (Tom_Win_Malware) any->WinEvtLog
>> > Rule: 18110 (level 8) -> 'User account enabled or created.'
>> > User: (no user)
>> > WinEvtLog: Security: AUDIT_SUCCESS(4722):
>> > Microsoft-Windows-Security-Auditing: (no user): no domain: workstation:
>> > A user account was enabled. Subject: Security ID:
>> > S-1-5-21-800335143-1878524036-1083337731-1000 Account Name: secarch
>> > Account Domain: mydomain Logon ID: 0x1ab61 Target Account: Security ID:
>> > S-1-5-21-800335143-1878524036-1083337731-1004
>> > Account Name: Bonehead Account Domain: mydomain
>> >
>>
>> I get this with 18104 at level 0 (I'm using the latest code though, no
>> idea what may have changed between what you're using and what I'm
>> using:
>>
>> # cat /tmp/hhh | /var/ossec/bin/ossec-logtest
>> 2012/11/01 16:15:21 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
>> 2012/11/01 16:15:21 ossec-testrule: INFO: Reading decoder file etc/local_decoder.xml.
>> 2012/11/01 16:15:21 ossec-testrule: INFO: Reading the lists file: 'lists/blocked.txt'
>> 2012/11/01 16:15:21 ossec-testrule: INFO: Reading the lists file: 'lists/userlist.txt'
>> 2012/11/01 16:15:21 ossec-testrule: INFO: Reading the lists file: 'lists/auser.txt'
>> 2012/11/01 16:15:22 ossec-testrule: INFO: Started (pid: 13005).
>> ossec-testrule: Type one log per line.
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4722): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: A user account was enabled. Subject: Security ID: S-1-5-21-800335143-1878524036-1083337731-1000 Account Name: secarch Account Domain: mydomain Logon ID: 0x1ab61 Target Account: Security ID: S-1-5-21-800335143-1878524036-1083337731-1004 Account Name: Bonehead Account Domain: mydomain'
>>        hostname: 'arrakis'
>>        program_name: '(null)'
>>        log: 'WinEvtLog: Security: AUDIT_SUCCESS(4722): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: A user account was enabled. Subject: Security ID: S-1-5-21-800335143-1878524036-1083337731-1000 Account Name: secarch Account Domain: mydomain Logon ID: 0x1ab61 Target Account: Security ID: S-1-5-21-800335143-1878524036-1083337731-1004 Account Name: Bonehead Account Domain: mydomain'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'windows'
>>        status: 'AUDIT_SUCCESS'
>>        id: '4722'
>>        extra_data: 'Microsoft-Windows-Security-Auditing'
>>        dstuser: '(no user)'
>>        system_name: 'workstation'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '18110'
>>        Level: '8'
>>        Description: 'User account enabled or created.'
>> **Alert to be generated.
>>
>> >
>> > On Thu, Nov 1, 2012 at 2:50 PM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Thu, Nov 1, 2012 at 2:48 PM, Tom OBrion <[email protected]> wrote:
>> >> > I am somewhat new to OSSEC so be nice, PLEASE! :)
>> >> >
>> >> > I am not quite understanding why an ID: 4720 would not hit my alert log
>> >> > based on the below rules. As soon as I change rule id 18104's alert level
>> >> > to something other than 0 she alerts. I was under the impression that if
>> >> > the if_sid statement is true it continues into the rule. So based on the
>> >> > Windows security event, the audit was a success and the category is
>> >> > windows, so it should have triggered based on these rules. Like I said, as
>> >> > soon as I change the 18104 rule to let's say level 4 she worked. Let me
>> >> > know if you need additional information, but is there someplace else I
>> >> > need to look or maybe I'm missing something? THANKS..
>> >> >
>> >> > NOTE: A 4720 is user account was created and was a success.
>> >> > Keywords: Audit Success
>> >> >
>> >> > <rule id="18100" level="0">
>> >> >   <category>windows</category>
>> >> >   <description>Group of windows rules.</description>
>> >> > </rule>
>> >> >
>> >> > <rule id="18104" level="0">
>> >> >   <if_sid>18100</if_sid>
>> >> >   <status>^AUDIT_SUCCESS|^success</status>
>> >> >   <description>Windows audit success event.</description>
>> >> > </rule>
>> >> >
>> >> > <rule id="18110" level="8">
>> >> >   <if_sid>18104</if_sid>
>> >> >   <id>^624|^626|^645|^4720|^4722|^4741</id>
>> >> >   <description>User account enabled or created.</description>
>> >> >   <group>adduser,account_changed,</group>
>> >> > </rule>
>> >> >
>> >> > --
>> >> > Tom O'Brion
>> >> > Twitter: @tobrion
>> >> >
>> >> > "Life is too short to spend time with people who suck the happy out of you."
>> >>
>> >> Can you provide a log sample? And what worked? You got a 18110 alert?
>> >
>> > --
>> > Tom O'Brion
>> > Twitter: @tobrion
>> > Skype: TomOBrion
>> >
>> > "Life is too short to spend time with people who suck the happy out of you."
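To make the rule-chaining behaviour discussed in this thread concrete, here is an added Python model (not OSSEC's code, and a deliberate simplification of its matching) that loads Tom's three rules, decodes a WinEvtLog line into the fields ossec-logtest printed, and walks the if_sid chain: the level-0 rules 18100 and 18104 still match and let 18110 fire at level 8, which is what dan's logtest output shows. The `decode` regex and the sample events other than 4722 are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Tom's three rules from the thread, embedded here as the sample ruleset.
RULES_XML = """<group>
<rule id="18100" level="0"><category>windows</category><description>Group of windows rules.</description></rule>
<rule id="18104" level="0"><if_sid>18100</if_sid>
  <status>^AUDIT_SUCCESS|^success</status>
  <description>Windows audit success event.</description></rule>
<rule id="18110" level="8"><if_sid>18104</if_sid>
  <id>^624|^626|^645|^4720|^4722|^4741</id>
  <description>User account enabled or created.</description>
  <group>adduser,account_changed,</group></rule>
</group>"""

def decode(event):
    """Stand-in (assumed, not OSSEC's) for the 'windows' decoder: returns the
    status/id/extra_data fields that logtest showed for the 4722 event."""
    m = re.match(r"WinEvtLog: (\S+): (\w+)\((\d+)\): (\S+):", event)
    if not m:
        return None  # not a WinEvtLog line, so no windows rules apply
    return {"category": "windows", "status": m.group(2),
            "id": m.group(3), "extra_data": m.group(4)}

def load_rules(xml_text):
    """Read id/level plus the if_sid, category, status and id matchers."""
    return [{"id": r.get("id"), "level": int(r.get("level")),
             "if_sid": r.findtext("if_sid"), "category": r.findtext("category"),
             "status": r.findtext("status"), "event_id": r.findtext("id")}
            for r in ET.fromstring(xml_text).findall("rule")]

def evaluate(rules, fields):
    """Walk the chain in file order. A child is considered only when its if_sid
    parent matched; a level-0 parent matches like any other, it just never alerts."""
    matched, last = set(), None
    for r in rules:
        if r["if_sid"] and r["if_sid"] not in matched:
            continue
        if r["category"] and r["category"] != fields["category"]:
            continue
        if r["status"] and not re.search(r["status"], fields["status"]):
            continue
        if r["event_id"] and not re.search(r["event_id"], fields["id"]):
            continue
        matched.add(r["id"])
        last = r
    return last  # deepest matching rule, or None

def alert_for(event, xml_text=RULES_XML):
    # (rule id, level) when the deepest match has level > 0, otherwise no alert
    fields = decode(event)
    rule = evaluate(load_rules(xml_text), fields) if fields else None
    return (rule["id"], rule["level"]) if rule and rule["level"] > 0 else None
```

Running `alert_for` on the 4722 line from the thread returns `("18110", 8)`, while an AUDIT_FAILURE event stops at 18100 and a success event whose id is not in 18110's list stops at 18104, both level 0 and therefore silent.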
