Loaded up 2.7 rc1 this AM and all works good. Thanks for help.
On Fri, Nov 2, 2012 at 8:14 AM, dan (ddp) <[email protected]> wrote:
> On Thu, Nov 1, 2012 at 5:22 PM, Tom OBrion <[email protected]> wrote:
> > I am at 2.5.1 on this box, I will test at home with 2.7.2 at home and check
> > the rules. Thanks.
> >
> > Tom
> >
>
> That's not even close to current. 2.7rc1 was just posted, it'd be worth a
> shot.
>
> > On Nov 1, 2012 4:17 PM, "dan (ddp)" <[email protected]> wrote:
> >>
> >> On Thu, Nov 1, 2012 at 4:07 PM, Tom OBrion <[email protected]> wrote:
> >> > Here is the alert after I changed rule 18104 to level "3" from level
> >> > "0". Prior to that this event would not trigger.
> >> >
> >> > ** Alert 1351792038.4533975: mail - windows,adduser,account_changed,
> >> > 2012 Nov 01 17:47:18 (Tom_Win_Malware) any->WinEvtLog
> >> > Rule: 18110 (level 8) -> 'User account enabled or created.'
> >> > User: (no user)
> >> > WinEvtLog: Security: AUDIT_SUCCESS(4722):
> >> > Microsoft-Windows-Security-Auditing: (no user): no domain: workstation:
> >> > A user account was enabled. Subject: Security ID:
> >> > S-1-5-21-800335143-1878524036-1083337731-1000 Account Name: secarch
> >> > Account Domain: mydomain Logon ID: 0x1ab61 Target Account: Security ID:
> >> > S-1-5-21-800335143-1878524036-1083337731-1004
> >> > Account Name: Bonehead Account Domain: mydomain
> >> >
> >>
> >> I get this with 18104 at level 0 (I'm using the latest code though, no
> >> idea what may have changed between what you're using and what I'm
> >> using):
> >>
> >> # cat /tmp/hhh | /var/ossec/bin/ossec-logtest
> >> 2012/11/01 16:15:21 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
> >> 2012/11/01 16:15:21 ossec-testrule: INFO: Reading decoder file etc/local_decoder.xml.
> >> 2012/11/01 16:15:21 ossec-testrule: INFO: Reading the lists file: 'lists/blocked.txt'
> >> 2012/11/01 16:15:21 ossec-testrule: INFO: Reading the lists file: 'lists/userlist.txt'
> >> 2012/11/01 16:15:21 ossec-testrule: INFO: Reading the lists file: 'lists/auser.txt'
> >> 2012/11/01 16:15:22 ossec-testrule: INFO: Started (pid: 13005).
> >> ossec-testrule: Type one log per line.
> >>
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4722): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: A user account was enabled. Subject: Security ID: S-1-5-21-800335143-1878524036-1083337731-1000 Account Name: secarch Account Domain: mydomain Logon ID: 0x1ab61 Target Account: Security ID: S-1-5-21-800335143-1878524036-1083337731-1004 Account Name: Bonehead Account Domain: mydomain'
> >>        hostname: 'arrakis'
> >>        program_name: '(null)'
> >>        log: 'WinEvtLog: Security: AUDIT_SUCCESS(4722): Microsoft-Windows-Security-Auditing: (no user): no domain: workstation: A user account was enabled. Subject: Security ID: S-1-5-21-800335143-1878524036-1083337731-1000 Account Name: secarch Account Domain: mydomain Logon ID: 0x1ab61 Target Account: Security ID: S-1-5-21-800335143-1878524036-1083337731-1004 Account Name: Bonehead Account Domain: mydomain'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'windows'
> >>        status: 'AUDIT_SUCCESS'
> >>        id: '4722'
> >>        extra_data: 'Microsoft-Windows-Security-Auditing'
> >>        dstuser: '(no user)'
> >>        system_name: 'workstation'
> >>
> >> **Phase 3: Completed filtering (rules).
> >>        Rule id: '18110'
> >>        Level: '8'
> >>        Description: 'User account enabled or created.'
> >> **Alert to be generated.
> >>
> >> >
> >> > On Thu, Nov 1, 2012 at 2:50 PM, dan (ddp) <[email protected]> wrote:
> >> >>
> >> >> On Thu, Nov 1, 2012 at 2:48 PM, Tom OBrion <[email protected]> wrote:
> >> >> > I am somewhat new to OSSEC so be nice, PLEASE! :)
> >> >> >
> >> >> > I am not quite understanding why an ID: 4720 would not hit my alert
> >> >> > log based on the below rules. As soon as I change rule id 18104's
> >> >> > alert level to something other than 0 she alerts. I was under the
> >> >> > impression that if the if_sid statement is true it continues into
> >> >> > the rule. So based on the Windows security event, the audit was a
> >> >> > success and category is windows, it should have triggered based on
> >> >> > these rules. Like I said, as soon as I change the 18104 rule to,
> >> >> > let's say, level 4 she worked. Let me know if you need additional
> >> >> > information, but is there someplace else I need to look or maybe
> >> >> > I am missing something? THANKS..
> >> >> >
> >> >> > NOTE: A 4720 is user account was created and was a success.
> >> >> > Keywords:
> >> >> > Audit Success
> >> >> >
> >> >> > <rule id="18100" level="0">
> >> >> >   <category>windows</category>
> >> >> >   <description>Group of windows rules.</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="18104" level="0">
> >> >> >   <if_sid>18100</if_sid>
> >> >> >   <status>^AUDIT_SUCCESS|^success</status>
> >> >> >   <description>Windows audit success event.</description>
> >> >> > </rule>
> >> >> >
> >> >> > <rule id="18110" level="8">
> >> >> >   <if_sid>18104</if_sid>
> >> >> >   <id>^624|^626|^645|^4720|^4722|^4741</id>
> >> >> >   <description>User account enabled or created.</description>
> >> >> >   <group>adduser,account_changed,</group>
> >> >> > </rule>
> >> >> >
> >> >>
> >> >> Can you provide a log sample? And what worked? You got a 18110 alert?
> >> >
>

--
Tom O'Brion
Twitter: @tobrion
Skype: TomOBrion
"Life is too short to spend time with people who suck the happy out of you."
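The thread turns on how OSSEC chains rules through `if_sid`: a level-0 parent such as 18104 is still evaluated and, when it matches, lets its children (18110) fire, so raising its level only adds a noisy alert for every audit-success event. The script below is an added example written for this page, not OSSEC's own code: `decode()` is a minimal stand-in for the stock `windows` decoder and `evaluate()` is a simplified model of the rule walk (it returns the last matching rule in file order rather than reproducing ossec-analysisd's tree). It parses the three rules quoted above, runs the 4722 event from the logtest output plus two constructed events (a 4624 logon success and a 4625 logon failure) through them, and shows the effect of the "set 18104 to level 4" experiment.

```python
"""Toy model of OSSEC if_sid rule chaining for the Windows rules in the thread.
Added example, not OSSEC's code: decode() stands in for the 'windows' decoder and
evaluate() is a simplified rule walk, enough to show the intended semantics
(a level-0 parent still matches and lets its children alert)."""
import re
import xml.etree.ElementTree as ET

# The three rules quoted in the thread, wrapped in a <group> so they parse.
RULES_XML = """<group name="windows">
<rule id="18100" level="0">
  <category>windows</category>
  <description>Group of windows rules.</description>
</rule>
<rule id="18104" level="0">
  <if_sid>18100</if_sid>
  <status>^AUDIT_SUCCESS|^success</status>
  <description>Windows audit success event.</description>
</rule>
<rule id="18110" level="8">
  <if_sid>18104</if_sid>
  <id>^624|^626|^645|^4720|^4722|^4741</id>
  <description>User account enabled or created.</description>
  <group>adduser,account_changed,</group>
</rule>
</group>"""

# Constructed sample lines in the WinEvtLog format shown by ossec-logtest.
EVT_4722 = ("WinEvtLog: Security: AUDIT_SUCCESS(4722): Microsoft-Windows-Security-Auditing: "
            "(no user): no domain: workstation: A user account was enabled.")
EVT_4624 = ("WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
            "(no user): no domain: workstation: An account was successfully logged on.")
EVT_4625 = ("WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
            "(no user): no domain: workstation: An account failed to log on.")

# Stand-in for the 'windows' decoder: extracts the fields logtest printed in Phase 2.
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<msg>.*)$")


def decode(line):
    """Return the decoded fields for a WinEvtLog line, or None if it is not one."""
    m = WINEVT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["decoder"] = "windows"
    return fields


def load_rules(xml_text, level_overrides=None):
    """Parse <rule> elements into dicts; level_overrides reproduces the
    'change 18104 to level 4' experiment from the thread."""
    overrides = level_overrides or {}
    rules = []
    for el in ET.fromstring(xml_text).iter("rule"):
        rid = el.get("id")
        rules.append({
            "id": rid,
            "level": int(overrides.get(rid, el.get("level"))),
            "category": el.findtext("category"),
            "if_sid": el.findtext("if_sid"),
            "status": el.findtext("status"),
            "id_pattern": el.findtext("id"),
            "description": el.findtext("description"),
        })
    return rules


def evaluate(rules, event):
    """Walk rules in file order. A rule matches only if its if_sid parent already
    matched and every field pattern it carries matches the decoded event; the
    parent's level plays no part. Returns the last (most specific) matched rule."""
    matched, last = set(), None
    for rule in rules:
        if rule["if_sid"] and rule["if_sid"] not in matched:
            continue
        if rule["category"] and rule["category"] != event["decoder"]:
            continue
        if rule["status"] and not re.search(rule["status"], event["status"]):
            continue
        if rule["id_pattern"] and not re.search(rule["id_pattern"], event["id"]):
            continue
        matched.add(rule["id"])
        last = rule
    return last


def alert_for(line, rules):
    """Return (rule_id, level, description) if the line alerts (level > 0), else None."""
    event = decode(line)
    rule = evaluate(rules, event) if event else None
    if rule is None or rule["level"] == 0:
        return None
    return (rule["id"], rule["level"], rule["description"])


if __name__ == "__main__":
    stock = load_rules(RULES_XML)
    noisy = load_rules(RULES_XML, level_overrides={"18104": 4})
    for line in (EVT_4722, EVT_4624, EVT_4625):
        label = line.split(":")[2].strip()
        print(label, "-> stock:", alert_for(line, stock), "| 18104 at level 4:", alert_for(line, noisy))
```

With the rules as quoted, the 4722 event alerts on 18110 at level 8 even though 18104 is level 0, which is the behaviour dan's logtest run shows; the 4624 logon success stops at 18104 and produces nothing, and the 4625 failure never gets past 18104's `<status>` check. With 18104 raised to level 4, every audit-success event (4624 included) becomes an alert, which is why leaving the parent at level 0 is the intended configuration.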
