Does it matter that you have it in the local_rules and not the msauth? Also are you getting the noise that I am talking about? Thanks.
From: [email protected] [mailto:[email protected]] On Behalf Of Derek Morris
Sent: Tuesday, October 08, 2013 7:47 AM
To: [email protected]
Subject: [ossec-list] Re: RDP Alerts / msauth.xml

In my local_rules.xml I have these entries, not sure if they will help:

  <rule id="100888" level="11">
    <if_sid>18104</if_sid>
    <id>^682|^4778|^1149</id>
    <description>Remote Desktop Connection Established</description>
    <group>sysadmin,</group>
  </rule>

  <rule id="100999" level="11">
    <if_sid>18104</if_sid>
    <id>^683|^4779</id>
    <description>Remote Desktop Connection Disconnected</description>
    <group>sysadmin,</group>
  </rule>

On Monday, October 7, 2013 6:24:38 PM UTC-4, Gary White wrote:

I have edited the msauth file so that I get an email alert when I or anyone remote desktops into my Windows machine. However, I get several PCname$ alerts as well, and I think I need to <match> </match> another rule to filter the unwanted logs out? Here is what I have done:

  <!-- Filter This Out -->
  <rule id="18159" level="1">
    <category>windows</category>
    <if_sid>18104</if_sid>
    <match>Athlon$</match>
    <description>Remote access login success.</description>
  </rule>

  <!-- RDP Access Alert Working Fine -->
  <rule id="18160" level="8">
    <if_sid>18104</if_sid>
    <id>^682|^4778|^4624</id>
    <description>Remote Desktop Connection Established</description>
    <group>authentication_success</group>
  </rule>
  </group>
  <!-- EOF -->

The 4778 event ID is for when someone has logged back into an already established session; this works fine. What I also want is when someone logs on creating a new RDP session (4624). However, that also generates this email:

OSSEC HIDS Notification.
2013 Oct 07 11:52:39

Received From: (Athlon) 10.1.1.11->WinEvtLog
Rule: 18160 fired (level 8) -> "Remote Desktop Connection Established"
Portion of the log(s):

WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: ATHLON$: MYDOMAIN: ATHLON.mydomain.local: An account was successfully logged on.
Subject:
  Security ID: S-1-0-0
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
Logon Type: 3
New Logon:
  Security ID: S-1-5-18
  Account Name: ATHLON$
  Account Domain: MYDOMAIN
  Logon ID: 0x839f215b
  Logon GUID: {666D9506-E849-14C7-8D3A-6550AE9EE889}
Process Information:
  Process ID: 0x0
  Process Name: -
Network Information:
  Workstation Name:
  Source Network Address: ::1
  Source Port: 0
Detailed Authentication Information:
  Logon Process: Kerberos
  Authentication Package: Kerberos
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.

If anyone can point me in the right direction that would be great, thanks.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
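Added example (not from either poster's configuration): a local_rules.xml fragment that alerts on RDP logons without the machine-account noise. The unwanted event above is a Security 4624 with "Logon Type: 3" (network logon) by the computer account ATHLON$ from ::1; an interactive RDP logon is a 4624 with "Logon Type: 10" (RemoteInteractive), so matching on the logon type selects the right events and no separate ignore rule is needed. Note also that in OSSEC's <match> syntax "$" is an end-of-string anchor, so "Athlon$" matches a log that ends in "Athlon", not the literal account name "ATHLON$". The rule ids 100200-100202 and the group name are assumptions chosen for this example; ids at or above 100000 are the range reserved for local rules.

```xml
<!-- Added example for local_rules.xml (not from the thread).
     Rule ids 100200-100202 and the group name are assumptions. -->
<group name="local,windows,rdp,">

  <!-- New RDP session: Security 4624 carries "Logon Type: 10"
       (RemoteInteractive). The ATHLON$ event quoted above is
       "Logon Type: 3" (Network) and therefore never matches here.
       The spacing follows the WinEvtLog text the agent forwards. -->
  <rule id="100200" level="8">
    <if_sid>18104</if_sid>
    <id>^4624</id>
    <match>Logon Type: 10</match>
    <description>Remote Desktop Connection Established (new session)</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Reconnect to an existing session: 4778 on Vista/2008 and later,
       682 on Windows 2003. -->
  <rule id="100201" level="8">
    <if_sid>18104</if_sid>
    <id>^4778|^682</id>
    <description>Remote Desktop Connection Established (session reconnected)</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Session disconnected: 4779, or 683 on Windows 2003. Level 3 is
       written to alerts.log but stays below OSSEC's default
       email_alert_level of 7, so it does not generate mail. -->
  <rule id="100202" level="3">
    <if_sid>18104</if_sid>
    <id>^4779|^683</id>
    <description>Remote Desktop Connection Disconnected</description>
    <group>sysadmin,</group>
  </rule>

</group>
```

To check the rules before restarting the server, paste the full single-line WinEvtLog message (starting at "WinEvtLog: Security: AUDIT_SUCCESS(4624): ...") into /var/ossec/bin/ossec-logtest: the posted Logon Type 3 event should stop at rule 18104, and a copy of it edited to read "Logon Type: 10" should fire 100200. Two caveats from the Windows side: reconnecting to an existing disconnected session typically logs 4778 plus a 4624 with Logon Type 7 (Unlock) rather than 10, which rule 100201 covers, and with Network Level Authentication enabled the user's credential pre-authentication usually also produces a 4624 with Logon Type 3 before the type 10 logon, which these rules deliberately ignore. Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} on the target machine is a quick way to see which logon types an RDP session actually produces in your environment.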
