Log Samples:
The logs I want emailed:
OSSEC HIDS Notification.
2013 Oct 09 18:21:45
Received From: (Athlon) 10.1.1.11->WinEvtLog
Rule: 100032 fired (level 11) -> "Remote Desktop Connection Established"
Portion of the log(s):
WinEvtLog: Security: AUDIT_SUCCESS(4624):
Microsoft-Windows-Security-Auditing: razzle: MyDomain:
ATHLON.MyDomain.local: An account was successfully logged on. Subject:
Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0
Logon Type: 3 New Logon: Security ID:
S-1-5-21-3105247609-3095833174-255621157-500 Account Name: razzle Account
Domain: MyDomain Logon ID: 0x85a0bdd3 Logon GUID:
{00000000-0000-0000-0000-000000000000} Process Information: Process ID:
0x0 Process Name: - Network Information: Workstation Name: BEAST Source
Network Address: - Source Port: - Detailed Authentication Information:
Logon Process: NtLmSsp Authentication Package: NTLM Transited Services:
- Package Name (NTLM only): NTLM V1 Key Length: 128 This event is
generated when a logon session is created. It is generated on the computer
that was accessed.
The Email I DON'T want:
Received From: (Athlon) 10.1.1.11->WinEvtLog
Rule: 100032 fired (level 11) -> "Remote Desktop Connection Established"
Portion of the log(s):
WinEvtLog: Security: AUDIT_SUCCESS(4624):
Microsoft-Windows-Security-Auditing: ATHLON$: MyDomain:
ATHLON.MyDomain.local: An account was successfully logged on. Subject:
Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0
Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name: ATHLON$
Account Domain: MyDomain Logon ID: 0x839f215b Logon GUID:
{666D9506-E849-14C7-8D3A-6550AE9EE889} Process Information: Process ID:
0x0 Process Name: - Network Information: Workstation Name: Source
Network Address: ::1 Source Port: 0 Detailed Authentication Information:
Logon Process: Kerberos Authentication Package: Kerberos Transited
Services: - Package Name (NTLM only): - Key Length: 0 This event is
generated when a logon session is created. It is generated on the computer
that was accessed.
I get 10 emails a day letting me know that the machine account ATHLON$ has
logged on.
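As an added illustration that is not part of this post or of OSSEC itself, here is a small Python model of the filter the thread is after: it parses the two log bodies quoted above (re-joined onto one line each), reads the account from the New Logon block rather than the Subject block, and suppresses computer accounts (names ending in '$') so only a person's logon would alert. The field patterns, the RDP_EVENT_IDS set and the dollar-sign test are my assumptions about the flattened WinEvtLog text, not OSSEC rule syntax.

```python
import re

# The two "Portion of the log(s)" bodies from the thread, re-joined onto one line each.
WANTED = ("WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: razzle: "
          "MyDomain: ATHLON.MyDomain.local: An account was successfully logged on. Subject: "
          "Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 "
          "New Logon: Security ID: S-1-5-21-3105247609-3095833174-255621157-500 Account Name: razzle "
          "Account Domain: MyDomain Logon ID: 0x85a0bdd3 Logon GUID: {00000000-0000-0000-0000-000000000000} "
          "Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: "
          "BEAST Source Network Address: - Source Port: - Detailed Authentication Information: "
          "Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - "
          "Package Name (NTLM only): NTLM V1 Key Length: 128")
NOISE = ("WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: ATHLON$: "
         "MyDomain: ATHLON.MyDomain.local: An account was successfully logged on. Subject: "
         "Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 "
         "New Logon: Security ID: S-1-5-18 Account Name: ATHLON$ Account Domain: MyDomain "
         "Logon ID: 0x839f215b Logon GUID: {666D9506-E849-14C7-8D3A-6550AE9EE889} Process Information: "
         "Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network "
         "Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos "
         "Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0")

RDP_EVENT_IDS = {4624, 4778, 1149}  # assumption: the event ids rule 100032 in the thread keys on

def parse_logon(line):
    """Pull the triage-relevant fields out of the flattened 4624 text (patterns are assumptions)."""
    def grab(pattern):
        m = re.search(pattern, line)
        return m.group(1) if m else ""
    return {
        "event_id": int(grab(r"\((\d+)\):") or 0),
        # read the account from the "New Logon" block, not the "Subject" block (S-1-0-0 / "-")
        "sid": grab(r"New Logon:\s*Security ID:\s*(\S+)"),
        "account": grab(r"New Logon:\s*Security ID:\s*\S+\s*Account Name:\s*(\S+)"),
        "logon_type": int(grab(r"Logon Type:\s*(\d+)") or 0),
        "logon_process": grab(r"Logon Process:\s*(\S+)"),
        # the workstation field can be empty, so stop at the next label instead of at whitespace
        "workstation": grab(r"Workstation Name:\s*(.*?)\s*Source Network Address:"),
        "source_addr": grab(r"Source Network Address:\s*(\S+)"),
    }

def should_alert(line):
    """True for a person's logon; False for computer-account ($) noise or unrelated event ids."""
    ev = parse_logon(line)
    if ev["event_id"] not in RDP_EVENT_IDS:
        return False
    return not ev["account"].endswith("$")  # machine accounts end in '$', e.g. ATHLON$
```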
From: [email protected] [mailto:[email protected]] On
Behalf Of dan (ddp)
Sent: Wednesday, October 09, 2013 7:45 PM
To: [email protected]
Subject: RE: [ossec-list] Re: RDP Alerts / msauth.xml
On Oct 9, 2013 7:43 PM, "Forums" <[email protected]> wrote:
>
> Currently I am using the rules in the localrules file; as you see, the
> msauth ones are commented out. Both work for RDP logins; however, as I said,
> I get a lot of noise.
>
Still no log samples? Ok, good luck!
>
>
> LocalRules.xml
>
> <!-- Filter Workstation$ Logon -->
> <rule id="100031" level="0">
> <if_sid>18104</if_sid>
> <match>SYSTEM: NT AUTHORITY:</match>
> <description>Dont Log this</description>
> </rule>
>
> <!-- Remote Desktop Connection -->
> <rule id="100032" level="11">
> <if_sid>18104</if_sid>
> <id>^4624|^4778|^1149</id>
> <description>Remote Desktop Connection Established</description>
> </rule>
> </group> <!-- SYSLOG,LOCAL -->
>
>
>
> Msauth.xml
>
> <!-- Filter RDP ATHLON$
> <rule id="18159" level="0">
> <if_sid>18104</if_sid>
> <regex>Account Name:ATHLON</regex>
> <id>4624</id>
> <group>authentication_success,</group>
> <description>Remote access login success.</description>
> </rule> -->
>
> <!-- Filter RDP ATHLON$
> <rule id="18160" level="0">
> <if_sid>18105</if_sid>
> <regex>Account Name:ATHLON</regex>
> <id>4624</id>
> <description>Windows Logon Success,</description>
> <group>authentication_success,</group>
> </rule> -->
>
> <!-- RDP Access
> <rule id="18161" level="8">
> <if_sid>18104</if_sid>
> <id>^682|^4778|^4624</id>
> <description>Remote Desktop Connection Established</description>
> <group>authentication_success,</group>
> </rule> -->
>
> </group>
>
> <!-- EOF -->
>
>
>
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Wednesday, October 09, 2013 6:08 PM
>
> To: [email protected]
> Subject: RE: [ossec-list] Re: RDP Alerts / msauth.xml
>
>
>
>
> On Oct 9, 2013 6:06 PM, "Forums" <[email protected]> wrote:
> >
> > Even the code below still generates the email (noise) that I don't want
> > to see. I want to see an actual RDP logon from another person, which is
> > working. What I don't want is the actual machine$ account emailing me
> > machine connections.
> >
>
> Perhaps if we had samples of both kinds of logs it would be easier to
> help.
>
> >
> >
> > From: [email protected] [mailto:[email protected]]
> > On Behalf Of Forums
> > Sent: Tuesday, October 08, 2013 9:58 AM
> > To: [email protected]
> > Subject: RE: [ossec-list] Re: RDP Alerts / msauth.xml
> >
> >
> >
> > Does it matter that you have it in the local_rules and not the msauth?
> > Also, are you getting the noise that I am talking about? Thanks.
> >
> >
> >
> > From: [email protected] [mailto:[email protected]]
> > On Behalf Of Derek Morris
> > Sent: Tuesday, October 08, 2013 7:47 AM
> > To: [email protected]
> > Subject: [ossec-list] Re: RDP Alerts / msauth.xml
> >
> >
> >
> > In my local_rules.xml I have these entries, not sure if they will help:
> >
> >
> >
> > <rule id="100888" level="11">
> > <if_sid>18104</if_sid>
> > <id>^682|^4778|^1149</id>
> > <description>Remote Desktop Connection Established</description>
> > <group>sysadmin,</group>
> > </rule>
> >
> > <rule id="100999" level="11">
> > <if_sid>18104</if_sid>
> > <id>^683|^4779</id>
> > <description>Remote Desktop Connection Disconnected</description>
> > <group>sysadmin,</group>
> > </rule>
> >
> >
> >
> >
> > On Monday, October 7, 2013 6:24:38 PM UTC-4, Gary White wrote:
> >
> > I have edited the msauth file so that I get an email alert when I or
> > anyone remote desktops into my Windows machine. However, I get several
> > PCname$ alerts as well, and I think I need to <match> </match> another rule
> > to filter the unwanted logs out. Here is what I have done:
> >
> >
> >
> > <!-- Filter This Out -->
> > <rule id="18159" level="1">
> > <category>windows</category>
> > <if_sid>18104</if_sid>
> > <match>Athlon$</match>
> > <description>Remote access login success.</description>
> > </rule>
> >
> >
> >
> >
> >
> > <!-- RDP Access Alert Working Fine -->
> > <rule id="18160" level="8">
> > <if_sid>18104</if_sid>
> > <id>^682|^4778|^4624</id>
> > <description>Remote Desktop Connection Established</description>
> > <group>authentication_success</group>
> > </rule>
> > </group>
> > <!-- EOF -->
> >
> > The 4778 event ID is for when someone has logged back into an already
> > established session; this works fine. What I also want is when someone logs
> > on creating a new RDP session (4624), however that also generates this email:
> >
> >
> >
> >
> >
> > OSSEC HIDS Notification.
> >
> > 2013 Oct 07 11:52:39
> >
> >
> >
> > Received From: (Athlon) 10.1.1.11->WinEvtLog
> >
> > Rule: 18160 fired (level 8) -> "Remote Desktop Connection Established"
> >
> > Portion of the log(s):
> >
> >
> >
> > WinEvtLog: Security: AUDIT_SUCCESS(4624):
> > Microsoft-Windows-Security-Auditing: ATHLON$: MYDOMAIN:
> > ATHLON.mydomain.local: An account was successfully logged on. Subject:
> > Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0
> > Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name: ATHLON$
> > Account Domain: MYDOMAIN Logon ID: 0x839f215b Logon GUID:
> > {666D9506-E849-14C7-8D3A-6550AE9EE889} Process Information: Process ID:
> > 0x0 Process Name: - Network Information: Workstation Name: Source
> > Network Address: ::1 Source Port: 0 Detailed Authentication Information:
> > Logon Process: Kerberos Authentication Package: Kerberos Transited
> > Services: - Package Name (NTLM only): - Key Length: 0 This event is
> > generated when a logon session is created. It is generated on the computer
> > that was accessed.
> >
> >
> >
> > If anyone can point me in the right direction that would be great,
> > thanks.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected]
<mailto:ossec-list%[email protected]> .
> > For more options, visit https://groups.google.com/groups/opt_out.
> >