Ossec.log:
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Thursday, October 10, 2013 10:19 AM
To: [email protected]
Subject: Re: [ossec-list] Re: RDP Alerts / msauth.xml

On Wed, Oct 9, 2013 at 8:01 PM, Forums <[email protected]> wrote:
> Log Samples:
>
> The logs I want emailed:
>
> OSSEC HIDS Notification.
> 2013 Oct 09 18:21:45
>
> Received From: (Athlon) 10.1.1.11->WinEvtLog
> Rule: 100032 fired (level 11) -> "Remote Desktop Connection Established"
> Portion of the log(s):
>
> WinEvtLog: Security: AUDIT_SUCCESS(4624):
> Microsoft-Windows-Security-Auditing: razzle: MyDomain:
> ATHLON.MyDomain.local: An account was successfully logged on. Subject:
> Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0
> Logon Type: 3 New Logon: Security ID:
> S-1-5-21-3105247609-3095833174-255621157-500 Account Name: razzle
> Account Domain: MyDomain Logon ID: 0x85a0bdd3 Logon GUID:
> {00000000-0000-0000-0000-000000000000} Process Information: Process ID:
> 0x0 Process Name: - Network Information: Workstation Name: BEAST
> Source Network Address: - Source Port: - Detailed Authentication Information:
> Logon Process: NtLmSsp Authentication Package: NTLM Transited Services:
> - Package Name (NTLM only): NTLM V1 Key Length: 128 This event is
> generated when a logon session is created. It is generated on the
> computer that was accessed.
>
> The Email I DON'T want:
>
> Received From: (Athlon) 10.1.1.11->WinEvtLog
> Rule: 100032 fired (level 11) -> "Remote Desktop Connection Established"
> Portion of the log(s):
>
> WinEvtLog: Security: AUDIT_SUCCESS(4624):
> Microsoft-Windows-Security-Auditing: ATHLON$: MyDomain:
> ATHLON.MyDomain.local: An account was successfully logged on. Subject:
> Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0
> Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name: ATHLON$
> Account Domain: MyDomain Logon ID: 0x839f215b Logon GUID:
> {666D9506-E849-14C7-8D3A-6550AE9EE889} Process Information: Process ID:
> 0x0 Process Name: - Network Information: Workstation Name: Source
> Network Address: ::1 Source Port: 0 Detailed Authentication Information:
> Logon Process: Kerberos Authentication Package: Kerberos Transited
> Services: - Package Name (NTLM only): - Key Length: 0 This event
> is generated when a logon session is created. It is generated on the
> computer that was accessed.
>

These logs do not match 18104 for me. I'm not sure what is different
between my setup and yours.

Looking back at previous rules you've posted, I noticed that they
contain nonsensical things like:

<regex>Account Name:ATHLON</regex>

First, there's no regex in that statement. Second, there are spaces in
the log message between "Name:" and "ATHLON." Those spaces should be
represented here.

Try cleaning up the rules a bit, and use the proper spacing. See if
that helps.

> I get 10 emails a day letting me know the machine account: ATHLON$ has
> logged on.
>
> From: [email protected] [mailto:[email protected]]
> On Behalf Of dan (ddp)
> Sent: Wednesday, October 09, 2013 7:45 PM
> To: [email protected]
> Subject: RE: [ossec-list] Re: RDP Alerts / msauth.xml
>
> On Oct 9, 2013 7:43 PM, "Forums" <[email protected]> wrote:
>>
>> Currently I am using the rules in the localrules file, as you see the
>> msauth are commented out. Both work for RDP logins; however, as I said,
>> I get a lot of noise.
>>
>
> Still no log samples? Ok, good luck!
>
>> LocalRules.xml
>>
>> <!-- Filter Workstation$ Logon -->
>> <rule id="100031" level="0">
>>   <if_sid>18104</if_sid>
>>   <match>SYSTEM: NT AUTHORITY:</match>
>>   <description>Dont Log this</description>
>> </rule>
>>
>> <!-- Remote Desktop Connection -->
>> <rule id="100032" level="11">
>>   <if_sid>18104</if_sid>
>>   <id>^4624|^4778|^1149</id>
>>   <description>Remote Desktop Connection Established</description>
>> </rule>
>> </group> <!-- SYSLOG,LOCAL -->
>>
>> Msauth.xml
>>
>> <!-- Filter RDP ATHLON$
>> <rule id="18159" level="0">
>>   <if_sid>18104</if_sid>
>>   <regex>Account Name:ATHLON</regex>
>>   <id>4624</id>
>>   <group>authentication_success,</group>
>>   <description>Remote access login success.</description>
>> </rule> -->
>>
>> <!-- Filter RDP ATHLON$
>> <rule id="18160" level="0">
>>   <if_sid>18105</if_sid>
>>   <regex>Account Name:ATHLON</regex>
>>   <id>4624</id>
>>   <description>Windows Logon Success,</description>
>>   <group>authentication_success,</group>
>> </rule> -->
>>
>> <!-- RDP Access
>> <rule id="18161" level="8">
>>   <if_sid>18104</if_sid>
>>   <id>^682|^4778|^4624</id>
>>   <description>Remote Desktop Connection Established</description>
>>   <group>authentication_success,</group>
>> </rule> -->
>> </group>
>> <!-- EOF -->
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> Sent: Wednesday, October 09, 2013 6:08 PM
>> To: [email protected]
>> Subject: RE: [ossec-list] Re: RDP Alerts / msauth.xml
>>
>> On Oct 9, 2013 6:06 PM, "Forums" <[email protected]> wrote:
>> >
>> > Even the code below still generates the email (noise) that I don't
>> > want to see. I want to see an actual RDP logon from another person,
>> > which is working. What I don't want is the actual machine$ account
>> > emailing me machine connections.
>> >
>>
>> Perhaps if we had samples of both kinds of logs it would be easier to
>> help.
>>
>> > From: [email protected] [mailto:[email protected]]
>> > On Behalf Of Forums
>> > Sent: Tuesday, October 08, 2013 9:58 AM
>> > To: [email protected]
>> > Subject: RE: [ossec-list] Re: RDP Alerts / msauth.xml
>> >
>> > Does it matter that you have it in the local_rules and not the msauth?
>> > Also, are you getting the noise that I am talking about? Thanks.
>> >
>> > From: [email protected] [mailto:[email protected]]
>> > On Behalf Of Derek Morris
>> > Sent: Tuesday, October 08, 2013 7:47 AM
>> > To: [email protected]
>> > Subject: [ossec-list] Re: RDP Alerts / msauth.xml
>> >
>> > In my local_rules.xml I have these entries, not sure if they will help:
>> >
>> > <rule id="100888" level="11">
>> >   <if_sid>18104</if_sid>
>> >   <id>^682|^4778|^1149</id>
>> >   <description>Remote Desktop Connection Established</description>
>> >   <group>sysadmin,</group>
>> > </rule>
>> >
>> > <rule id="100999" level="11">
>> >   <if_sid>18104</if_sid>
>> >   <id>^683|^4779</id>
>> >   <description>Remote Desktop Connection Disconnected</description>
>> >   <group>sysadmin,</group>
>> > </rule>
>> >
>> > On Monday, October 7, 2013 6:24:38 PM UTC-4, Gary White wrote:
>> > I have edited the msauth file so that I get an email alert when I
>> > or anyone remote desktops into my windows machine. However, I get
>> > several PCname$ alerts as well, and I think I need to <match>
>> > </match> another rule to filter the unwanted logs out?
>> > Here is what I have done:
>> >
>> > <!-- Filter This Out -->
>> > <rule id="18159" level="1">
>> >   <category>windows</category>
>> >   <if_sid>18104</if_sid>
>> >   <match>Athlon$</match>
>> >   <description>Remote access login success.</description>
>> > </rule>
>> >
>> > <!-- RDP Access Alert Working Fine -->
>> > <rule id="18160" level="8">
>> >   <if_sid>18104</if_sid>
>> >   <id>^682|^4778|^4624</id>
>> >   <description>Remote Desktop Connection Established</description>
>> >   <group>authentication_success</group>
>> > </rule>
>> > </group>
>> > <!-- EOF -->
>> >
>> > The 4778 event ID is for when someone has logged back into an
>> > already established session; this works fine. What I also want is
>> > when someone logs on creating a new RDP session (4624); however, that
>> > also generates this email:
>> >
>> > OSSEC HIDS Notification.
>> > 2013 Oct 07 11:52:39
>> >
>> > Received From: (Athlon) 10.1.1.11->WinEvtLog
>> > Rule: 18160 fired (level 8) -> "Remote Desktop Connection Established"
>> > Portion of the log(s):
>> >
>> > WinEvtLog: Security: AUDIT_SUCCESS(4624):
>> > Microsoft-Windows-Security-Auditing: ATHLON$: MYDOMAIN:
>> > ATHLON.mydomain.local: An account was successfully logged on. Subject:
>> > Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0
>> > Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name: ATHLON$
>> > Account Domain: MYDOMAIN Logon ID: 0x839f215b Logon GUID:
>> > {666D9506-E849-14C7-8D3A-6550AE9EE889} Process Information: Process ID:
>> > 0x0 Process Name: - Network Information: Workstation Name: Source
>> > Network Address: ::1 Source Port: 0 Detailed Authentication Information:
>> > Logon Process: Kerberos Authentication Package: Kerberos Transited
>> > Services: - Package Name (NTLM only): - Key Length: 0 This
>> > event is generated when a logon session is created. It is generated
>> > on the computer that was accessed.
>> >
>> > If anyone can point me in the right direction that would be great,
>> > thanks.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
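The two 4624 samples quoted in the thread, worked through in an added example that is not code from the ossec-list thread or from OSSEC itself: it parses OSSEC's flattened WinEvtLog line, suppresses the computer-account logon while alerting on the user's, and emulates the documented `<match>` (sregex) syntax to show why `Account Name:ATHLON` (missing space) and `Athlon$` (an unescaped `$` is an end anchor) never match the ATHLON$ line. The function names are the example's own, and treating `<match>` as case-insensitive is an assumption about OSSEC's default.

```python
"""Added example, not code from the ossec-list thread: parse the two 4624 alerts quoted
above, decide which one should page, and emulate OSSEC <match> syntax to show why the
patterns 'Account Name:ATHLON' and 'Athlon$' can never match the ATHLON$ line."""
import re

# Labels as OSSEC's WinEvtLog flattening renders event 4624 (taken from the thread's samples).
SECTIONS = ("Subject", "New Logon", "Process Information", "Network Information",
            "Detailed Authentication Information")
FIELDS = ("Security ID", "Account Name", "Account Domain", "Logon ID", "Logon Type",
          "Logon GUID", "Process ID", "Process Name", "Workstation Name",
          "Source Network Address", "Source Port", "Logon Process", "Authentication Package",
          "Transited Services", "Package Name (NTLM only)", "Key Length")
_LABELS = "|".join(re.escape(s) for s in SECTIONS + FIELDS)
_HEADER = re.compile(r"WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<event_id>\d+)\): "
                     r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): ")
# A label and its (possibly empty) value, running up to the next label or the end of the text.
_TOKEN = re.compile(r"(?P<label>" + _LABELS + r"):(?P<value>.*?)(?=\s(?:" + _LABELS + r"):|$)")
SYSTEM_SID = "S-1-5-18"

# Constructed from the two alerts quoted in the thread: the noise (computer account ATHLON$
# logging on to itself over ::1) and the wanted alert (user razzle from workstation BEAST).
MACHINE_LOGON = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: ATHLON$: "
    "MyDomain: ATHLON.MyDomain.local: An account was successfully logged on. Subject: Security "
    "ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: "
    "Security ID: S-1-5-18 Account Name: ATHLON$ Account Domain: MyDomain Logon ID: 0x839f215b "
    "Logon GUID: {666D9506-E849-14C7-8D3A-6550AE9EE889} Process Information: Process ID: 0x0 "
    "Process Name: - Network Information: Workstation Name: Source Network Address: ::1 Source "
    "Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication "
    "Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This "
    "event is generated when a logon session is created. It is generated on the computer that "
    "was accessed.")
USER_LOGON = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: razzle: "
    "MyDomain: ATHLON.MyDomain.local: An account was successfully logged on. Subject: Security "
    "ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: "
    "Security ID: S-1-5-21-3105247609-3095833174-255621157-500 Account Name: razzle Account "
    "Domain: MyDomain Logon ID: 0x85a0bdd3 Logon GUID: {00000000-0000-0000-0000-000000000000} "
    "Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation "
    "Name: BEAST Source Network Address: - Source Port: - Detailed Authentication Information: "
    "Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name "
    "(NTLM only): NTLM V1 Key Length: 128 This event is generated when a logon session is "
    "created. It is generated on the computer that was accessed.")

def parse_4624(line):
    """Split one OSSEC-flattened 4624 line into {"header": {...}, section: {field: value}}."""
    m = _HEADER.match(line)
    if m is None:
        raise ValueError("not a WinEvtLog line")
    event = {"header": m.groupdict()}
    body = line[m.end():].split(" This event is generated", 1)[0]  # drop trailing boilerplate
    section = None
    for tok in _TOKEN.finditer(body):
        label, value = tok.group("label"), tok.group("value").strip()
        if label in SECTIONS:
            section = event.setdefault(label, {})
        elif section is not None:
            section[label] = value
    return event

def classify(line):
    """('alert'|'suppress', reason): page on a person's 4624, stay quiet when the computer
    account itself (name ending in '$', or the SYSTEM SID) is the one logging on."""
    event = parse_4624(line)
    new = event.get("New Logon", {})
    name, sid = new.get("Account Name", ""), new.get("Security ID", "")
    if name.endswith("$") or sid == SYSTEM_SID:
        return "suppress", "computer/SYSTEM account " + (name or sid)
    net = event.get("Network Information", {})
    origin = net.get("Workstation Name") or net.get("Source Network Address") or "unknown"
    return "alert", "%s from %s, logon type %s" % (
        name, origin, event.get("Subject", {}).get("Logon Type", "?"))

def ossec_match(pattern, text):
    """Emulate OSSEC <match> (sregex) as documented: '|' = or, unescaped '^'/'$' anchor the
    start/end, '\\' escapes the next character, everything else (spaces included) is literal;
    assumed case-insensitive, OSSEC's default. A literal '$' must therefore be written '\\$'."""
    text = text.lower()
    alts, cur, i = [], [], 0  # each alternative is a list of (char, was_escaped)
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            cur.append((pattern[i + 1], True))
            i += 2
        elif pattern[i] == "|":
            alts.append(cur)
            cur, i = [], i + 1
        else:
            cur.append((pattern[i], False))
            i += 1
    alts.append(cur)
    for alt in alts:
        start = bool(alt) and alt[0] == ("^", False)
        end = bool(alt) and alt[-1] == ("$", False)
        lit = "".join(c for c, _ in alt[int(start):len(alt) - int(end)]).lower()
        hit = (text == lit if start and end else text.startswith(lit) if start
               else text.endswith(lit) if end else lit in text)
        if hit:
            return True
    return False
```

Running `classify` over both samples gives one suppress and one alert; `ossec_match` shows that only the spaced, escaped pattern `Account Name: ATHLON\$` hits the machine-account line.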
