In an attempt to get a custom Windows decoder and rule working, I came up
with the following decoder and rule:
In local_rules.xml:
<group name="windows-account-lockout">
  <rule id="100010" level="5">
    <decoded_as>windows-4740</decoded_as>
    <description>windows-account-lockout</description>
  </rule>
</group>
In decoder.xml:
<decoder name="windows-4740">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_parent">^\.+: (\w+)\((\d+)\):\.+</regex>
  <regex>0x3a1\s+(\.+):\s+Security ID:\.+Account Name:\s+(\S+)</regex>
  <order>status, id, extra_data, user</order>
  <fts>name, location, user, system_name</fts>
</decoder>
Here is a sample Windows event log that was used for testing:
WinEvtLog: Security: AUDIT_SUCCESS(4740): XXXXXXXXXXXXXX: (no user): no
domain: XXXXXXX: XXXXXXX message: A user account was locked out.
Subject: Security ID: XXXXX Account Name: XXX Account Domain:
EXAMPLE Logon ID: 0x3a1 Account That Was Locked Out: Security ID:
XXXXXXXXXXXXXXX Account Name: jking Additional Information: XXXXX:
/opt/ossec/ossec-logtest -d
...
2013/10/21 14:55:40 1 : rule:100010, level 5, timeout: 0
...
...
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_SUCCESS'
id: '4740'
extra_data: ' Account That Was Locked Out'
dstuser: 'jking'
**Phase 3: Completed filtering (rules).
Rule id: '18116'
Level: '9'
Description: 'User account locked out (multiple login errors).'
**Alert to be generated.
It seems to me that my decoder is working. However, why is rule 18116 still
in use? How can I bypass the default msauth rules? Can someone please help?
Thanks,
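Editor's note, not part of the thread: the following Python script is an added example that replays the decoder above against the quoted event offline, so the field mapping can be checked before a logtest run. It translates OSSEC's regex atoms (`\.`, `\w`, `\d`, `\s`, `\S`) to Python, treats OSSEC's `+` as lazy except at the end of the pattern (an approximation), joins the two `<regex>` lines into one pattern (OSSEC concatenates repeated `<regex>` elements), and assumes the stock `windows` parent decoder's prematch is `WinEvtLog: ` for `offset="after_parent"`. The sample event is constructed from the one in the post.

```python
import re

# Constructed sample: the event quoted in the post, unwrapped onto one line, with two
# spaces after "0x3a1" so the extracted extra_data matches the logtest output shown.
SAMPLE = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4740): XXXXXXXXXXXXXX: (no user): no domain: "
    "XXXXXXX: XXXXXXX message: A user account was locked out. Subject: Security ID: "
    "XXXXX Account Name: XXX Account Domain: EXAMPLE Logon ID: 0x3a1  Account That Was "
    "Locked Out: Security ID: XXXXXXXXXXXXXXX Account Name: jking Additional Information: XXXXX:"
)

# The decoder from the post, expressed as data.
DECODER = {
    "regex": [r"^\.+: (\w+)\((\d+)\):\.+",
              r"0x3a1\s+(\.+):\s+Security ID:\.+Account Name:\s+(\S+)"],
    "order": ["status", "id", "extra_data", "user"],
}
PARENT_PREMATCH = "WinEvtLog: "  # assumed prematch of the stock 'windows' parent decoder

# OSSEC regex atoms and their Python equivalents (OSSEC's \w also covers '@' and '-').
OSSEC_ATOMS = {r"\.": ".", r"\w": "[A-Za-z0-9_@-]", r"\d": r"\d", r"\s": r"\s", r"\S": r"\S"}

def ossec_to_python(pattern):
    """Translate an OSSEC pattern. Approximation: OSSEC's '+' stops at the first point
    where the following element matches, so every '+' except a trailing one becomes lazy."""
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in OSSEC_ATOMS:
            out.append(OSSEC_ATOMS[tok])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    py = "".join(out).replace("+", "+?")
    return re.sub(r"\+\?(\)?)$", r"+\1", py)  # a trailing '+' has nothing to stop at

def decode(event, decoder=DECODER):
    """Run the decoder: offset="after_parent" starts after the parent's match, repeated
    <regex> elements are concatenated, and captures fill <order> left to right."""
    if not event.startswith(PARENT_PREMATCH):
        return None
    pattern = ossec_to_python("".join(decoder["regex"]))
    m = re.search(pattern, event[len(PARENT_PREMATCH):])
    if m is None:
        return None
    return dict(zip(decoder["order"], m.groups()))

if __name__ == "__main__":
    for field, value in decode(SAMPLE).items():
        print(f"{field}: {value!r}")
```

Note that the leading space in extra_data reproduces what ossec-logtest printed above: `\s+` stops after one whitespace character once `\.+` can match.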