On Oct 21, 2013 9:13 PM, "tww0101" <[email protected]> wrote:
>
> In an attempt to get custom Windows decoder and rules working, I came up with the following decoder and rule:
>
> In local_rules.xml:
>
> <group name="windows-account-lockout">
>   <rule id="100010" level="5">
>     <decoded_as>windows-4740</decoded_as>

That should be decoded as windows, not windows-4740. Look at the ossec-logtest output.

>     <description>windows-account-lockout</description>
>   </rule>
> </group>
>
> In decoder.xml:
>
> <decoder name="windows-4740">
>   <type>windows</type>
>   <parent>windows</parent>
>   <regex offset="after_parent">^\.+: (\w+)\((\d+)\):\.+</regex>
>   <regex>0x3a1\s+(\.+):\s+Security ID:\.+Account Name:\s+(\S+)</regex>
>   <order>status, id, extra_data, user</order>
>   <fts>name, location, user, system_name</fts>
> </decoder>
>
> Here is a sample Windows event log that was used for testing:
>
> WinEvtLog: Security: AUDIT_SUCCESS(4740): XXXXXXXXXXXXXX: (no user): no domain: XXXXXXX: XXXXXXX message: A user account was locked out. Subject: Security ID: XXXXX Account Name: XXX Account Domain: EXAMPLE Logon ID: 0x3a1 Account That Was Locked Out: Security ID: XXXXXXXXXXXXXXX Account Name: jking Additional Information: XXXXX:
>
> /opt/ossec/ossec-logtest -d
>
> ...
> 2013/10/21 14:55:40 1 : rule:100010, level 5, timeout: 0
> ...
> ...
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '4740'
>        extra_data: ' Account That Was Locked Out'
>        dstuser: 'jking'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18116'
>        Level: '9'
>        Description: 'User account locked out (multiple login errors).'
> **Alert to be generated.
>
>
> It seems to me that my decoder is working. However, why is rule 18116 still in use? How can I bypass the default msauth rules? Can someone please help? Thanks,

Remove them, or use them.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
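Added example, not part of the thread and not the OSSEC project's own configuration: a local_rules.xml that takes the "use them" route from the reply. Rule 18116 is the stock msauth rule that fired in the Phase 3 output above; a second top-level rule at level 5 does not displace it, as that output shows. A child rule anchored on 18116 with <if_sid> is evaluated only after 18116 has matched and replaces its level and description in the alert, and further children can carve out exceptions. The rule ids 100010/100011, the group names and the account name "svc-backup" are assumed values for illustration. The overwrite="yes" variant at the end is the "remove them" route without editing msauth_rules.xml; note that it restates the whole match, because overwrite replaces the stock rule rather than amending it.

```xml
<!-- Added example (not the thread's own configuration): local_rules.xml
     that builds on the stock msauth rule 18116 instead of competing with it.
     Rule ids 100010/100011 and the account name "svc-backup" are assumed
     values for illustration. -->
<group name="local,windows-account-lockout,">

  <!-- Child of 18116: only evaluated once 18116 has matched, so it sees
       exactly the event the logtest output above showed (decoder 'windows',
       id '4740'), and this rule's level/description replace 18116's. -->
  <rule id="100010" level="10">
    <if_sid>18116</if_sid>
    <id>^4740$</id>
    <description>Windows account lockout (event 4740): custom handling.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Exception below the rule above: lockouts of an expected service
       account ("svc-backup", assumed name) are dropped to level 0.
       <user> matches the decoded user field (shown as dstuser in logtest). -->
  <rule id="100011" level="0">
    <if_sid>100010</if_sid>
    <user>^svc-backup$</user>
    <description>Lockout of svc-backup is expected; ignored.</description>
  </rule>

</group>

<!-- Alternative, the "remove them" route: replace 18116 in place with the
     same id and overwrite="yes" rather than deleting it from
     msauth_rules.xml, so the stock file survives upgrades untouched.
     Because overwrite replaces the rule entirely, the match conditions
     (decoded_as windows, event id 4740) are restated here in full. -->
<group name="local,">
  <rule id="18116" level="10" overwrite="yes">
    <decoded_as>windows</decoded_as>
    <id>^4740$</id>
    <description>User account locked out (event 4740).</description>
  </rule>
</group>
```

Feed the sample line from the post through /opt/ossec/ossec-logtest again after restarting OSSEC: with the first group, Phase 3 should report rule 100010 at level 10 (or nothing at all once the decoded user matches the level-0 exception); with the overwrite variant it should still report 18116, now with the local level and description. Keep only one of the two groups in local_rules.xml; they are alternatives, not a pair.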
