OSSEC newbie here. I am trying to have our OSSEC server fire alerts for
common authentication failures and other notable Windows event logs, pretty
much out-of-the-box configuration with tweaks to come.
I'm testing authentication failure from one of the target machines (Win7)
by locking it and intentionally entering a wrong password. What I see is rule
1002 (syslog) firing an alert, since it matches one of the default
"bad_word" list entries out of the box, but I do not see the msauth rule firing
additional alerts.
What I've done to test is change rule 1002 to look for a bogus word instead,
so it doesn't hit anymore, and now I see no rules firing or matching.
The next step was to test it using ossec-logtest. Feeding the text below
(copied from the previous alert of rule id 1002) to the test engine shows
success in firing the msauth rule.
========================
WinEvtLog: Security: AUDIT_FAILURE(4625):
Microsoft-Windows-Security-Auditing: (no user): no domain: *computername*:
An account failed to log on. Subject: Security ID: S-1-5-18 Account
Name: *computername*$ Account Domain: *Ourdomain* Logon ID: 0x3e7
Logon Type: 7 Account For Which Logon Failed: Security ID: S-1-0-0
Account Name: *MyAccountName* Account Domain: *OurDomain* Failure
Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status:
0xc000006a Process Information: Caller Process ID: 0x2a0 Caller Process
Name: C:\Windows\System32\winlogon.exe Network Information: Workstation
Name: *ComputerName* Source Network Address: 127.0.0.1 Source Port: 0
Detailed Authentication Information: Logon Process: User32
Authentication Package: Negotiate Transited Services: - Package Name
(NTLM only): - Key Length: 0 This event is generated when a logon
request fails. It is generated on the computer where access was attempted.
========================
-omitted phase 1 success-
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_FAILURE'
id: '4625'
extra_data: 'Microsoft-Windows-Security-Auditing'
dstuser: '(no user)'
system_name: 'BSS01745b.coh.org'
**Phase 3: Completed filtering (rules).
Rule id: '18106'
Level: '5'
Description: 'Windows Logon Failure.'
**Alert to be generated.
========================
However, the actual alert doesn't get generated in a real test. When I change
rule ID 1002 back to the default (looking for $BAD_WORD), the alert fires
again with rule ID 1002, but only with 1002. Any idea why this isn't
working? How can I troubleshoot further? Thanks.
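Added example (not from the original post or from OSSEC itself): a small Python stand-in for what ossec-logtest shows above. It splits a WinEvtLog line into the same fields the 'windows' decoder reports (status, id, extra_data, dstuser, system_name), pulls the 4625 Status/Sub Status codes out of the message body so a wrong password can be told apart from a lockout or a non-existent user, and applies a simplified version of the rule step that yields 18106. The header layout and the rule logic are assumptions modelled on the sample line and the logtest output; the hostname and account in the sample are constructed placeholders.

```python
import re

# Constructed sample line, modelled on the AUDIT_FAILURE(4625) event in the post
# (hostname and account are placeholders; the message body is abridged).
SAMPLE = (
    "WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: WS01: An account failed to log on. Subject: Security ID: "
    "S-1-5-18 Account Name: WS01$ Account Domain: EXAMPLE Logon ID: 0x3e7 Logon Type: 7 "
    "Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: alice "
    "Account Domain: EXAMPLE Failure Information: Failure Reason: %%2313 "
    "Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x2a0"
)

# Header layout the agent writes in front of the event text (assumed from the sample above).
HEADER = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<message>.*)$"
)

# NTSTATUS sub-status codes Windows reports in event 4625; they say *why* the logon failed.
SUB_STATUS = {
    "0xc000006a": "wrong password",
    "0xc0000064": "user name does not exist",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
}

def decode(line):
    """Return the fields ossec-logtest prints for the 'windows' decoder, plus 4625 details."""
    m = HEADER.match(line.replace("\n", " "))  # fold a multi-line event onto one line first
    if not m:
        return None
    d = m.groupdict()
    body = d["message"]
    def grab(pattern):
        mm = re.search(pattern, body)
        return mm.group(1) if mm else None
    d["logon_type"] = grab(r"Logon Type:\s+(\d+)")
    d["target_user"] = grab(r"Account For Which Logon Failed:.*?Account Name:\s+(\S+)")
    d["status_code"] = grab(r"(?<!Sub )Status:\s+(0x[0-9a-fA-F]+)")  # skip "Sub Status:"
    d["sub_status"] = grab(r"Sub Status:\s+(0x[0-9a-fA-F]+)")
    d["reason"] = SUB_STATUS.get((d["sub_status"] or "").lower(), "other/unknown")
    return d

def match_rule(d):
    """Simplified stand-in for the rule step: 18106 'Windows Logon Failure' on AUDIT_FAILURE 4625."""
    if d and d["status"] == "AUDIT_FAILURE" and d["id"] == "4625":
        return 18106
    return None
```

Running `decode(SAMPLE)` on the line from the post and comparing the result with the Phase 2 fields logtest prints is a quick way to see whether the line the server actually receives still has the header the decoder expects.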