On Thu, Aug 28, 2014 at 1:05 PM, velvin <[email protected]> wrote:
> OSSEC newbie here. I am trying to have our OSSEC server fire alerts for
> common authentication failures and other notable windows event logs, pretty
> much out of the box configuration with tweaks to come.
>
> I'm testing authentication failure from one of the target machines (Win7) by
> locking it and intentionally entering a wrong password. What I see is rule 1002
> (syslog) firing with an alert, since it matches one of the default "bad_word"
> list entries out of the box, but I do not see the msauth rule firing additional
> alerts.
>
> What I've done to test is change rule 1002 to look for a bogus word instead
> so it doesn't hit anymore and now I see no rules firing or matching.
>
> The next step was to test it out using ossec-logtest. Feeding the text below
> (copied from the previous alert of rule id 1002) to the test engine shows
> success in firing the msauth rule.
>
> ========================
> WinEvtLog: Security: AUDIT_FAILURE(4625):
> Microsoft-Windows-Security-Auditing: (no user): no domain: computername: An
> account failed to log on. Subject: Security ID: S-1-5-18 Account Name:
> computername$ Account Domain: Ourdomain Logon ID: 0x3e7 Logon Type: 7
> Account For Which Logon Failed: Security ID: S-1-0-0 Account Name:
> MyAccountName Account Domain: OurDomain Failure Information: Failure
> Reason: %%2313 Status: 0xc000006d Sub Status: 0xc000006a Process
> Information: Caller Process ID: 0x2a0 Caller Process Name:
> C:\Windows\System32\winlogon.exe Network Information: Workstation Name:
> ComputerName Source Network Address: 127.0.0.1 Source Port: 0 Detailed
> Authentication Information: Logon Process: User32 Authentication
> Package: Negotiate Transited Services: - Package Name (NTLM only): - Key
> Length: 0 This event is generated when a logon request fails. It is
> generated on the computer where access was attempted.
> ========================
>
> -omitted phase 1 success-
>
> **Phase 2: Completed decoding.
> decoder: 'windows'
> status: 'AUDIT_FAILURE'
> id: '4625'
> extra_data: 'Microsoft-Windows-Security-Auditing'
> dstuser: '(no user)'
> system_name: 'BSS01745b.coh.org'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '18106'
> Level: '5'
> Description: 'Windows Logon Failure.'
> **Alert to be generated.
> ========================
>
> However, the actual alert doesn't get generated in a real test. When I change
> Rule ID 1002 back to default (looking for $BAD_WORD) the alert will fire
> again with rule ID 1002, but only with 1002. Any idea why this isn't working?
> How can I troubleshoot further? Thanks.
>
Running that log message through ossec-logtest, I get:
[root@localhost ossec-server]# cat /tmp/iii | bin/ossec-logtest
2014/08/28 13:42:44 ossec-testrule: INFO: Reading local decoder file.
2014/08/28 13:42:44 ossec-testrule: INFO: Started (pid: 6836).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: Security: AUDIT_FAILURE(4625):
Microsoft-Windows-Security-Auditing: (no user): no domain:
computername: An account failed to log on. Subject: Security ID:
S-1-5-18 Account Name: computername$ Account Domain: Ourdomain
Logon ID: 0x3e7 Logon Type: 7 Account For Which Logon Failed:
Security ID: S-1-0-0 Account Name: MyAccountName Account Domain:
OurDomain Failure Information: Failure Reason: %%2313 Status:
0xc000006d Sub Status: 0xc000006a Process Information: Caller
Process ID: 0x2a0 Caller Process Name:
C:\Windows\System32\winlogon.exe Network Information: Workstation
Name: ComputerName Source Network Address: 127.0.0.1 Source Port: 0
Detailed Authentication Information: Logon Process: User32
Authentication Package: Negotiate Transited Services: - Package Name
(NTLM only): - Key Length: 0 This event is generated when a logon
request fails. It is generated on the computer where access was
attempted.'
hostname: 'localhost'
program_name: '(null)'
log: 'WinEvtLog: Security: AUDIT_FAILURE(4625):
Microsoft-Windows-Security-Auditing: (no user): no domain:
computername: An account failed to log on. Subject: Security ID:
S-1-5-18 Account Name: computername$ Account Domain: Ourdomain
Logon ID: 0x3e7 Logon Type: 7 Account For Which Logon Failed:
Security ID: S-1-0-0 Account Name: MyAccountName Account Domain:
OurDomain Failure Information: Failure Reason: %%2313 Status:
0xc000006d Sub Status: 0xc000006a Process Information: Caller
Process ID: 0x2a0 Caller Process Name:
C:\Windows\System32\winlogon.exe Network Information: Workstation
Name: ComputerName Source Network Address: 127.0.0.1 Source Port: 0
Detailed Authentication Information: Logon Process: User32
Authentication Package: Negotiate Transited Services: - Package Name
(NTLM only): - Key Length: 0 This event is generated when a logon
request fails. It is generated on the computer where access was
attempted.'
**Phase 2: Completed decoding.
decoder: 'windows'
**Phase 3: Completed filtering (rules).
Rule id: '18100'
Level: '0'
Description: 'Group of windows rules.'
So this makes me wonder what's different between our setups. Which
version of OSSEC are you using?
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
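The difference between the two ossec-logtest runs above is in Phase 2: the original poster's decoder output carries status, id, extra_data and dstuser fields, while the reply's output shows only the decoder name, so a child rule keyed on those fields can never match and only the level-0 group rule 18100 is left standing. The following Python script is an added illustration of that decode-then-rule dependency; it is not OSSEC's code, and its two rule definitions (sids 18100 and 18106 with the descriptions from the thread) use simplified match conditions that are assumptions for this example, not the contents of msauth_rules.xml. The sample event line is constructed from the shape of the one in the thread, with placeholder host and account names.

```python
"""Toy model of OSSEC's decode (Phase 2) then rule-walk (Phase 3) pipeline.

Shows why an event for which the decoder extracts no fields can only ever
hit the level-0 group rule, producing no alert.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample event, one line as ossec-logtest expects it; names are placeholders.
SAMPLE_EVENT = (
    "WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: computername: An account failed to log on. "
    "Subject: Security ID: S-1-5-18 Account Name: computername$ Account Domain: Ourdomain "
    "Logon ID: 0x3e7 Logon Type: 7 Account For Which Logon Failed: Security ID: S-1-0-0 "
    "Account Name: MyAccountName Account Domain: OurDomain Failure Information: "
    "Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc000006a"
)

# Header layout implied by the thread's Phase 2 output (assumption for this example):
# log name, STATUS(id), source, user, domain, system name, then the free-text message.
HEADER_RE = re.compile(
    r"^WinEvtLog: (?P<log_name>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<message>.*)$"
)


def decode_windows(log: str) -> Optional[dict]:
    """Phase 2 with field extraction: returns decoded fields, or None if not a WinEvtLog line."""
    m = HEADER_RE.match(log)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if k not in ("log_name", "domain", "message")}
    fields["decoder"] = "windows"
    return fields


def decode_header_only(log: str) -> Optional[dict]:
    """Phase 2 that recognises the line but extracts nothing, mimicking the reply's
    logtest output, which shows only decoder: 'windows'."""
    return {"decoder": "windows"} if log.startswith("WinEvtLog: ") else None


@dataclass(frozen=True)
class Rule:
    sid: int
    level: int
    description: str
    decoded_as: Optional[str] = None  # parent rule: selected by decoder name
    if_sid: Optional[int] = None      # child rule: only tried after its parent matched
    status: Optional[str] = None      # required decoded 'status' value
    ids: frozenset = frozenset()      # accepted decoded event 'id' values

    def matches(self, fields: dict) -> bool:
        # Every condition reads a decoded field; a missing field fails the condition.
        if self.decoded_as and fields.get("decoder") != self.decoded_as:
            return False
        if self.status and fields.get("status") != self.status:
            return False
        if self.ids and fields.get("id") not in self.ids:
            return False
        return True


# Stand-ins for the two rules named in the thread; match conditions are assumptions.
RULES = [
    Rule(18100, 0, "Group of windows rules.", decoded_as="windows"),
    Rule(18106, 5, "Windows Logon Failure.", if_sid=18100,
         status="AUDIT_FAILURE", ids=frozenset({"4625"})),
]


def evaluate(fields: dict, rules=RULES) -> Optional[Rule]:
    """Phase 3: try parent rules, descend into matching children via if_sid;
    the deepest matching rule wins."""
    for parent in (r for r in rules if r.if_sid is None):
        if not parent.matches(fields):
            continue
        current = parent
        while True:
            children = [r for r in rules if r.if_sid == current.sid and r.matches(fields)]
            if not children:
                return current
            current = children[0]
    return None


def logtest(log: str, decoder=decode_windows) -> dict:
    """Run one line through decoder + rules and report what would alert."""
    fields = decoder(log)
    if fields is None:
        return {"decoder": None, "fields": {}, "rule": None, "level": 0, "alert": False}
    rule = evaluate(fields)
    return {
        "decoder": fields["decoder"],
        "fields": {k: v for k, v in fields.items() if k != "decoder"},
        "rule": rule.sid if rule else None,
        "level": rule.level if rule else 0,
        "description": rule.description if rule else None,
        "alert": bool(rule and rule.level > 0),  # level 0 never generates an alert
    }


if __name__ == "__main__":
    for name, dec in (("full decoder", decode_windows), ("header-only decoder", decode_header_only)):
        r = logtest(SAMPLE_EVENT, dec)
        print(f"{name}: rule {r['rule']} level {r['level']} alert={r['alert']} fields={r['fields']}")
```

The practical check this models: when comparing two ossec-logtest runs, look at whether Phase 2 prints the same extracted fields (status, id, dstuser, and so on), because a rule chained with if_sid onto the windows group rule can only match on fields the decoder actually produced.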