On Thu, Aug 28, 2014 at 1:48 PM, dan (ddp) <[email protected]> wrote:
> On Thu, Aug 28, 2014 at 1:05 PM, velvin <[email protected]> wrote:
>> OSSEC newbie here. I am trying to have our OSSEC server fire alerts for
>> common authentication failures and other notable Windows event logs, pretty
>> much out of the box configuration with tweaks to come.
>>
>> I'm testing authentication failure from one of the target machines (Win7) by
>> locking and intentionally entering wrong password. What I see is rule 1002
>> (syslog) firing with an alert since it matches one of the default "bad_word"
>> list out of the box but I do not see the msauth rule firing additional
>> alerts.
>>
>> What I've done to test is change rule 1002 to look for a bogus word instead
>> so it doesn't hit anymore and now I see no rules firing or matching.
>>
>> Next step was to test it out using the ossec-logtest. Feeding below text
>> (copied from the previous alert of rule id 1002) to the test engine shows
>> success in firing msauth rule.
>>
>> ========================
>> WinEvtLog: Security: AUDIT_FAILURE(4625):
>> Microsoft-Windows-Security-Auditing: (no user): no domain: computername: An
>> account failed to log on. Subject:  Security ID:  S-1-5-18  Account Name:
>> computername$  Account Domain:  Ourdomain  Logon ID:  0x3e7  Logon Type:   7
>> Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:
>> MyAccountName  Account Domain:  OurDomain  Failure Information:  Failure
>> Reason:  %%2313  Status:   0xc000006d  Sub Status:  0xc000006a  Process
>> Information:  Caller Process ID: 0x2a0  Caller Process Name:
>> C:\Windows\System32\winlogon.exe  Network Information:  Workstation Name:
>> ComputerName  Source Network Address: 127.0.0.1  Source Port:  0  Detailed
>> Authentication Information:  Logon Process:  User32   Authentication
>> Package: Negotiate  Transited Services: -  Package Name (NTLM only): -  Key
>> Length:  0  This event is generated when a logon request fails. It is
>> generated on the computer where access was attempted.
>> ========================
>>
>> -omitted phase 1 success-
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'windows'
>>        status: 'AUDIT_FAILURE'
>>        id: '4625'
>>        extra_data: 'Microsoft-Windows-Security-Auditing'
>>        dstuser: '(no user)'
>>        system_name: 'BSS01745b.coh.org'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '18106'
>>        Level: '5'
>>        Description: 'Windows Logon Failure.'
>> **Alert to be generated.
>> ========================
>>
>> However, the actual alert doesn't get generated in real test. When I change
>> Rule ID 1002 back to default (looking for $BAD_WORD) the alert will fire
>> again with rule ID 1002 but only with 1002. Any idea why this isn't working?
>> How can I troubleshoot further? Thanks.
>>
>
>
> Running that log message through ossec-logtest I get:
> [root@localhost ossec-server]# cat /tmp/iii | bin/ossec-logtest
> 2014/08/28 13:42:44 ossec-testrule: INFO: Reading local decoder file.
> 2014/08/28 13:42:44 ossec-testrule: INFO: Started (pid: 6836).
> ossec-testrule: Type one log per line.
>
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'WinEvtLog: Security: AUDIT_FAILURE(4625):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> computername: An account failed to log on. Subject:  Security ID:
> S-1-5-18  Account Name:  computername$  Account Domain:  Ourdomain
> Logon ID:  0x3e7  Logon Type:   7  Account For Which Logon Failed:
> Security ID:  S-1-0-0  Account Name:  MyAccountName  Account Domain:
> OurDomain  Failure Information:  Failure Reason:  %%2313  Status:
> 0xc000006d  Sub Status:  0xc000006a  Process Information:  Caller
> Process ID: 0x2a0  Caller Process Name:
> C:\Windows\System32\winlogon.exe  Network Information:  Workstation
> Name: ComputerName  Source Network Address: 127.0.0.1  Source Port:  0
>  Detailed Authentication Information:  Logon Process:  User32
> Authentication Package: Negotiate  Transited Services: -  Package Name
> (NTLM only): -  Key Length:  0  This event is generated when a logon
> request fails. It is generated on the computer where access was
> attempted.'
>        hostname: 'localhost'
>        program_name: '(null)'
>        log: 'WinEvtLog: Security: AUDIT_FAILURE(4625):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> computername: An account failed to log on. Subject:  Security ID:
> S-1-5-18  Account Name:  computername$  Account Domain:  Ourdomain
> Logon ID:  0x3e7  Logon Type:   7  Account For Which Logon Failed:
> Security ID:  S-1-0-0  Account Name:  MyAccountName  Account Domain:
> OurDomain  Failure Information:  Failure Reason:  %%2313  Status:
> 0xc000006d  Sub Status:  0xc000006a  Process Information:  Caller
> Process ID: 0x2a0  Caller Process Name:
> C:\Windows\System32\winlogon.exe  Network Information:  Workstation
> Name: ComputerName  Source Network Address: 127.0.0.1  Source Port:  0
>  Detailed Authentication Information:  Logon Process:  User32
> Authentication Package: Negotiate  Transited Services: -  Package Name
> (NTLM only): -  Key Length:  0  This event is generated when a logon
> request fails. It is generated on the computer where access was
> attempted.'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18100'
>        Level: '0'
>        Description: 'Group of windows rules.'
>
>
> So this makes me wonder what's different between our setups. Which
> version of OSSEC are you using?
>


Never mind, figured out why my results were way different. Here's what
I get now:

**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_FAILURE(4625):
Microsoft-Windows-Security-Auditing: (no user): no domain:
computername: An account failed to log on. Subject:  Security ID:
S-1-5-18  Account Name:  computername$  Account Domain:  Ourdomain
Logon ID:  0x3e7  Logon Type:   7  Account For Which Logon Failed:
Security ID:  S-1-0-0  Account Name:  MyAccountName  Account Domain:
OurDomain  Failure Information:  Failure Reason:  %%2313  Status:
0xc000006d  Sub Status:  0xc000006a  Process Information:  Caller
Process ID: 0x2a0  Caller Process Name:
C:\Windows\System32\winlogon.exe  Network Information:  Workstation
Name: ComputerName  Source Network Address: 127.0.0.1  Source Port:  0
 Detailed Authentication Information:  Logon Process:  User32
Authentication Package: Negotiate  Transited Services: -  Package Name
(NTLM only): -  Key Length:  0  This event is generated when a logon
request fails. It is generated on the computer where access was
attempted.'
       hostname: 'localhost'
       program_name: '(null)'
       log: 'WinEvtLog: Security: AUDIT_FAILURE(4625):
Microsoft-Windows-Security-Auditing: (no user): no domain:
computername: An account failed to log on. Subject:  Security ID:
S-1-5-18  Account Name:  computername$  Account Domain:  Ourdomain
Logon ID:  0x3e7  Logon Type:   7  Account For Which Logon Failed:
Security ID:  S-1-0-0  Account Name:  MyAccountName  Account Domain:
OurDomain  Failure Information:  Failure Reason:  %%2313  Status:
0xc000006d  Sub Status:  0xc000006a  Process Information:  Caller
Process ID: 0x2a0  Caller Process Name:
C:\Windows\System32\winlogon.exe  Network Information:  Workstation
Name: ComputerName  Source Network Address: 127.0.0.1  Source Port:  0
 Detailed Authentication Information:  Logon Process:  User32
Authentication Package: Negotiate  Transited Services: -  Package Name
(NTLM only): -  Key Length:  0  This event is generated when a logon
request fails. It is generated on the computer where access was
attempted.'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '4625'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'computername'

**Phase 3: Completed filtering (rules).
       Rule id: '18138'
       Level: '7'
       Description: 'Logon Failure - Account locked out.'
**Alert to be generated.

Do you have rule id 18138?

>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
