Hello,

I'm Carlos and I am new to using OSSEC; however, my organization recently adopted OSSEC as its HIDS, and we are pleased with the results. We started the setup by installing the agent on some of our servers (including our Exchange server), and now we are receiving a lot of level 7 and level 10 alerts, as follows:

> Rule: 18138 fired (level 7) -> "Logon Failure - Account locked out."
> Portion of the log(s):
> 2014 Aug 31 16:08:01 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: NHGC-MX-01.nhgc.local: An account failed to log on.
> Subject:
>   Security ID: S-1-5-20
>   Account Name: NHGC-MX-01$
>   Account Domain: NHGC
>   Logon ID: 0x3e4
> Logon Type: 8
> Account For Which Logon Failed:
>   Security ID: S-1-0-0
>   *Account Name: charlie*
>   Account Domain:
> Failure Information:
>   Failure Reason: %%2313
>   Status: 0xc000006d
>   Sub Status: 0xc0000064
> Process Information:
>   Caller Process ID: 0xfcc
>   Caller Process Name: C:\Program Files\Microsoft\Exchange Server\V14\Bin\EdgeTransport.exe
> Network Information:
>   Workstation Name: NHGC-MX-01
>   Source Network Address: -
>   Source Port: -
> Detailed Authentication Information:
>   Logon Process: Advapi
>   Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>   Transited Services: -
>   Package Name (NTLM only): -
>   Key Length: 0
> This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The strange thing about this alert is that the value of the *Account Name* changes randomly to a name that does not correspond to any of our users. Similarly, I find Logon Type 8 strange, because it is an attempt to log on with credentials in plain text.

> Received From: (nhgc-mx-01) 192.168.50.7->WinEvtLog
> Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."
> Portion of the log(s):
> 2014 Aug 31 23:51:59 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: NHGC-MX-01.nhgc.local: An account failed to log on.
> Subject:
>   Security ID: S-1-5-20
>   Account Name: NHGC-MX-01$
>   Account Domain: NHGC
>   Logon ID: 0x3e4
> Logon Type: 8
> Account For Which Logon Failed:
>   Security ID: S-1-0-0
>   Account Name: [email protected]
>   Account Domain:
> Failure Information:
>   Failure Reason: %%2313
>   Status: 0xc000006d
>   Sub Status: 0xc0000064
> Process Information:
>   Caller Process ID: 0xfcc
>   Caller Process Name: C:\Program Files\Microsoft\Exchange Server\V14\Bin\EdgeTransport.exe
> Network Information:
>   Workstation Name: NHGC-MX-01
>   Source Network Address: -
>   Source Port: -
> Detailed Authentication Information:
>   Logon Process: Advapi
>   Authentication Package: Negotiate
>   Transited Services: -
>   Package Name (NTLM only): -
>   Key Length: 0
> This event is generated when a logon request fails. It is generated on the computer where access was attempted.

As said before, the accounts used in these logons are not from our domain, and the number of alerts of this type is significant (around 60). We are thinking of a virus or some kind of attack.

Regards,
--
Carlos J. Castillo
----------------------------------------------------------------------------------
IT Solutions Engineer
+58 426 2542313
@Dr4g0nKn1ght
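As an added example (my own code, not anything posted in this thread and not part of OSSEC): a small Python triage script for the kind of alert quoted above. It parses the flattened WinEvtLog 4625 lines that the OSSEC agent forwards, decodes Logon Type, Status, Sub Status and the caller process against their Microsoft-documented meanings, and groups repeated failures by caller process so that a burst of guesses through one service stands out from an ordinary mistyped password. The sample lines, host and account names, file paths and thresholds are constructed to mirror the format in the post; they are assumptions, not data from the thread.

```python
"""Triage of OSSEC-forwarded Windows 4625 ("An account failed to log on") events.

Added example, not from the ossec-list thread or from OSSEC itself.
Sample lines below are constructed in the flattened layout OSSEC emits.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Microsoft-documented meanings for the fields that matter here.
LOGON_TYPES = {
    "2": "Interactive",
    "3": "Network",
    "8": "NetworkCleartext (password presented in clear text, e.g. Basic / AUTH LOGIN)",
    "10": "RemoteInteractive",
}
STATUS_CODES = {
    "0xc000006d": "logon failure: bad user name or authentication information",
    "0xc000006e": "account restriction",
    "0xc0000234": "account locked out",
}
SUB_STATUS_CODES = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "wrong password for existing user",
    "0xc0000071": "password expired",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
}

# One regex per field. "(?<!Sub )" keeps "Status:" from matching inside "Sub Status:",
# and the lookahead on the failed account skips an empty "Account Name:" field.
FIELD_PATTERNS = {
    "logon_type": re.compile(r"Logon Type:\s*(\d+)"),
    "failed_account": re.compile(r"Account For Which Logon Failed:.*?Account Name:\s*(?!Account Domain:)(\S+)"),
    "status": re.compile(r"(?<!Sub )Status:\s*(0x[0-9a-fA-F]+)"),
    "sub_status": re.compile(r"Sub Status:\s*(0x[0-9a-fA-F]+)"),
    "caller": re.compile(r"Caller Process Name:\s*(.*?)\s+Network Information:"),
    "source": re.compile(r"Source Network Address:\s*(\S+)"),
    "auth_package": re.compile(r"Authentication Package:\s*(\S+)"),
}


def parse_4625(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Decode one flattened 4625 line into named fields; None if the line is not a 4625."""
    if "AUDIT_FAILURE(4625)" not in line:
        return None
    text = line.replace("*", "")  # drop e-mail emphasis markers such as *Account Name: charlie*
    fields: Dict[str, Optional[str]] = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = pattern.search(text)
        fields[name] = m.group(1) if m else None
    for key in ("status", "sub_status"):  # hex codes are case-insensitive in the event text
        if fields[key]:
            fields[key] = fields[key].lower()
    fields["caller_exe"] = PureWindowsPath(fields["caller"]).name if fields["caller"] else None
    fields["logon_type_meaning"] = LOGON_TYPES.get(fields["logon_type"] or "", "other")
    fields["status_meaning"] = STATUS_CODES.get(fields["status"] or "", "unknown")
    fields["sub_status_meaning"] = SUB_STATUS_CODES.get(fields["sub_status"] or "", "unknown")
    return fields


def triage(lines: List[str], min_events: int = 5, min_distinct_accounts: int = 3) -> List[dict]:
    """Group 4625 events by (caller process, logon type) and flag clusters of guessed names.

    The thresholds are illustrative assumptions, not OSSEC rule defaults.
    """
    groups = defaultdict(list)
    for line in lines:
        ev = parse_4625(line)
        if ev:
            groups[(ev["caller_exe"], ev["logon_type"])].append(ev)
    findings = []
    for (caller, ltype), events in groups.items():
        accounts = {e["failed_account"] for e in events}
        breakdown = Counter(e["sub_status_meaning"] for e in events)
        sources = sorted({e["source"] for e in events if e["source"]})
        finding = {
            "caller": caller, "logon_type": ltype,
            "logon_type_meaning": LOGON_TYPES.get(ltype or "", "other"),
            "events": len(events), "distinct_accounts": len(accounts),
            "sub_status_breakdown": dict(breakdown),
            "auth_packages": sorted({e["auth_package"] for e in events if e["auth_package"]}),
            "sources": sources, "verdict": "review",
        }
        if (len(events) >= min_events and len(accounts) >= min_distinct_accounts
                and breakdown["user name does not exist"] == len(events)):
            finding["verdict"] = ("many distinct non-existent user names through one process: "
                                  "consistent with user-name guessing against the service it fronts")
        if sources == ["-"]:
            finding["note"] = "4625 carries no client address for this logon path; correlate with the calling service's own logs"
        findings.append(finding)
    return findings


def _sample_line(ts, logon_type, account, status, sub_status, caller, auth_pkg, src="-", logon_process="Advapi"):
    # Constructed sample in the post's layout (hypothetical host MX-01.example.local, not real data).
    return (f"{ts} WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
            f"(no user): no domain: MX-01.example.local: An account failed to log on. Subject: Security ID: "
            f"S-1-5-20 Account Name: MX-01$ Account Domain: EXAMPLE Logon ID: 0x3e4 Logon Type: {logon_type} "
            f"Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: {account} Account Domain: "
            f"Failure Information: Failure Reason: %%2313 Status: {status} Sub Status: {sub_status} "
            f"Process Information: Caller Process ID: 0xfcc Caller Process Name: {caller} Network Information: "
            f"Workstation Name: MX-01 Source Network Address: {src} Source Port: - Detailed Authentication "
            f"Information: Logon Process: {logon_process} Authentication Package: {auth_pkg} Transited Services: - "
            f"Package Name (NTLM only): - Key Length: 0")


EXCHANGE = r"C:\Program Files\Microsoft\Exchange Server\V14\Bin\EdgeTransport.exe"
WINLOGON = r"C:\Windows\System32\winlogon.exe"
SAMPLE_LOGS = [  # constructed: five guessed names through the transport service, one console typo
    _sample_line("2014 Aug 31 16:08:01", 8, "charlie", "0xc000006d", "0xc0000064", EXCHANGE, "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"),
    _sample_line("2014 Aug 31 16:08:05", 8, "webmaster", "0xc000006d", "0xc0000064", EXCHANGE, "Negotiate"),
    _sample_line("2014 Aug 31 16:08:09", 8, "test@example.com", "0xc000006d", "0xc0000064", EXCHANGE, "Negotiate"),
    _sample_line("2014 Aug 31 16:08:12", 8, "admin", "0xc000006d", "0xc0000064", EXCHANGE, "Negotiate"),
    _sample_line("2014 Aug 31 16:08:20", 8, "marketing", "0xc000006d", "0xc0000064", EXCHANGE, "Negotiate"),
    _sample_line("2014 Aug 31 17:30:44", 2, "jdoe", "0xc000006d", "0xc000006a", WINLOGON, "Negotiate",
                 src="127.0.0.1", logon_process="User32"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f)
```

Reading the post's own fields through these tables: Logon Type 8 is NetworkCleartext, and Sub Status 0xC0000064 decodes to "user name does not exist", which is not what the rule 18138 title ("Account locked out") suggests, so the Sub Status rather than the rule title is what to go by. Logon Process Advapi with Source Network Address "-" means the calling process (here EdgeTransport.exe) validated the credentials itself through the logon API, so the 4625 event never learns the remote client's address; the service's own logs (for Exchange, the receive-connector protocol logs) are where that address would have to be recovered.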
