On Wed, Mar 23, 2016 at 12:23 PM, Dustin Lenz <[email protected]> wrote: > Resurrecting this one from the dead. This rule is a problem for me. I am > seeing many false positives (FP). Here is one such example: > >>> Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root >>> 192.168.1.50 (192.168.1.50) 52209 >>> >>> Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root >>> 192.168.1.50 (192.168.1.50) 52209 >>> >>> 2016 Mar 17 09:49:15 WinEvtLog: Security: AUDIT_SUCCESS(4722): >>> Microsoft-Windows-Security-Auditing: (no user): no domain: >>> WINDOWSHOST.domain-internal.com.internal: A user account was enabled. >>> Subject: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX >>> Account Name: username Account Domain: DOMAIN-INTERNAL Logon ID: 0x2xxXXXX >>> Target Account: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX >>> Account Name: VM01XXXX-XXXXXX$ Account Domain: DOMAIN-INTERNAL > > > As you can see this is an obvious FP. > > Can someone weigh in here on how we can remediate these issues? Some days > we see 100+ FP's. >
Disable the rule? I think you could set it to only alert if the logs have the same srcip (not positive though). > Thanks in advance, > > Dustin > > On Wednesday, November 16, 2011 at 9:52:38 AM UTC-8, Franky4fngrs wrote: >> >> Hello, >> >> I have an ossec deployment with a little over 700 agents >> communicating. The issue I am having is that rules such as 40501 >> report a large number of false positives. There are a large number >> of brute force attacks across the environment at any given time. >> Whenever a legitimate user logs in the alert is triggered. I have not >> seen an obvious (to me) way to modify the rules, or groups to address >> this issue. Has anyone tackled this issue before? >> >> Thanks >> > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
