Rule 18257 appears to be prone to misfire. I see it tripping for things
like this:
2016 Nov 18 10:37:26 WinEvtLog: Application: INFORMATION(302): ESENT: (no user): no domain: BNC-O9020: Music.UI (25428) {87E550B7-AD4D-40F7-BE5E-263C3D44C124}: The database engine has successfully completed recovery steps.
See:
https://github.com/ossec/ossec-hids/blob/master/etc/rules/msauth_rules.xml
<rule id="18257" level="3">
  <if_sid>18101</if_sid>
  <id>^200$|^300$|^302$</id>
  <description>Windows: TS Gateway login success.</description>
  <group>authentication_success,pci_dss_10.2.5,</group>
  <info>https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx</info>
</rule>
This would appear to fire on every single Windows informational event
except for event IDs 200, 300, and 302. I presume some other piece of
matching criteria is missing.
Kevin
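Added example (not part of the post or of OSSEC's code) that reproduces the matching problem on sample lines: a small stand-in for the Windows event decoder pulls the channel, level, event ID and source out of a WinEvtLog line, the `<id>` pattern from rule 18257 is applied to the ID alone, and a second check adds a source constraint to show how the rule could be narrowed. The sample lines are constructed (the first is modelled on the ESENT event quoted above), the TS Gateway provider name is an assumption, and Python's `re` is used in place of OSSEC's own matcher, which agrees with it for this plain alternation of anchored literals.

```python
import re
from typing import Optional

# Constructed sample events (not captured from a real host). The first is
# modelled on the ESENT event quoted in the post; the others are made up
# to show the contrast.
SAMPLE_LINES = [
    "2016 Nov 18 10:37:26 WinEvtLog: Application: INFORMATION(302): ESENT: "
    "(no user): no domain: BNC-O9020: Music.UI (25428) "
    "{87E550B7-AD4D-40F7-BE5E-263C3D44C124}: The database engine has "
    "successfully completed recovery steps.",
    # Constructed: what a genuine TS Gateway connection event might look like
    # (the provider name is an assumption, not taken from the post)
    "2016 Nov 18 10:40:01 WinEvtLog: "
    "Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(302): "
    "Microsoft-Windows-TerminalServices-Gateway: alice: EXAMPLE: GW01: "
    "constructed connection message",
    # Constructed: an unrelated informational event with a non-matching ID
    "2016 Nov 18 10:41:13 WinEvtLog: Application: INFORMATION(1000): "
    "Application Error: (no user): no domain: BNC-O9020: constructed message",
]

# Simplified stand-in for OSSEC's Windows decoder (assumption: the real
# decoder splits the line into more fields; only these four matter here).
WINEVT_RE = re.compile(
    r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<level>\w+)\((?P<id>\d+)\): (?P<source>[^:]+): "
)

# The <id> pattern copied from rule 18257 as quoted in the post.
RULE_18257_ID_PATTERN = r"^200$|^300$|^302$"

# Hypothetical additional constraint: accept only the TS Gateway provider.
TSGW_SOURCE_PATTERN = r"^Microsoft-Windows-TerminalServices-Gateway$"


def parse_winevt(line: str) -> Optional[dict]:
    """Return channel/level/id/source for a WinEvtLog line, or None."""
    m = WINEVT_RE.match(line)
    return m.groupdict() if m else None


def id_only_match(event: dict, id_pattern: str = RULE_18257_ID_PATTERN) -> bool:
    """What the rule as written checks: the event ID and nothing else."""
    return re.search(id_pattern, event["id"]) is not None


def id_and_source_match(
    event: dict,
    id_pattern: str = RULE_18257_ID_PATTERN,
    source_pattern: str = TSGW_SOURCE_PATTERN,
) -> bool:
    """Same ID test plus a source check, so another provider that happens to
    reuse event ID 302 (here ESENT) no longer satisfies the rule."""
    return (
        id_only_match(event, id_pattern)
        and re.search(source_pattern, event["source"]) is not None
    )


def evaluate(lines):
    """Per parsable line: (source, id, fires_as_written, fires_with_source_check)."""
    results = []
    for line in lines:
        ev = parse_winevt(line)
        if ev is None:
            continue  # not a WinEvtLog line; the rule would not see it
        results.append(
            (ev["source"], ev["id"], id_only_match(ev), id_and_source_match(ev))
        )
    return results


if __name__ == "__main__":
    for source, eid, as_written, narrowed in evaluate(SAMPLE_LINES):
        print(f"{source:45} id={eid:5} as_written={as_written!s:5} with_source={narrowed}")
```

Running it shows the ESENT recovery event satisfying the ID-only test exactly as the post reports, while the source-constrained variant fires only for the TS Gateway line; the ID 1000 event matches neither.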