On Fri, Nov 18, 2016 at 11:35 AM, Kevin Branch
<ke...@branchnetconsulting.com> wrote:
> Rule 18257 appears to be prone to misfire.  I see it tripping for things
> like this:
>
> 2016 Nov 18 10:37:26 WinEvtLog: Application: INFORMATION(302): ESENT: (no
> user): no domain: BNC-O9020: Music.UI (25428)
> {87E550B7-AD4D-40F7-BE5E-263C3D44C124}: The database engine has successfully
> completed recovery steps.
>
>
> See:
>
> https://github.com/ossec/ossec-hids/blob/master/etc/rules/msauth_rules.xml
>
>   <rule id="18257" level="3">
>     <if_sid>18101</if_sid>
>     <id>^200$|^300$|^302$</id>
>     <description>Windows: TS Gateway login success.</description>
>     <group>authentication_success,pci_dss_10.2.5,</group>
>     <info>https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx</info>
>   </rule>
>
> This would appear to fire on every single Windows informational event except
> for event IDs 200, 300, and 302.  I presume some other piece of matching
> criteria is missing.
>

It should fire on 200, 300, and 302. This event looks like the id
should be 302. So this rule should fire, right?

Unfortunately that log message doesn't decode correctly for me, so
it'll be a pain to figure out what's going on.

# /var/ossec/bin/ossec-logtest -q
2016/11/21 08:05:48 ossec-testrule: INFO: Reading the lists file: 'rules/lists/ossec.block'
2016 Nov 18 10:37:26 WinEvtLog: Application: INFORMATION(302): ESENT: (no user): no domain: BNC-O9020: Music.UI (25428) {87E550B7-AD4D-40F7-BE5E-263C3D44C124}: The database engine has successfully completed recovery steps.
2016/11/21 08:05:49 ossec-testrule: INFO: Started (pid: 87163).
ossec-testrule: Type one log per line.

**Phase 1: Completed pre-decoding.
       full event: '2016 Nov 18 10:37:26 WinEvtLog: Application: INFORMATION(302): ESENT: (no user): no domain: BNC-O9020: Music.UI (25428) {87E550B7-AD4D-40F7-BE5E-263C3D44C124}: The database engine has successfully completed recovery steps.'
       hostname: 'ix'
       program_name: 'WinEvtLog'
       log: 'Application: INFORMATION(302): ESENT: (no user): no domain: BNC-O9020: Music.UI (25428) {87E550B7-AD4D-40F7-BE5E-263C3D44C124}: The database engine has successfully completed recovery steps.'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'INFORMATION'
       id: 'ESENT'
       extra_data: '(no user)'
       dstuser: 'BNC-O9020'

**Phase 3: Completed filtering (rules).
       Rule id: '18101'
       Level: '0'
       Description: 'Windows informational event.'



> Kevin
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

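The rule quoted above constrains only on the decoded event ID, and Windows event IDs are unique per provider, not across the whole event log, so an ESENT 302 satisfies the same `<id>` regex as a TS Gateway 302. The Python below is an added example, not code from the thread or from OSSEC: it runs a simplified approximation of the windows decoder over the ESENT line from the thread plus a constructed TS Gateway line, then evaluates rule 18257 exactly as quoted beside a variant that additionally pins the event source. The decoder regex and its field names, the provider name `Microsoft-Windows-TerminalServices-Gateway`, and the second log line are assumptions made for this example.

```python
import re

# Constructed sample input. The first line is the ESENT event quoted in the
# thread; the second is a hypothetical TS Gateway event invented for this
# example (provider name, host and message text are assumptions, not a
# captured log).
SAMPLE_EVENTS = [
    "2016 Nov 18 10:37:26 WinEvtLog: Application: INFORMATION(302): ESENT: "
    "(no user): no domain: BNC-O9020: Music.UI (25428) "
    "{87E550B7-AD4D-40F7-BE5E-263C3D44C124}: The database engine has "
    "successfully completed recovery steps.",
    "2016 Nov 18 10:40:01 WinEvtLog: "
    "Microsoft-Windows-TerminalServices-Gateway/Operational: INFORMATION(302): "
    "Microsoft-Windows-TerminalServices-Gateway: alice: CONTOSO: BNC-GW01: "
    "The user alice on client computer 10.0.0.5 connected to resource rds01.",
]

# Pre-decoding: strip the agent timestamp, keep program name and payload.
PREDECODE = re.compile(
    r"^\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<program>\S+): (?P<log>.*)$"
)

# Approximation of what the OSSEC 'windows' decoder extracts from a WinEvtLog
# payload (the field names are mine, not OSSEC's). Expected layout:
#   <log name>: <STATUS>(<id>): <source>: <user>: <domain>: <system>: <message>
WINEVT = re.compile(
    r"^(?P<log_name>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system>[^:]+): (?P<message>.*)$"
)


def decode(line):
    """Return the decoded fields of one WinEvtLog line, or None if it does not decode."""
    m = PREDECODE.match(line)
    if not m or m.group("program") != "WinEvtLog":
        return None
    w = WINEVT.match(m.group("log"))
    return w.groupdict() if w else None


# Rule 18257 as quoted in the thread: <id>^200$|^300$|^302$</id> and nothing else.
RULE_18257_ID = re.compile(r"^200$|^300$|^302$")


def rule_18257_as_shipped(ev):
    return RULE_18257_ID.match(ev["id"]) is not None


# Hardened variant for this example: pin the event source as well, because an
# event ID only identifies an event within its provider. The provider name is
# an assumption made here.
TSGW_SOURCE = "Microsoft-Windows-TerminalServices-Gateway"


def rule_18257_pinned(ev):
    return rule_18257_as_shipped(ev) and ev["source"] == TSGW_SOURCE


def evaluate(line):
    """Decode one line and report which variant of rule 18257 would fire on it."""
    ev = decode(line)
    if ev is None:
        return {"decoded": False, "as_shipped": False, "pinned": False}
    return {
        "decoded": True,
        "id": ev["id"],
        "source": ev["source"],
        "as_shipped": rule_18257_as_shipped(ev),
        "pinned": rule_18257_pinned(ev),
    }


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        r = evaluate(line)
        print(f"id={r.get('id')} source={r.get('source')} "
              f"as_shipped={r['as_shipped']} pinned={r['pinned']}")
```

Run stand-alone, the ESENT line fires the rule as quoted but not the pinned variant, while the constructed TS Gateway line fires both. In real OSSEC rule XML the equivalent restriction would be expressed against whichever decoded field carries the event source on your decoder version, which is worth confirming with ossec-logtest before relying on it, since the decode shown in the thread did not land the fields where one would expect.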