On Mon, Nov 21, 2016 at 8:09 AM, dan (ddp) <[email protected]> wrote:
> On Fri, Nov 18, 2016 at 11:35 AM, Kevin Branch
> <[email protected]> wrote:
>> Rule 18257 appears to be prone to misfire.  I see it tripping for things
>> like this:
>>
>> 2016 Nov 18 10:37:26 WinEvtLog: Application: INFORMATION(302): ESENT: (no
>> user): no domain: BNC-O9020: Music.UI (25428)
>> {87E550B7-AD4D-40F7-BE5E-263C3D44C124}: The database engine has successfully
>> completed recovery steps.
>>
>>
>> See:
>>
>> https://github.com/ossec/ossec-hids/blob/master/etc/rules/msauth_rules.xml
>>
>>   <rule id="18257" level="3">
>>     <if_sid>18101</if_sid>
>>     <id>^200$|^300$|^302$</id>
>>     <description>Windows: TS Gateway login success.</description>
>>     <group>authentication_success,pci_dss_10.2.5,</group>
>>     <info>https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx</info>
>>   </rule>
>>
>> This would appear to fire on every single Windows informational event except
>> for event IDs 200, 300, and 302.  I presume some other piece of matching
>> criteria is missing.
>>
>
> It should fire on 200, 300, and 302. This event looks like the id
> should be 302. So this rule should fire, right?
>
> Unfortunately that log message doesn't decode correctly for me, so
> it'll be a pain to figure out what's going on.
>

OT: Found that bug and submitted a PR
(https://github.com/ossec/ossec-hids/pull/992)

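The matching that the quoted rule performs, as an added example in Python (not code from the thread, from OSSEC's decoder, or from PR 992): it pulls the event ID and source out of a WinEvtLog line in the shape shown above and tests the ID against the `<id>` pattern of rule 18257. The field names, the TS Gateway provider name and the extra source comparison are this example's own assumptions; the source check is only an illustration of the kind of additional criterion the first message presumes is missing.

```python
import re
from dataclasses import dataclass
from typing import Optional

# WinEvtLog line shape as it appears in the thread:
#   <timestamp> WinEvtLog: <log>: <SEVERITY>(<event id>): <source>: <user>: <domain>: <host>: <message>
# The field names (log, severity, event_id, source) are this example's own
# naming, not a statement about OSSEC's decoder output.
WINEVT_RE = re.compile(
    r"WinEvtLog: (?P<log>[^:]+): (?P<severity>[A-Z_]+)\((?P<id>\d+)\): (?P<source>[^:]+): "
)

# The <id> pattern of rule 18257, copied from the thread.
RULE_18257_ID = re.compile(r"^200$|^300$|^302$")

# Assumed provider name of the TS Gateway events (assumption of this example,
# not stated in the thread).
TS_GATEWAY_SOURCE = "Microsoft-Windows-TerminalServices-Gateway"


@dataclass
class WinEvent:
    log: str
    severity: str
    event_id: str
    source: str


def decode(line: str) -> Optional[WinEvent]:
    """Extract the fields rule matching looks at; None if not a WinEvtLog line."""
    m = WINEVT_RE.search(line)
    if m is None:
        return None
    return WinEvent(m["log"], m["severity"], m["id"], m["source"])


def rule_18257_matches(line: str) -> bool:
    """Rule 18257 as quoted: only the decoded event ID is tested.

    The parent rule (18101) is not modelled here; assume it already matched.
    """
    ev = decode(line)
    return ev is not None and RULE_18257_ID.search(ev.event_id) is not None


def rule_18257_with_source(line: str, source: str = TS_GATEWAY_SOURCE) -> bool:
    """Hypothetical tightened variant: additionally require the event source.

    Illustrates the sort of extra criterion the thread says is missing;
    it is not the change made in PR 992.
    """
    ev = decode(line)
    return rule_18257_matches(line) and ev is not None and ev.source == source


# Sample lines. ESENT_LINE is the one quoted in the thread (unwrapped);
# the other two are constructed for this example.
ESENT_LINE = (
    "2016 Nov 18 10:37:26 WinEvtLog: Application: INFORMATION(302): ESENT: (no user): "
    "no domain: BNC-O9020: Music.UI (25428) {87E550B7-AD4D-40F7-BE5E-263C3D44C124}: "
    "The database engine has successfully completed recovery steps."
)
TSGW_LINE = (
    "2016 Nov 18 10:40:00 WinEvtLog: Microsoft-Windows-TerminalServices-Gateway/Operational: "
    "INFORMATION(302): Microsoft-Windows-TerminalServices-Gateway: (no user): no domain: "
    "BNC-O9020: constructed TS Gateway connection message"
)
OTHER_LINE = (
    "2016 Nov 18 10:41:00 WinEvtLog: Application: INFORMATION(1000): Winlogon: (no user): "
    "no domain: BNC-O9020: constructed informational event"
)

if __name__ == "__main__":
    for line in (ESENT_LINE, TSGW_LINE, OTHER_LINE):
        ev = decode(line)
        print(ev.source, ev.event_id, rule_18257_matches(line), rule_18257_with_source(line))
```

Run as-is, the ESENT line decodes to ID 302 and satisfies the quoted `<id>` pattern, so the rule fires on it exactly as written; only the source-aware variant separates it from a TS Gateway 302. A 1000 event matches neither.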