Hi all,

Nice catch, Dan! Unfortunately, rule 18257 is still triggering. The log 
is related to a "Database update" and rule 18257 is for logins, so I 
think we should add a rule to ignore this kind of log 
(<https://groups.google.com/forum/#!topic/wazuh/243hyX4axYA>).

Regards.

On Monday, November 21, 2016 at 2:20:11 PM UTC+1, dan (ddpbsd) wrote:
>
> On Mon, Nov 21, 2016 at 8:09 AM, dan (ddp) <[email protected]> wrote:
> > On Fri, Nov 18, 2016 at 11:35 AM, Kevin Branch <[email protected]> wrote:
> >> Rule 18257 appears to be prone to misfire. I see it tripping for things like this:
> >>
> >> 2016 Nov 18 10:37:26 WinEvtLog: Application: INFORMATION(302): ESENT: (no user): no domain: BNC-O9020: Music.UI (25428) {87E550B7-AD4D-40F7-BE5E-263C3D44C124}: The database engine has successfully completed recovery steps.
> >>
> >> See:
> >>
> >> https://github.com/ossec/ossec-hids/blob/master/etc/rules/msauth_rules.xml
> >>
> >>   <rule id="18257" level="3">
> >>     <if_sid>18101</if_sid>
> >>     <id>^200$|^300$|^302$</id>
> >>     <description>Windows: TS Gateway login success.</description>
> >>     <group>authentication_success,pci_dss_10.2.5,</group>
> >>     <info>https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx</info>
> >>   </rule>
> >>
> >> This would appear to fire on every single Windows informational event except for event IDs 200, 300, and 302. I presume some other piece of matching criteria is missing.
> >>
> >
> > It should fire on 200, 300, and 302. This event looks like the id should be 302. So this rule should fire, right?
> >
> > Unfortunately that log message doesn't decode correctly for me, so it'll be a pain to figure out what's going on
> >
>
> OT: Found that bug and submitted a PR (https://github.com/ossec/ossec-hids/pull/992)
>
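One way to write the ignore rule proposed above, added here as an illustration rather than taken from the thread or from the OSSEC rule set: a level-0 child of rule 18257 that matches the ESENT source name in the raw event, so the "database engine" informational event with ID 302 no longer produces a TS Gateway login alert. The rule id 100100 and the `: ESENT: ` match string are my own choices; the rule assumes the event reaches 18257 through the standard msauth chain shown in the quoted rule.

```xml
<!-- Example local rule (added here, not from the thread or the OSSEC rules):
     silence rule 18257 for ESENT informational events that carry event ID 302,
     which the TS Gateway login rule also matches. Goes in local_rules.xml. -->
<group name="local,windows,">

  <!-- Rule id 100100 is an assumed value in the local-rule range (100000+).
       Level 0 means the event is matched but no alert is generated. -->
  <rule id="100100" level="0">
    <if_sid>18257</if_sid>
    <!-- Substring match on the raw log line: the ESENT source name follows
         the severity, e.g. "INFORMATION(302): ESENT: (no user): ..." -->
    <match>: ESENT: </match>
    <description>Windows: ESENT database engine informational event, not a TS Gateway login.</description>
  </rule>

</group>
```

After adding the rule, paste the quoted log line into ossec-logtest to confirm that it now ends at rule 100100 with level 0 instead of firing 18257. The same level-0 child pattern applies to any other Windows source whose event IDs collide with 200, 300 or 302; matching on the source name keeps the original login rule intact for genuine TS Gateway events.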

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.