[ossec-list] I'm unclear why my rule is not matching...

Mon, 03 Jul 2017 05:29:54 -0700 

I've got this event log in windows:

2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): 
Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The 
Windows Filtering Platform blocked a packet. Application Information: 
Process ID: 0 Application Name: - Network Information: Direction: %%14592 
Source Address: 192.168.1.120 Source Port: 39740 Destination Address: 
192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information: 
Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13

I'd like to ignore entries that contain the broadcast address 192.168.1.255.

If I fire up "ossec-logtest -v" and feed that log line into the app, I see 
that it matches against the sid 18105:

    Trying rule: 18105 - Windows audit failure event.
>        *Rule 18105 matched.
>        *Trying child rules.
>     Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
>     Trying rule: 18153 - Multiple Windows audit failure events.
>     Trying rule: 18106 - Windows Logon Failure.
>     Trying rule: 18139 - Windows DC Logon Failure.
>     Trying rule: 18180 - MS SQL Server Logon Failure.
>     Trying rule: 18108 - Failed attempt to perform a privileged operation.
> **Phase 3: Completed filtering (rules).
>        Rule id: '18105'
>        Level: '4'
>        Description: 'Windows audit failure event.'
> **Alert to be generated.


So I've added this rule to my local_rules.xml file:

  <rule id="100004" level="0">
>     <if_sid>18105</if_sid>
>     <match>192.168.1.255</match>
>     <description> Ignore firewall dropped packets for broadcast 
> address</description>
>   </rule>


However, after restarting the ossec-hids-server and re-run "ossec-logtest 
-v", I see that it tries my rule but somehow doesn't match -- what have I 
done wrong?

    Trying rule: 18105 - Windows audit failure event.
>        *Rule 18105 matched.
>        *Trying child rules.
>     Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
>     Trying rule: 100004 -  Ignore firewall dropped packets for broadcast 
> address
>     Trying rule: 18153 - Multiple Windows audit failure events.
>     Trying rule: 18106 - Windows Logon Failure.
>     Trying rule: 18139 - Windows DC Logon Failure.
>     Trying rule: 18180 - MS SQL Server Logon Failure.
>     Trying rule: 18108 - Failed attempt to perform a privileged operation.
> **Phase 3: Completed filtering (rules).
>        Rule id: '18105'
>        Level: '4'
>        Description: 'Windows audit failure event.'
> **Alert to be generated.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to