On Mon, Jul 3, 2017 at 2:28 AM, Ian Brown <[email protected]> wrote:
> I've got this event log in windows:
>
> 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The
> Windows Filtering Platform blocked a packet. Application Information:
> Process ID: 0 Application Name: - Network Information: Direction: %%14592
> Source Address: 192.168.1.120 Source Port: 39740 Destination Address:
> 192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information:
> Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13
>
> I'd like to ignore entries that contain the broadcast address 192.168.1.255.
>
> If I fire up "ossec-logtest -v" and feed that log line into the app, I see
> that it matches against the sid 18105:
>
>> Trying rule: 18105 - Windows audit failure event.
>> *Rule 18105 matched.
>> *Trying child rules.
>> Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
>> Trying rule: 18153 - Multiple Windows audit failure events.
>> Trying rule: 18106 - Windows Logon Failure.
>> Trying rule: 18139 - Windows DC Logon Failure.
>> Trying rule: 18180 - MS SQL Server Logon Failure.
>> Trying rule: 18108 - Failed attempt to perform a privileged operation.
>> **Phase 3: Completed filtering (rules).
>> Rule id: '18105'
>> Level: '4'
>> Description: 'Windows audit failure event.'
>> **Alert to be generated.
>
>
> So I've added this rule to my local_rules.xml file:
>
>> <rule id="100004" level="0">
>> <if_sid>18105</if_sid>
>> <match>192.168.1.255</match>
>> <description> Ignore firewall dropped packets for broadcast
>> address</description>
>> </rule>
>
>
> However, after restarting the ossec-hids-server and re-run "ossec-logtest
> -v", I see that it tries my rule but somehow doesn't match -- what have I
> done wrong?
>
>> Trying rule: 18105 - Windows audit failure event.
>> *Rule 18105 matched.
>> *Trying child rules.
>> Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
>> Trying rule: 100004 - Ignore firewall dropped packets for broadcast
>> address
>> Trying rule: 18153 - Multiple Windows audit failure events.
>> Trying rule: 18106 - Windows Logon Failure.
>> Trying rule: 18139 - Windows DC Logon Failure.
>> Trying rule: 18180 - MS SQL Server Logon Failure.
>> Trying rule: 18108 - Failed attempt to perform a privileged operation.
>> **Phase 3: Completed filtering (rules).
>> Rule id: '18105'
>> Level: '4'
>> Description: 'Windows audit failure event.'
>> **Alert to be generated.
>
You stripped a lot of interesting bits from the ossec-logtest.
This works for me:
<rule id="410001" level="0">
<if_sid>18105</if_sid>
<match>192.168.1.255</match>
<description>Ignore broadcast</description>
</rule>
2017/07/05 21:40:26 ossec-testrule: INFO: Reading the lists file:
'rules/lists/ossec.block'
2017/07/05 21:40:26 ossec-testrule: INFO: Started (pid: 76232).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: '2017 Jul 02 22:38:47 WinEvtLog: Security:
AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
no domain: leaf-1: The Windows Filtering Platform blocked a packet.
Application Information: Process ID: 0 Application Name: - Network
Information: Direction: %%14592 Source Address: 192.168.1.120 Source
Port: 39740 Destination Address: 192.168.1.255 Destination Port: 32414
Protocol: 17 Filter Information: Filter Run-Time ID: 93069 Layer Name:
%%14597 Layer Run-Time ID: 13'
hostname: 'ix'
program_name: 'WinEvtLog'
log: 'Security: AUDIT_FAILURE(5152):
Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The
Windows Filtering Platform blocked a packet. Application Information:
Process ID: 0 Application Name: - Network Information: Direction:
%%14592 Source Address: 192.168.1.120 Source Port: 39740 Destination
Address: 192.168.1.255 Destination Port: 32414 Protocol: 17 Filter
Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer
Run-Time ID: 13'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_FAILURE'
id: '5152'
extra_data: 'Microsoft-Windows-Security-Auditing'
dstuser: '(no user)'
system_name: 'leaf-1'
srcip: '192.168.1.120'
**Phase 3: Completed filtering (rules).
Rule id: '410001'
Level: '0'
Description: 'Ignore broadcast'
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
