However, after swapping the /. back to /S my rule continued to work, so I'll just assume I made some mistake somewhere and managed to somehow accidentally fix it.

Thanks for your reply.

On 7/5/2017 6:42 PM, dan (ddp) wrote:
> On Mon, Jul 3, 2017 at 2:28 AM, Ian Brown <[email protected]> wrote:
>> I've got this event log in Windows:
>>
>> 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 192.168.1.120 Source Port: 39740 Destination Address: 192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13
>>
>> I'd like to ignore entries that contain the broadcast address 192.168.1.255. If I fire up "ossec-logtest -v" and feed that log line into the app, I see that it matches against the sid 18105:
>>
>> Trying rule: 18105 - Windows audit failure event.
>> *Rule 18105 matched.
>> *Trying child rules.
>> Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
>> Trying rule: 18153 - Multiple Windows audit failure events.
>> Trying rule: 18106 - Windows Logon Failure.
>> Trying rule: 18139 - Windows DC Logon Failure.
>> Trying rule: 18180 - MS SQL Server Logon Failure.
>> Trying rule: 18108 - Failed attempt to perform a privileged operation.
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '18105'
>>        Level: '4'
>>        Description: 'Windows audit failure event.'
>> **Alert to be generated.
>>
>> So I've added this rule to my local_rules.xml file:
>>
>> <rule id="100004" level="0">
>>   <if_sid>18105</if_sid>
>>   <match>192.168.1.255</match>
>>   <description>Ignore firewall dropped packets for broadcast address</description>
>> </rule>
>>
>> However, after restarting the ossec-hids-server and re-running "ossec-logtest -v", I see that it tries my rule but somehow doesn't match -- what have I done wrong?
>>
>> Trying rule: 18105 - Windows audit failure event.
>> *Rule 18105 matched.
>> *Trying child rules.
>> Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
>> Trying rule: 100004 - Ignore firewall dropped packets for broadcast address
>> Trying rule: 18153 - Multiple Windows audit failure events.
>> Trying rule: 18106 - Windows Logon Failure.
>> Trying rule: 18139 - Windows DC Logon Failure.
>> Trying rule: 18180 - MS SQL Server Logon Failure.
>> Trying rule: 18108 - Failed attempt to perform a privileged operation.
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '18105'
>>        Level: '4'
>>        Description: 'Windows audit failure event.'
>> **Alert to be generated.
>
> You stripped a lot of interesting bits from the ossec-logtest. This works for me:
>
> <rule id="410001" level="0">
>   <if_sid>18105</if_sid>
>   <match>192.168.1.255</match>
>   <description>Ignore broadcast</description>
> </rule>
>
> 2017/07/05 21:40:26 ossec-testrule: INFO: Reading the lists file: 'rules/lists/ossec.block'
> 2017/07/05 21:40:26 ossec-testrule: INFO: Started (pid: 76232).
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
>        full event: '2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 192.168.1.120 Source Port: 39740 Destination Address: 192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
>        hostname: 'ix'
>        program_name: 'WinEvtLog'
>        log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 192.168.1.120 Source Port: 39740 Destination Address: 192.168.1.255 Destination Port: 32414 Protocol: 17 Filter Information: Filter Run-Time ID: 93069 Layer Name: %%14597 Layer Run-Time ID: 13'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_FAILURE'
>        id: '5152'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: '(no user)'
>        system_name: 'leaf-1'
>        srcip: '192.168.1.120'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '410001'
>        Level: '0'
>        Description: 'Ignore broadcast'
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
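The rule in the thread works as dan showed: a child rule with <if_sid>18105</if_sid> is only tried once the parent has matched, and <match> is applied as a literal pattern to the whole log text. The following is an added example, not code from the thread or from the OSSEC project: a small Python model of that parent/child evaluation, run over a constructed copy of the event above. The <match> semantics (literal text, with ^, $ and | as the only special characters) are taken from the OSSEC documentation for match patterns; the decoder and the stand-in for rule 18105 are simplified assumptions of this example and do not reproduce OSSEC's real rule chain. It also shows the tuning point a practitioner would want: a bare "192.168.1.255" pattern silences any event containing that address, including one where it is the source, whereas "Destination Address: 192.168.1.255" only suppresses the broadcast destination case.

```python
"""Model of OSSEC <if_sid> + <match> rule evaluation (added example).

Assumptions, not guarantees about OSSEC internals:
  * os_match(): literal match, special chars ^ (start), $ (end), | (or),
    per the OSSEC match-pattern documentation.
  * decode_windows(): minimal stand-in for the 'windows' decoder.
  * Rule 18105 is modeled as "status == AUDIT_FAILURE"; the real rule chain is richer.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the 'log' part of the event in the thread (after the
# pre-decoder has split off the timestamp and the program name WinEvtLog).
SAMPLE_LOG = (
    "Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: leaf-1: The Windows Filtering Platform blocked a "
    "packet. Application Information: Process ID: 0 Application Name: - "
    "Network Information: Direction: %%14592 Source Address: 192.168.1.120 "
    "Source Port: 39740 Destination Address: 192.168.1.255 Destination "
    "Port: 32414 Protocol: 17 Filter Information: Filter Run-Time ID: 93069 "
    "Layer Name: %%14597 Layer Run-Time ID: 13"
)

# Constructed variant: the broadcast address is the *source*, not the destination.
SOURCE_IS_BROADCAST_LOG = SAMPLE_LOG.replace(
    "Source Address: 192.168.1.120", "Source Address: 192.168.1.255"
).replace("Destination Address: 192.168.1.255", "Destination Address: 192.168.1.7")


@dataclass(frozen=True)
class Rule:
    id: int
    level: int
    description: str
    if_sid: Optional[int] = None   # parent rule that must have matched first
    status: Optional[str] = None   # decoded status to compare (e.g. AUDIT_FAILURE)
    match: Optional[str] = None    # os_match pattern applied to the whole log


_WINDOWS = re.compile(r"^Security: (?P<status>\w+)\((?P<id>\d+)\): ")


def decode_windows(log: str) -> dict:
    """Extract status, event id and srcip; empty dict if not a Windows event."""
    m = _WINDOWS.match(log)
    if not m:
        return {}
    fields = m.groupdict()
    src = re.search(r"Source Address: (\S+)", log)
    if src:
        fields["srcip"] = src.group(1)
    return fields


def os_match(pattern: str, text: str) -> bool:
    """Literal match with OSSEC-style ^, $ and | (modeled on the docs)."""
    for alt in pattern.split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        literal = alt[1 if at_start else 0:len(alt) - 1 if at_end else len(alt)]
        if at_start and at_end:
            hit = text == literal
        elif at_start:
            hit = text.startswith(literal)
        elif at_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False


def rule_matches(rule: Rule, log: str, fields: dict) -> bool:
    if rule.status is not None and fields.get("status") != rule.status:
        return False
    if rule.match is not None and not os_match(rule.match, log):
        return False
    return True


def _refine(rules, matched: Rule, log: str, fields: dict) -> Rule:
    # Children are tried in order; the first matching child replaces the parent.
    for child in rules:
        if child.if_sid == matched.id and rule_matches(child, log, fields):
            return _refine(rules, child, log, fields)
    return matched


def evaluate(rules, log: str) -> Optional[Rule]:
    """Return the rule that finally fires for `log`, or None."""
    fields = decode_windows(log)
    for parent in (r for r in rules if r.if_sid is None):
        if rule_matches(parent, log, fields):
            return _refine(rules, parent, log, fields)
    return None


def final_level(rules, log: str) -> int:
    r = evaluate(rules, log)
    return -1 if r is None else r.level


PARENT = Rule(18105, 4, "Windows audit failure event.", status="AUDIT_FAILURE")
RULES_BROAD = (PARENT, Rule(100004, 0, "Ignore firewall dropped packets for broadcast address",
                            if_sid=18105, match="192.168.1.255"))
RULES_TIGHT = (PARENT, Rule(100004, 0, "Ignore dropped packets to the broadcast address",
                            if_sid=18105, match="Destination Address: 192.168.1.255"))

if __name__ == "__main__":
    for name, rules in (("broad", RULES_BROAD), ("tight", RULES_TIGHT)):
        for label, log in (("dst=bcast", SAMPLE_LOG), ("src=bcast", SOURCE_IS_BROADCAST_LOG)):
            print(f"{name:5} {label}: level {final_level(rules, log)}")
```

With the broad pattern both constructed events end at level 0; with the tighter pattern the event whose source is 192.168.1.255 still raises the level-4 parent alert. In a real deployment that difference decides whether a host spoofing the broadcast address as its source is silently dropped from the alert stream, so anchoring the match on the field you actually mean to suppress is the safer rule.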
