Hi Dan,

The false positives are as follows:
Rule 18138: the Account Name is one of our associate accounts, and the alert got triggered for this.
----------------------------------------------------------------------------------------------------
** Alert 1504511181.106613271: mail - windows,win_authentication_failed,
2017 Sep 04 07:46:21 (------RDP INFO -------------)->WinEvtLog
Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
User: (no user)
2017 Sep 04 07:46:26 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 *Account Name: Pinaj* Account Domain: Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: Rdesktop Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted.
----------------------------------------------------------------------------------------------------
And if we look into the same alert where the Account Name is Sklad, which is not our user, it is a genuine alert; an attack from outside:
----------------------------------------------------------------------------------------------------
** Alert 1504511181.106614388: mail - windows,win_authentication_failed,
2017 Sep 04 07:46:21 (-------RDP INFO------>WinEvtLog
Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
User: (no user)
2017 Sep 04 07:46:27 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 *Account Name: Sklad* Account Domain: Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted.
----------------------------------------------------------------------------------------------------
Similarly, we get alerts for rule 18152, and the Account Name varies from ADMINISTRATOR to TEST1 and so on.
In this case we want only the genuine alerts and want to reduce noise by not alerting for our users. Is there any other way, or do we need to modify any rules? And even when our users have not failed authenticating to RDPs, we do get alerts like Account locked, Authentication failure and so on. Can you help us with this.

On Monday, August 28, 2017 at 11:24:22 PM UTC+5:30, dan (ddpbsd) wrote:
>
> On Mon, Aug 28, 2017 at 2:25 AM, Tirumala Raja Siriki <[email protected]> wrote:
> > Email levels are at enough priority, I am getting emails now after stopping
> > alerting from RDP. I have multiple RDPs where the agent is installed and I get
> > a lot of false alerts from RDPs, for Authentication failure and Account locked
> > out.
> >
>
> If you're seeing false positives, it would be great if you reported
> them. We could fix them (or they have been fixed in recent versions of
> OSSEC).
>
> > On Thursday, August 24, 2017 at 6:07:05 PM UTC+5:30, dan (ddpbsd) wrote:
> >>
> >> On Aug 24, 2017 8:31 AM, "Tirumala Raja Siriki" <[email protected]> wrote:
> >>
> >> Hi Everyone,
> >>
> >> I am running Ossec 2.8.3 version on Server as well as agents. I am not
> >> getting any email alerts from Ossec Server (Suse Linux) for one of the agents
> >> which is also running on Suse Linux.
> >> I see alerts are getting logged in /var/ossec/logs/alerts/alerts.log file
> >> but no emails triggered. Other agents are working fine.
> >> I noticed Ossec Server has rsyslog running while Agent has syslog-ng. Are
> >> there any changes that need to be done for logging?
> >>
> >> Any help is appreciated.
> >>
> >>
> >> Are the alerts that this agent triggers high enough level to be sent via
> >> email? Are the alerts grouped with other alerts in a single email?
> >>
> >>
> >> Many Thanks
> >>
> >> --
> >> ---
> >> You received this message because you are subscribed to the Google Groups
> >> "ossec-list" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an
> >> email to [email protected].
> >> For more options, visit https://groups.google.com/d/optout.
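One way to separate the two alerts quoted above, as an added example that is not from this thread or from OSSEC itself: a small Python triage filter that parses the flattened 4625 text for the account that failed, its sub status and its workstation, and suppresses only a listed associate account's wrong password. The allowlist (KNOWN_USERS) and the abbreviated alert texts are constructed for the example.

```python
import re
SUB_STATUS = {  # well-known NTSTATUS sub-status values carried by event 4625
    "0xc000006a": "wrong password",
    "0xc0000064": "user name does not exist",
    "0xc0000234": "account locked out",
}
KNOWN_USERS = {"pinaj"}  # assumed allowlist: the one associate account named in the thread

# Fields of the flattened alert text, in the order the 4625 event lists them.
FIELDS = re.compile(
    r"Rule: (?P<rule>\d+) .*?Account For Which Logon Failed:.*?"
    r"Account Name:\s*(?P<account>\S+)\s+Account Domain:.*?"
    r"Sub Status:\s*(?P<sub_status>0x[0-9a-fA-F]+).*?"
    r"Workstation Name:\s*(?P<workstation>.*?)\s*Source Network Address:\s*(?P<source>\S+)",
    re.DOTALL,
)

# Constructed from the two alerts in the thread (emphasis asterisks, unrelated fields removed).
ASSOCIATE_ALERT = (
    "Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.' User: (no user) "
    "AUDIT_FAILURE(4625): An account failed to log on. Subject: Security ID: S-1-0-0 "
    "Account Name: - Account Domain: - Account For Which Logon Failed: Security ID: S-1-0-0 "
    "Account Name: Pinaj Account Domain: Status: 0xc000006d Sub Status: 0xc000006a "
    "Workstation Name: Rdesktop Source Network Address: - Source Port: -"
)
OUTSIDER_ALERT = (ASSOCIATE_ALERT.replace("Account Name: Pinaj", "Account Name: Sklad")
                  .replace("0xc000006a", "0xc0000064").replace("Name: Rdesktop ", "Name: "))

def parse_4625(alert: str):
    # Returns the triage-relevant fields of one flattened OSSEC alert, or None.
    m = FIELDS.search(alert)
    if m is None:
        return None
    info = m.groupdict()
    info["sub_status"] = info["sub_status"].lower()
    info["meaning"] = SUB_STATUS.get(info["sub_status"], "unknown sub status")
    return info

def triage(alert: str, known_users=KNOWN_USERS) -> dict:
    """Suppress only a known user's wrong password; anything else is worth a look."""
    info = parse_4625(alert)
    if info is None:
        return {"verdict": "escalate", "reason": "could not parse 4625 fields"}
    known = info["account"].lower() in known_users
    if known and info["sub_status"] == "0xc000006a":
        verdict, reason = "suppress", "known user mistyped the password"
    elif known:
        verdict, reason = "escalate", f"known user but {info['meaning']}"
    else:
        verdict, reason = "escalate", f"not our account ({info['meaning']})"
    return {"verdict": verdict, "reason": reason, **info}
```

Both alerts carry Status 0xc000006d with sub status 0xc000006a (Pinaj, wrong password) and 0xc0000064 (Sklad, user name does not exist): ordinary logon failures rather than lockouts, whatever the rule description says. A listed user failing repeatedly from one source is still worth counting, so keep the allowlist narrow.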
