On Mon, Sep 4, 2017 at 3:57 AM, Tirumala Raja Siriki <[email protected]> wrote:
> Hi Dan,
>
> The false positives are as follows:
>
> Rule 18138: The Account Name is one of our Associate accounts, and the alert got
> triggered for this.
> ----------------------------------------------------------------------
> ** Alert 1504511181.106613271: mail - windows,win_authentication_failed,
> 2017 Sep 04 07:46:21 (------RDP INFO -------------)->WinEvtLog
> Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
> User: (no user)
> 2017 Sep 04 07:46:26 WinEvtLog: Security: AUDIT_FAILURE(4625):
> Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K:
> An account failed to log on. Subject: Security ID: S-1-0-0 Account Name:
> - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which
> Logon Failed: Security ID: S-1-0-0 Account Name: Pinaj Account Domain:
> Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub
> Status: 0xc000006a Process Information: Caller Process ID: 0x0 Caller
> Process Name: - Network Information: Workstation Name: Rdesktop Source
> Network Address: - Source Port: - Detailed Authentication Information:
> Logon Process: NtLmSsp Authentication Package: NTLM Transited Services:
> - Package Name (NTLM only): - Key Length: 0 This event is generated when
> a logon request fails. It is generated on the computer where access was
> attempted.
> ----------------------------------------------------------------------
>
> And if we look into the same alert where the Account Name is Sklad, which is not
> our user, it is a genuine alert; an attack from outside.
> ----------------------------------------------------------------------
>
> ** Alert 1504511181.106614388: mail - windows,win_authentication_failed,
> 2017 Sep 04 07:46:21 (-------RDP INFO------>WinEvtLog
> Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
> User: (no user)
> 2017 Sep 04 07:46:27 WinEvtLog: Security: AUDIT_FAILURE(4625):
> Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K:
> An account failed to log on. Subject: Security ID: S-1-0-0 Account Name:
> - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which
> Logon Failed: Security ID: S-1-0-0 Account Name: Sklad Account Domain:
> Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub
> Status: 0xc0000064 Process Information: Caller Process ID: 0x0 Caller
> Process Name: - Network Information: Workstation Name: Source Network
> Address: - Source Port: - Detailed Authentication Information: Logon
> Process: NtLmSsp Authentication Package: NTLM Transited Services: -
> Package Name (NTLM only): - Key Length: 0 This event is generated when a
> logon request fails. It is generated on the computer where access was
> attempted.
> ----------------------------------------------------------------------
>
>
> Similarly, we get alerts for rule 18152 and the Account Name varies from
> ADMINISTRATOR to TEST1 and so on.
> In this case we want only the genuine alerts
> and want to reduce noise by not alerting for our users. Is there any other
> way, or do we need to modify any rules?
> And even when our users have not failed authenticating to RDPs, we do get alerts
> like Account locked, Authentication failure and so on.
>
I'd love an example of a failed login/account locked alert for a successful
login. If you want to ignore some users, you might be able to create a cdb with
the usernames, and compare the user in the alert to that cdb. If there is a
match, set the alert level to 0. It might be error prone due to capitalization,
but I'm not positive.

> Can you help us with this?
>
> On Monday, August 28, 2017 at 11:24:22 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Mon, Aug 28, 2017 at 2:25 AM, Tirumala Raja Siriki
>> <[email protected]> wrote:
>> > Email levels are at enough priority, I am getting emails now after
>> > stopping alerting from RDP. I have multiple RDPs where the agent is
>> > installed and I get a lot of false alerts from RDPs, for Authentication
>> > failure and Account locked out.
>> >
>>
>> If you're seeing false positives, it would be great if you reported
>> them. We could fix them (or they have been fixed in recent versions of
>> OSSEC).
>>
>> > On Thursday, August 24, 2017 at 6:07:05 PM UTC+5:30, dan (ddpbsd) wrote:
>> >>
>> >> On Aug 24, 2017 8:31 AM, "Tirumala Raja Siriki" <[email protected]>
>> >> wrote:
>> >>
>> >> Hi Everyone,
>> >>
>> >> I am running Ossec 2.8.3 version on Server as well as agents. I am not
>> >> getting any email alerts from Ossec Server (Suse Linux) for one of the
>> >> agents which is also running on Suse Linux.
>> >> I see alerts are getting logged in /var/ossec/logs/alerts/alerts.log
>> >> file but no emails triggered. Other agents are working fine.
>> >> I noticed Ossec Server has rsyslog running while Agent has syslog-ng.
>> >> Are there any changes that need to be done for logging?
>> >>
>> >> Any help is appreciated.
>> >>
>> >>
>> >> Are the alerts that this agent triggers high enough level to be sent
>> >> via email? Are the alerts grouped with other alerts in a single email?
>> >>
>> >> Many Thanks
>> >>
>> >> --
>> >> You received this message because you are subscribed to the Google
>> >> Groups "ossec-list" group.
>> >> To unsubscribe from this group and stop receiving emails from it, send
>> >> an email to [email protected].
>> >> For more options, visit https://groups.google.com/d/optout.
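An added example, written for this page and not code from the thread or from OSSEC: the two 4625 records quoted above differ in more than the account name. The first (Pinaj, a known associate) carries Sub Status 0xc000006a, the NTSTATUS value for a wrong password on an account that exists; the second (Sklad) carries 0xc0000064, user name does not exist. The script below extracts the target account, the sub status and the workstation name from constructed single-line copies of those two events, applies dan's suppress-known-users idea with names lower-cased before comparison (his capitalization concern), and refuses to mute a failure whose sub status says the account does not exist, since such a name cannot be a real associate. The KNOWN_USERS set and the 0xc0000234 lockout entry are not from the thread (the former is constructed, the latter is the documented STATUS_ACCOUNT_LOCKED_OUT value). One caveat for the CDB approach itself: both alerts above print `User: (no user)`, so a list match on the decoded user field can only work once the decoder actually populates that field from the failed logon's Account Name.

```python
import re

# Constructed sample input: the two Security 4625 records quoted in the
# thread, copied as single lines (not a live capture).
SAMPLE_EVENTS = [
    "2017 Sep 04 07:46:26 WinEvtLog: Security: AUDIT_FAILURE(4625): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: "
    "An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: "
    "- Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which "
    "Logon Failed: Security ID: S-1-0-0 Account Name: Pinaj Account Domain: "
    "Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub "
    "Status: 0xc000006a Process Information: Caller Process ID: 0x0 Caller "
    "Process Name: - Network Information: Workstation Name: Rdesktop Source "
    "Network Address: - Source Port: - Detailed Authentication Information: "
    "Logon Process: NtLmSsp Authentication Package: NTLM",
    "2017 Sep 04 07:46:27 WinEvtLog: Security: AUDIT_FAILURE(4625): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: "
    "An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: "
    "- Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which "
    "Logon Failed: Security ID: S-1-0-0 Account Name: Sklad Account Domain: "
    "Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub "
    "Status: 0xc0000064 Process Information: Caller Process ID: 0x0 Caller "
    "Process Name: - Network Information: Workstation Name: Source Network "
    "Address: - Source Port: - Detailed Authentication Information: Logon "
    "Process: NtLmSsp Authentication Package: NTLM",
]

# Constructed allowlist standing in for the CDB dan suggested; kept lower-case
# so the comparison is insensitive to how the client typed the name.
KNOWN_USERS = {name.lower() for name in ("Pinaj", "TEST1")}

# NTSTATUS sub-status values seen in 4625; the first two appear in the thread,
# the third is the documented lockout code and is added here for completeness.
SUB_STATUS = {
    "0xc000006a": "wrong password (account exists)",
    "0xc0000064": "user name does not exist",
    "0xc0000234": "account locked out",
}

# A 4625 record names two accounts (the Subject and the target). Only the
# target matters here, so the pattern anchors on "Account For Which Logon Failed".
ACCOUNT_RE = re.compile(
    r"Account For Which\s+Logon Failed:\s*Security ID:\s*\S+\s*Account Name:\s*(\S+)"
)
SUBSTATUS_RE = re.compile(r"Sub\s+Status:\s*(0x[0-9a-fA-F]+)")
# The workstation field may be empty, in which case the next token is the
# literal "Source" of "Source Network Address"; the lookahead rejects that.
WORKSTATION_RE = re.compile(r"Workstation Name:\s*(?!Source\b)(\S+)")


def parse_4625(event: str) -> dict:
    """Pull the fields needed for triage out of one flattened 4625 record."""
    acct = ACCOUNT_RE.search(event)
    sub = SUBSTATUS_RE.search(event)
    wks = WORKSTATION_RE.search(event)
    return {
        "account": acct.group(1) if acct else None,
        "sub_status": sub.group(1).lower() if sub else None,
        "workstation": wks.group(1) if wks else None,
    }


def triage(event: str, known_users=KNOWN_USERS, base_level: int = 7) -> dict:
    """Apply the suppress-known-users rule and annotate the failure reason.

    Level 0 mirrors dan's proposal for accounts on the list. A record whose
    sub status says the user does not exist (0xc0000064) keeps the base level
    regardless of the list, because that name cannot be a real associate.
    """
    info = parse_4625(event)
    name = info["account"]
    reason = SUB_STATUS.get(info["sub_status"], "unrecognised sub status")
    listed = name is not None and name.lower() in known_users
    unknown_user = info["sub_status"] == "0xc0000064"
    level = 0 if (listed and not unknown_user) else base_level
    return {**info, "listed": listed, "reason": reason, "level": level}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = triage(ev)
        print(f"{str(r['account']):<8} level={r['level']} {r['reason']}; "
              f"workstation={r['workstation']}")
```

Run stand-alone it prints one line per event: Pinaj at level 0 with a wrong-password reason and workstation Rdesktop, Sklad at level 7 with a no-such-user reason and no workstation name. The sub status is worth carrying into whatever replaces the plain rule 18138 match, because it separates "one of our users mistyped a password" from "someone is guessing names" without any list at all.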
