Two questions... At what level do you get emails from the alerts? I noticed you didn't change the level of the 18180 from a '5'.
Do you have a sanitized version of the 'new' alert from the alert log (as opposed to the ossec-logtest output)? That will show the groups on the alert. I ask because the ossec-logtest output seems to show a different description of 18180 than what should be there from the configured (and displayed) rules you pasted.

Maarten

On Tuesday, November 21, 2017 at 10:42:23 AM UTC-5, Bruce Westbrook wrote:

> Unfortunately that didn't work, Maarten. After following that logic I am still getting all the email alerts for that account again. And yes, I restarted the OSSEC daemons after adding the rules :-)
>
> However, when I run the log entry against ossec-logtest, it appears to do what I want by matching my overwritten #18180 rule -- yet in reality it still sends an email due to it matching the #18152 composite rule (I'm not sure how to use ossec-logtest to test a composite rule with multiple log entries).
>
> Here are the rules I added:
>
> <!-- Rewrite rule #18180 to narrow down to bad SQL account and not add the 'win_authentication_failed' group -->
> <rule id="18180" level="5" overwrite="yes">
>   <if_sid>18105</if_sid>
>   <id>^18456$</id>
>   <match>Login failed for user 'USERNAME'</match>
>   <group>pci_dss_10.2.4,pci_dss_10.2.5,</group>
>   <description>MS SQL Server Logon Failure for 'dpa' only</description>
> </rule>
>
> <!-- Add new rule to take the place of rule #18180 after matching our bad SQL account -->
> <rule id="100150" level="5">
>   <if_sid>18105</if_sid>
>   <id>^18456$</id>
>   <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
>   <description>MS SQL Server Logon Failure for 'dpa' only</description>
> </rule>
>
> Here's the output from ossec-logtest:
>
> 2017/11/21 10:31:13 ossec-testrule: INFO: Reading local decoder file.
> 2017/11/21 10:31:13 ossec-testrule: INFO: Started (pid: 27437).
> ossec-testrule: Type one log per line.
>
> 2017 Nov 16 12:43:56 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]
>
> **Phase 1: Completed pre-decoding.
>        full event: '2017 Nov 16 12:43:56 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]'
>        hostname: 'SERVER'
>        program_name: '(null)'
>        log: '2017 Nov 16 12:43:56 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_FAILURE'
>        id: '18456'
>        extra_data: 'MSSQLSERVER'
>        dstuser: '(no user)'
>        system_name: 'SERVER'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18180'
>        Level: '5'
>        Description: 'TEMP NOISE REDUCTION: MS SQL Server Logon Failure for 'USERNAME''
> **Alert to be generated.
>
> What am I still missing? Any ideas?
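The exchange above turns on two OSSEC mechanics that ossec-logtest does not make visible on a single line: which definition of rule 18180 actually won once every rules file was loaded (the description on the alert is the tell, as Maarten points out), and whether the alert still carries the group that a composite frequency rule keys on. The following script is an added illustration, not code from the thread or from OSSEC. It models rule loading with overwrite="yes" and a group-based frequency rule over a handful of constructed events shaped like the sanitized WinEvtLog line. The stock 18180, the composite rule standing in for 18152 (frequency 3 in 240 s) and the "stale" third file are all assumed stand-ins; the real msauth rules and ossec-analysisd's counter handling differ in detail, and the if_sid 18105 precondition is taken as already satisfied.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Constructed rule sets modelled on the thread. The stock 18180 and the
# composite rule are ASSUMED stand-ins for OSSEC's msauth rules; the
# frequency/timeframe values are made up for the demo.
STOCK_RULES = """
<group name="windows,">
  <rule id="18180" level="5">
    <if_sid>18105</if_sid>
    <id>^18456$</id>
    <group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
    <description>MS SQL Server Logon Failure.</description>
  </rule>
  <rule id="18152" level="10" frequency="3" timeframe="240">
    <if_matched_group>win_authentication_failed</if_matched_group>
    <description>Multiple Windows Logon Failures.</description>
  </rule>
</group>
"""
# Bruce's overwrite: same conditions, but without the group the composite rule needs.
LOCAL_RULES = """
<group name="local,">
  <rule id="18180" level="5" overwrite="yes">
    <if_sid>18105</if_sid>
    <id>^18456$</id>
    <match>Login failed for user 'USERNAME'</match>
    <group>pci_dss_10.2.4,pci_dss_10.2.5,</group>
    <description>MS SQL Server Logon Failure for 'dpa' only</description>
  </rule>
</group>
"""
# Constructed stand-in for a stale copy of 18180 loaded AFTER local_rules.xml:
# it silently wins, puts the group back, and its description shows up on alerts.
STALE_RULES = """
<group name="local,">
  <rule id="18180" level="5" overwrite="yes">
    <if_sid>18105</if_sid>
    <id>^18456$</id>
    <group>win_authentication_failed,</group>
    <description>TEMP NOISE REDUCTION: MS SQL Server Logon Failure for 'USERNAME'</description>
  </rule>
</group>
"""


def load_rules(*xml_sources):
    """Parse rule files in order. A later rule with overwrite="yes" replaces
    the earlier definition of the same id; this model rejects any other duplicate."""
    rules = {}
    for src in xml_sources:
        for node in ET.fromstring(src.strip()).iter("rule"):
            rid = node.get("id")
            if rid in rules and node.get("overwrite") != "yes":
                raise ValueError(f"rule {rid} redefined without overwrite")
            txt = lambda tag: (node.findtext(tag) or "").strip()
            rules[rid] = {
                "id": rid, "description": txt("description"),
                "frequency": int(node.get("frequency", "0")),
                "timeframe": int(node.get("timeframe", "0")),
                "id_regex": txt("id"), "match": txt("match"),
                "groups": {g for g in txt("group").split(",") if g},
                "if_matched_group": txt("if_matched_group"),
            }
    return rules


def match_simple(rule, event):
    """Non-composite rule: event id regex plus optional substring <match>."""
    if rule["frequency"]:
        return False
    if rule["id_regex"] and not re.search(rule["id_regex"], event["id"]):
        return False
    return not rule["match"] or rule["match"] in event["log"]


def run(rules, events):
    """Return (rule_id, description, groups) for every alert the events raise."""
    history = defaultdict(deque)  # group -> timestamps of alerts carrying it
    alerts = []
    for ev in events:
        for r in rules.values():
            if match_simple(r, ev):
                alerts.append((r["id"], r["description"], sorted(r["groups"])))
                for g in r["groups"]:
                    history[g].append(ev["ts"])
        for r in rules.values():
            grp = r["if_matched_group"]
            if not r["frequency"] or not grp:
                continue
            win = history[grp]
            while win and ev["ts"] - win[0] > r["timeframe"]:
                win.popleft()  # drop alerts outside the timeframe
            if len(win) >= r["frequency"]:
                alerts.append((r["id"], r["description"], sorted(r["groups"])))
                win.clear()  # ASSUMED simplification: counter resets after firing
    return alerts


# Constructed events: three failed logons for the noisy account within 60 s.
LINE = ("WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): "
        "no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open "
        "the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]")
EVENTS = [{"ts": t, "id": "18456", "log": LINE} for t in (0, 30, 60)]


def fired_ids(*xml_sources):
    return [a[0] for a in run(load_rules(*xml_sources), EVENTS)]


if __name__ == "__main__":
    print("stock only        :", fired_ids(STOCK_RULES))
    print("stock + local     :", fired_ids(STOCK_RULES, LOCAL_RULES))
    print("stock+local+stale :", fired_ids(STOCK_RULES, LOCAL_RULES, STALE_RULES))
    print(run(load_rules(STOCK_RULES, LOCAL_RULES, STALE_RULES), EVENTS)[0][1])
```

With only the stock file the third failure trips the composite rule; with Bruce's overwrite loaded last, 18180 still fires but carries no win_authentication_failed group, so the composite rule stays quiet; with a later file redefining 18180, the composite rule is back and the alert's description names the file that won. That last line is the check Maarten is asking for: read the description and groups off the real alert in alerts.log rather than off ossec-logtest, which cannot replay a multi-event composite rule.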
