Hello Joe,

As Shenath mentioned, you may need to include it if you are using OSSEC.
Otherwise, if you are using Wazuh, let me know what version your Wazuh Manager is; you can check out the Wazuh ruleset <https://github.com/wazuh/wazuh-ruleset>.

Regards,

On Wednesday, January 9, 2019 at 12:03:23 PM UTC+1, Shenath Silva wrote:
>
> Hello, you need to add the ms_firewall_rules.xml to the included rule list
> in the ossec.conf file.
>
> On Tuesday, January 8, 2019 at 5:20:28 PM UTC+5:30, Joe Shey wrote:
>>
>> Hello,
>>
>> I enabled the logall option and got a few logs related to
>> ms_firewall_rules.xml. Below is a sample:
>>
>> 2019 Jan 08 18:31:55 WinEvtLog: Security: AUDIT_SUCCESS(4956): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-CHUBILMO5N2: Windows Firewall has changed the active profile. New Active Profile: Private
>>
>> When I run this in ossec-logtest I get the following result:
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '2019 Jan 08 18:31:55 WinEvtLog: Security: AUDIT_SUCCESS(4956): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-CHUBILMO5N2: Windows Firewall has changed the active profile. New Active Profile: Private'
>>        hostname: 'ubuntu'
>>        program_name: 'WinEvtLog'
>>        log: 'Security: AUDIT_SUCCESS(4956): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-CHUBILMO5N2: Windows Firewall has changed the active profile. New Active Profile: Private'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'windows'
>>        status: 'AUDIT_SUCCESS'
>>        id: '4956'
>>        extra_data: 'Microsoft-Windows-Security-Auditing'
>>        dstuser: '(no user)'
>>        system_name: 'WIN-CHUBILMO5N2'
>>
>> **Rule debugging:
>>     Trying rule: 6 - Generic template for all windows rules.
>>        *Rule 6 matched.
>>        *Trying child rules.
>>     Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
>>     Trying rule: 18100 - Group of windows rules.
>>        *Rule 18100 matched.
>>        *Trying child rules.
>>     Trying rule: 18101 - Windows informational event.
>>     Trying rule: 18102 - Windows warning event.
>>     Trying rule: 18104 - Windows audit success event.
>>        *Rule 18104 matched.
>>        *Trying child rules.
>>     Trying rule: 18116 - User account locked out (multiple login errors).
>>     Trying rule: 18118 - Windows audit log was cleared.
>>     Trying rule: 18110 - User account enabled or created.
>>     Trying rule: 18111 - User account changed.
>>     Trying rule: 18112 - User account disabled or deleted.
>>     Trying rule: 18113 - Windows Audit Policy changed.
>>     Trying rule: 18115 - General account database changed.
>>     Trying rule: 18117 - Windows is shutting down.
>>     Trying rule: 18114 - Group Account Changed
>>     Trying rule: 18127 - Computer account added/changed/deleted.
>>     Trying rule: 18140 - System time changed.
>>     Trying rule: 18142 - User account unlocked.
>>     Trying rule: 18200 - Group Account Created
>>     Trying rule: 18201 - Group Account Deleted
>>     Trying rule: 18107 - Windows Logon Success.
>>     Trying rule: 18109 - Session reconnected/disconnected to winstation.
>>     Trying rule: 18148 - Windows is starting up.
>>     Trying rule: 18149 - Windows User Logoff.
>>     Trying rule: 18181 - MS SQL Server Logon Success.
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '18104'
>>        Level: '0'
>>        Description: 'Windows audit success event.'
>>
>> Isn't it supposed to run through the ms_firewall_rules.xml file and give
>> the output using
>>
>> <rule id="53652" level="8">
>>   <if_sid>18104</if_sid>
>>   <id>^4956$</id>
>>   <description>Windows Firewall changed the active profile</description>
>>   <group>windows_firewall</group>
>> </rule>
>>
>> Any idea on how to fix this? The rule hits when I copy it to the
>> msauth_rules.xml file. Any help would be appreciated.
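The thread's explanation (a rule file that is on disk but not listed under <rules> in ossec.conf never becomes part of the rule tree, so its children of 18104 are never tried) can be demonstrated with a small simulation. The code below is an added example, not OSSEC's or Wazuh's own code: it models only the <if_sid>, <decoded_as>, <status> and <id> options, uses Python's re module where OSSEC has its own regex dialect, and the ossec.conf fragments and trimmed-down rule files are constructed for the illustration. The decoded event is the Phase 2 output Joe posted.

```python
"""Simplified model of how ossec-logtest walks the rule tree.

Added illustration, not OSSEC code: only <if_sid>, <decoded_as>, <status>
and <id> are modelled, and matching uses Python's re module.
"""
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf <rules> sections: one without and one with the firewall file.
CONF_WITHOUT_FIREWALL = """<ossec_config>
  <rules>
    <include>rules_config.xml</include>
    <include>msauth_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>"""

CONF_WITH_FIREWALL = """<ossec_config>
  <rules>
    <include>rules_config.xml</include>
    <include>msauth_rules.xml</include>
    <include>ms_firewall_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>"""

# Constructed, trimmed-down rule files standing in for /var/ossec/rules.
# 18100/18104 mimic the stock Windows chain; 53652 is the rule from the thread.
RULE_FILES = {
    "rules_config.xml": '<group name="config"></group>',
    "msauth_rules.xml": """<group name="windows,">
  <rule id="18100" level="0">
    <decoded_as>windows</decoded_as>
    <description>Group of windows rules.</description>
  </rule>
  <rule id="18104" level="0">
    <if_sid>18100</if_sid>
    <status>^AUDIT_SUCCESS</status>
    <description>Windows audit success event.</description>
  </rule>
</group>""",
    "ms_firewall_rules.xml": """<group name="windows,">
  <rule id="53652" level="8">
    <if_sid>18104</if_sid>
    <id>^4956$</id>
    <description>Windows Firewall changed the active profile</description>
    <group>windows_firewall</group>
  </rule>
</group>""",
    "local_rules.xml": '<group name="local,"></group>',
}

# The event as ossec-logtest decoded it in the thread (Phase 2 output).
DECODED_EVENT = {
    "decoder": "windows",
    "status": "AUDIT_SUCCESS",
    "id": "4956",
    "extra_data": "Microsoft-Windows-Security-Auditing",
    "dstuser": "(no user)",
    "system_name": "WIN-CHUBILMO5N2",
}

# Rule options modelled here, mapped to the decoded field each is matched against.
FIELD_OPTIONS = {"decoded_as": "decoder", "status": "status", "id": "id"}


def included_rule_files(ossec_conf):
    """Rule files listed under <rules><include>, in config order."""
    root = ET.fromstring(ossec_conf)
    return [inc.text.strip() for inc in root.findall("./rules/include")]


def load_rules(ossec_conf, rule_files=RULE_FILES):
    """Parse only the files the config includes: anything else on disk is invisible."""
    rules = []
    for fname in included_rule_files(ossec_conf):
        for r in ET.fromstring(rule_files[fname]).iter("rule"):
            rules.append({
                "id": r.get("id"),
                "level": int(r.get("level")),
                "if_sid": r.findtext("if_sid"),
                "description": r.findtext("description", ""),
                "conds": [(FIELD_OPTIONS[c.tag], c.text) for c in r if c.tag in FIELD_OPTIONS],
            })
    return rules


def rule_matches(rule, event):
    """Every condition on the rule must match its decoded field."""
    return all(re.search(pat, event.get(field, "")) for field, pat in rule["conds"])


def evaluate(ossec_conf, event, rule_files=RULE_FILES):
    """Walk the tree as logtest reports it: a root matches, then descend into the
    first matching child, until no child matches. Returns the last matched rule."""
    children = {}
    for r in load_rules(ossec_conf, rule_files):
        children.setdefault(r["if_sid"], []).append(r)
    matched, candidates = None, children.get(None, [])  # roots have no <if_sid>
    while candidates:
        hit = next((r for r in candidates if rule_matches(r, event)), None)
        if hit is None:
            break
        matched, candidates = hit, children.get(hit["id"], [])
    return matched


def not_included(ossec_conf, rule_files=RULE_FILES):
    """Rule files present but never listed in <rules>: the check to run first."""
    listed = set(included_rule_files(ossec_conf))
    return sorted(f for f in rule_files if f not in listed)


if __name__ == "__main__":
    for label, conf in (("without include", CONF_WITHOUT_FIREWALL),
                        ("with include", CONF_WITH_FIREWALL)):
        m = evaluate(conf, DECODED_EVENT)
        print(f"{label}: rule {m['id']} level {m['level']}: {m['description']}")
    print("rule files not included:", not_included(CONF_WITHOUT_FIREWALL))
```

Without the include the walk stops at 18104 (level 0, no alert); with it, 53652 fires at level 8. On a real OSSEC manager the equivalent check is to look for the file name in /var/ossec/etc/ossec.conf and, after adding the <include>, restart OSSEC so ossec-analysisd reloads the rule tree; the Wazuh question in the reply matters because newer Wazuh managers load the ruleset differently from an OSSEC <rules> include list, so the fix is version-specific there.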
