On Thu, Feb 21, 2019 at 10:12 AM FitLikeAGlove
<[email protected]> wrote:
>
>
>
> Hello, I'm getting a massive influx of emails for one rule and I would like 
> to turn it off or overwrite it.
>
> Alert output.
>
>
> Received From: (HOST) 192.168.1.206->WinEvtLog
> Rule: 18103 fired (level 5) -> "Windows error event."
> User: SYSTEM
> Portion of the log(s):
>
>
> 2019 Feb 21 04:11:19 WinEvtLog: System: ERROR(36887): Schannel: SYSTEM: NT 
> AUTHORITY: HOST.Domain.tld: A fatal alert was received from the remote 
> endpoint. The TLS protocol defined fatal alert code is 70.
> type: System
>
> I tried adding a rule to match this but it did not work. Using this as a 
> template --> 
> https://groups.google.com/d/msg/ossec-list/fsHVu8w-alI/ylDwKXkN3CMJ
> I added it in the etc/rules/local_rules.xml folder of the manager under the 
> default group "<group name="local,syslog,sshd,">"
>
> <rule id="101013" level="2" frequency="10" timeframe="1600">
>         <if_matched_sid>18154</if_matched_sid>
>         <match>WinEvtLog: System: ERROR(36887):</match>

This will never match. WinEvtLog isn't part of the log message, it's
meta-data. See the ossec-logtest output below.

>         <description>turn down the noise on this event</description>
> </rule>
>
> Can anyone let me know where I'm wrong? I never created a custom rule so I'm 
> sure I'm doing something wrong here.
>

This totally ignores that alert:
  <rule id="300003" level="0">
    <if_sid>18103</if_sid>
    <description>ignore</description>
  </rule>

The rule you posted creates an alert if 12 18103 alerts are triggered
within 1600 seconds.

Here's the output of ossec-logtest with my rule in place:
**Phase 1: Completed pre-decoding.
       full event: '2019 Feb 21 04:11:19 WinEvtLog: System:
ERROR(36887): Schannel: SYSTEM: NT AUTHORITY: HOST.Domain.tld: A fatal
alert was received from the remote endpoint. The TLS protocol defined
fatal alert code is 70. type: System'
       hostname: 'ix'
       program_name: 'WinEvtLog'
       log: 'System: ERROR(36887): Schannel: SYSTEM: NT AUTHORITY:
HOST.Domain.tld: A fatal alert was received from the remote endpoint.
The TLS protocol defined fatal alert code is 70. type: System'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'ERROR'
       id: '36887'
       extra_data: 'Schannel'
       dstuser: 'SYSTEM'
       system_name: 'HOST.Domain.tld'

**Phase 3: Completed filtering (rules).
       Rule id: '300003'
       Level: '0'
       Description: 'ignore'

As you can see, the 'log:' line doesn't include WinEvtLog. The 'log:'
field is what '<match>' and '<regex>' will compare against.
You should be able to use '<program_name>WinEvtLog</program_name>' to
restrict it though.

> Thanks.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
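To make the point about pre-decoding concrete, here is a small Python model (added illustration, not OSSEC code and not from anyone in this thread) of what ossec-logtest shows above: Phase 1 strips the timestamp and program name off the line, and only the remaining 'log' text is what a <match> is compared against. The script replays the poster's event through a simplified pre-decoder and evaluates three rules modelled after the thread: the posted rule that matches on "WinEvtLog:", a corrected variant that restricts on <program_name> instead, and the level-0 <if_sid> rule that silences 18103. The sample line is constructed from the quoted alert; <match> is modelled as a plain substring test (OSSEC's sregex also supports ^, $ and |, which are not needed here), and frequency/timeframe counting is not modelled.

```python
"""Toy model of OSSEC pre-decoding and <match>/<program_name> evaluation.

Added example for illustration only; the real OSSEC engine is in C and
handles many more log shapes. Assumption: the agent forwards the event as
"YYYY Mon DD HH:MM:SS program: message" with no hostname field, which is
the shape ossec-logtest shows for the quoted WinEvtLog line.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the event quoted in the thread, joined onto one line.
SAMPLE = (
    "2019 Feb 21 04:11:19 WinEvtLog: System: ERROR(36887): Schannel: SYSTEM: "
    "NT AUTHORITY: HOST.Domain.tld: A fatal alert was received from the remote "
    "endpoint. The TLS protocol defined fatal alert code is 70. type: System"
)

_SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<prog>\S+?): (?P<log>.*)$"
)


def predecode(event: str) -> dict:
    """Phase 1: split timestamp and program_name off the raw line.

    Returns the fields ossec-logtest prints: program_name and log. The
    'log' field deliberately does NOT contain the program name, which is
    why a <match> on "WinEvtLog:" can never succeed.
    """
    m = _SYSLOG_RE.match(event)
    if not m:
        # No recognisable header: the whole line is the log text.
        return {"timestamp": None, "program_name": None, "log": event}
    return {"timestamp": m["ts"], "program_name": m["prog"], "log": m["log"]}


@dataclass
class Rule:
    id: int
    level: int
    match: Optional[str] = None         # <match>: substring test on 'log'
    program_name: Optional[str] = None  # <program_name>: test on program_name
    if_sid: Optional[int] = None        # <if_sid>: parent rule that must fire first


def rule_matches(rule: Rule, fields: dict, parent_sid: Optional[int]) -> bool:
    """Phase 3 for one rule: every condition present must hold."""
    if rule.if_sid is not None and rule.if_sid != parent_sid:
        return False
    if rule.program_name is not None and fields["program_name"] != rule.program_name:
        return False
    if rule.match is not None and rule.match not in fields["log"]:
        return False
    return True


def first_match(rules: list, fields: dict, parent_sid: Optional[int]) -> Optional[Rule]:
    """Return the first child rule that fires, like the rule tree walk."""
    for rule in rules:
        if rule_matches(rule, fields, parent_sid):
            return rule
    return None


# Rule 18103 (the stock "Windows error event") is assumed to have fired
# already; the child rules below are evaluated with it as parent_sid.
PARENT_SID = 18103

# The posted rule: matches on text that is not in the 'log' field.
POSTED_RULE = Rule(id=101013, level=2, if_sid=PARENT_SID,
                   match="WinEvtLog: System: ERROR(36887):")

# Corrected variant: restrict on program_name, match only on the log body.
FIXED_RULE = Rule(id=101014, level=2, if_sid=PARENT_SID,
                  program_name="WinEvtLog", match="System: ERROR(36887):")

# The level-0 silencer from the reply.
IGNORE_RULE = Rule(id=300003, level=0, if_sid=PARENT_SID)


def demo(event: str = SAMPLE) -> dict:
    """Evaluate each rule against the sample and report which ones fire."""
    fields = predecode(event)
    return {
        "program_name": fields["program_name"],
        "log_starts_with": fields["log"][:21],
        "posted_rule_fires": rule_matches(POSTED_RULE, fields, PARENT_SID),
        "fixed_rule_fires": rule_matches(FIXED_RULE, fields, PARENT_SID),
        "ignore_rule_fires": rule_matches(IGNORE_RULE, fields, PARENT_SID),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints program_name 'WinEvtLog' and a log field beginning "System: ERROR(36887):", with the posted rule not firing and both the corrected rule and the level-0 rule firing. In a real local_rules.xml the corrected variant would be written with <program_name>WinEvtLog</program_name> alongside the <match>, and the frequency/timeframe attributes would turn it into the composite rule the reply describes.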
