I'm having an issue getting a composite rule to trigger. What's really
throwing me is that it works just fine when testing with ossec-logtest, but
it doesn't work live.
Here are the two rules in question:
<rule id="100554" level="6">
  <if_sid>18101</if_sid>
  <id>^131$</id>
  <description>Server accepted initial RDP session request</description>
  <group>sysadmin,</group>
</rule>
<rule id="100560" level="15" frequency="3" timeframe="180">
  <if_matched_sid>100554</if_matched_sid>
  <description>ALERT: Potential RDP brute force attack</description>
  <group>sysadmin,recon,attacks,</group>
</rule>
...and here is a sample log entry:
2019 Dec 20 11:28:59 WinEvtLog: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational: INFORMATION(131): Microsoft-Windows-RemoteDesktopServices-RdpCoreTS: NETWORK SERVICE: NT AUTHORITY: server.domain: The server accepted a new TCP connection from client 10.104.248.199:57714.
Using ossec-logtest I can enter this log entry and on the fifth time it
fires off rule #100560 just as expected. But when I make those same five
logon attempts to a live server, it only ever fires rule #100554. I've
tried this up to 20 times in under 2 minutes, well within the rule
timeframe, and it still never fires the composite rule alert, only 100554.
I have quite a few other composite rules that I've written over the past
few years and don't have this issue. I just don't see what the problem is
with this one or why ossec-logtest shows it working but it never actually
works in a live situation.
I'm running OSSEC HIDS v2.9.3 on Linux, with the agents on Windows 2012+
servers.
Any thoughts?
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/db6d29a9-ec7d-4577-9ce6-d7ed445d8862%40googlegroups.com.
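To make the intended behaviour of the two rules concrete, here is an added example (not code from the post or from OSSEC) that models the composite rule as a sliding-window counter and runs it over constructed WinEvtLog lines in the shape of the sample above. It assumes a simplified decoder for that one line format, that a WinEvtLog line that is not event 131 falls back to the parent rule 18101, that the counter resets once 100560 fires, and that the window is measured from the oldest retained match; OSSEC's own decoders and its exact frequency off-by-one behaviour (the post reports the alert on the fifth entry in ossec-logtest) are not reproduced. The optional `key` argument shows the difference between counting every 131 event, as the posted rule does, and counting per source address.

```python
"""Model of an OSSEC-style composite (frequency/timeframe) rule over sample lines.

Added example, not OSSEC code: it reproduces the intent of rules 100554 and
100560 from the post (count event-id-131 RDP accepts, alert on 3 within 180 s)
so the expected alert sequence can be checked against constructed log lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

PARENT_SID = 18101      # OSSEC base rule for Windows event log entries (from the post)
CHILD_SID = 100554      # "Server accepted initial RDP session request"
COMPOSITE_SID = 100560  # "ALERT: Potential RDP brute force attack"
FREQUENCY = 3
TIMEFRAME = 180         # seconds

# Constructed regex for the single WinEvtLog line shape shown in the post;
# OSSEC's real decoders are not reproduced here.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<level>\w+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"(?P<message>.*)$"
)
CLIENT_RE = re.compile(r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


def decode(line):
    """Return a dict of fields for a WinEvtLog line, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y %b %d %H:%M:%S")
    ev["event_id"] = int(ev["event_id"])
    c = CLIENT_RE.search(ev["message"])
    ev["srcip"] = c.group("ip") if c else None
    return ev


class CompositeRule:
    """Sliding-window counter: fires `sid` once `frequency` child alerts fall
    within `timeframe` seconds. `key` groups the count; None groups nothing,
    like the posted rule, which has no <same_source_ip/>."""

    def __init__(self, child_sid, sid, frequency, timeframe, key=None):
        self.child_sid, self.sid = child_sid, sid
        self.frequency, self.timeframe = frequency, timeframe
        self.key = key or (lambda ev: None)
        self.seen = defaultdict(deque)

    def feed(self, sid, ev):
        if sid != self.child_sid:
            return None
        q = self.seen[self.key(ev)]
        q.append(ev["ts"])
        # Drop matches older than the timeframe (assumes lines arrive in order).
        while (ev["ts"] - q[0]).total_seconds() > self.timeframe:
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()  # assumption: the counter resets after the composite fires
            return self.sid
        return None


def analyse(lines, key=None):
    """Run the rule chain over raw lines; return [(sid, timestamp, srcip), ...]."""
    composite = CompositeRule(CHILD_SID, COMPOSITE_SID, FREQUENCY, TIMEFRAME, key)
    alerts = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue  # not a WinEvtLog line: rule 18101 would not match
        sid = CHILD_SID if ev["event_id"] == 131 else PARENT_SID
        alerts.append((sid, ev["ts"], ev["srcip"]))
        fired = composite.feed(sid, ev)
        if fired:
            alerts.append((fired, ev["ts"], ev["srcip"]))
    return alerts


def sample_line(ts, event_id=131, ip="10.104.248.199", port=57714):
    """Build a constructed WinEvtLog line in the shape shown in the post."""
    return (f"{ts} WinEvtLog: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational: "
            f"INFORMATION({event_id}): Microsoft-Windows-RemoteDesktopServices-RdpCoreTS: "
            f"NETWORK SERVICE: NT AUTHORITY: server.domain: The server accepted a new TCP "
            f"connection from client {ip}:{port}.")


# Constructed inputs: five accepts inside the 180 s window, three spread too far
# apart, and two clients interleaved so the grouping choice is visible.
BURST = [sample_line(t) for t in ("2019 Dec 20 11:28:59", "2019 Dec 20 11:29:10",
                                  "2019 Dec 20 11:29:30", "2019 Dec 20 11:30:05",
                                  "2019 Dec 20 11:31:00")]
SLOW = [sample_line(t) for t in ("2019 Dec 20 11:00:00", "2019 Dec 20 11:04:00",
                                 "2019 Dec 20 11:08:00")]
MIXED = [sample_line("2019 Dec 20 11:28:59", ip="10.104.248.199"),
         sample_line("2019 Dec 20 11:29:10", ip="10.104.248.200"),
         sample_line("2019 Dec 20 11:29:30", ip="10.104.248.199"),
         sample_line("2019 Dec 20 11:29:40", ip="10.104.248.200")]

if __name__ == "__main__":
    for sid, ts, ip in analyse(BURST):
        print(sid, ts, ip)
```

Running it on BURST prints 100554 for every line and 100560 once, on the third accept; on SLOW the composite never fires because each accept is more than 180 s after the previous one. On MIXED the composite fires when all accepts are counted together, but not when `key=lambda ev: ev["srcip"]` groups the count per client, which is the distinction a `<same_source_ip/>` element would make in a real rule.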