Thanks Dan.
I tried your suggestion but no joy. I was still able to trigger rule
#100554 nine times in less than 1 minute, but the composite rule still
never fired. Interestingly ossec-logtest did NOT trigger it either. When
I put my original composite rule back as well though, ossec-logtest did
trigger that just fine. So I left them both in place, still never fires
except for mine with ossec-logtest.
Here are the rules as they are now, including your suggestion:
<rule id="100554" level="6">
<if_sid>18101</if_sid>
<id>^131$</id>
<description>Server accepted initial RDP session request</description>
<group>sysadmin,</group>
</rule>
<rule id="100560" level="15" frequency="3" timeframe="180">
<if_matched_sid>100554</if_matched_sid>
<description>ALERT: Potential RDP brute force attack</description>
<group>recon,attacks,</group>
</rule>
<rule id="100561" level="15" frequency="3" timeframe="180">
<if_matched_sid>18101</if_matched_sid>
<id>^131$</id>
<description>ALERT: Potential RDP brute force attack</description>
<group>sysadmin,recon,attacks,</group>
</rule>
And just so it's said, I am doing an "*ossec-control restart*" when I
change the rules so they get applied. :-)
Thanks for taking a look at this head-scratcher.
On Thursday, January 9, 2020 at 9:07:48 AM UTC-5, dan (ddpbsd) wrote:
>
> On Fri, Dec 20, 2019 at 12:15 PM Bruce Westbrook <[email protected]> wrote:
> >
> > I'm having an issue getting a composite rule to trigger. What's really
> throwing me is that it works just fine when testing with ossec-logtest, but
> it doesn't work live.
> >
> > Here are the two rules in question:
> >
> > <rule id="100554" level="6">
> > <if_sid>18101</if_sid>
> > <id>^131$</id>
> > <description>Server accepted initial RDP session request</description>
> > <group>sysadmin,</group>
> > </rule>
> >
> > <rule id="100560" level="15" frequency="3" timeframe="180">
> > <if_matched_sid>100554</if_matched_sid>
> > <description>ALERT: Potential RDP brute force attack</description>
> > <group>sysadmin,recon,attacks,</group>
> > </rule>
> >
>
> This seems like a silly idea, but it's the only one I have at the moment:
> <rule id="100554" level="6">
> <if_sid>18101</if_sid>
> <id>^131$</id>
> <description>Server accepted initial RDP session request</description>
> <group>sysadmin,</group>
> </rule>
>
> <rule id="100560" level="15" frequency="3" timeframe="180">
> <if_matched_sid>18101</if_matched_sid>
> <id>^131$</id>
> <description>ALERT: Potential RDP brute force attack</description>
> <group>sysadmin,recon,attacks,</group>
> </rule>
>
> I'll try to look into it more when I find some time.
>
> >
> > ...and here is a sample log entry:
> >
> > 2019 Dec 20 11:28:59 WinEvtLog:
> Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational:
> INFORMATION(131): Microsoft-Windows-RemoteDesktopServices-RdpCoreTS:
> NETWORK SERVICE: NT AUTHORITY: server.domain: The server accepted a new TCP
> connection from client 10.104.248.199:57714.
> >
> >
> > Using ossec-logtest I can enter this log entry and on the fifth time it
> fires off rule #100560 just as expected. But when I make those same five
> logon attempts to a live server, it only ever fires rule #100554. I've
> tried this up to 20 times in under 2 minutes, well within the rule
> timeframe, and it still never fires the composite rule alert, only 100554.
> >
> > I have quite a few other composite rules that I've written over the past
> few years and don't have this issue. I just don't see what the problem is
> with this one or why ossec-logtest shows it working but it never actually
> works in a live situation.
> >
> > I'm running OSSEC HIDS v2.9.3 on Linux, with the agents on Windows 2012+
> servers.
> >
> > Any thoughts?
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected].
> > To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/db6d29a9-ec7d-4577-9ce6-d7ed445d8862%40googlegroups.com.
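To make visible what the frequency/timeframe pair on rule 100560 actually counts, here is an added Python emulation (not OSSEC code and not from anyone in this thread) that parses lines in the WinEvtLog layout of the sample entry above and runs the 100554 -> 100560 chain over constructed input. It applies OSSEC's documented behaviour of firing a frequency rule on the (frequency + 2)th match, which is consistent with rule 100560 firing on the fifth ossec-logtest entry with frequency="3"; clearing the window after an alert is a simplification of my own.

```python
import re
from collections import deque
from datetime import datetime, timedelta

TS_FMT = "%Y %b %d %H:%M:%S"
# Header of an OSSEC WinEvtLog line as quoted in the thread: timestamp, channel, TYPE(id).
HEADER_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: \S+: [A-Z_]+\((\d+)\): ")
CLIENT_RE = re.compile(r"from client ([\d.]+):\d+")

def parse_winevtlog(line):
    """Return ts_str/ts/id/client for a WinEvtLog line, or None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    client = CLIENT_RE.search(line)
    return {"ts_str": m.group(1), "ts": datetime.strptime(m.group(1), TS_FMT),
            "id": int(m.group(2)), "client": client.group(1) if client else None}

def run_rules(lines, frequency=3, timeframe=180):
    """Run the 100554 -> 100560 chain from the thread; returns (rule_id, ts_str, client) alerts.
    OSSEC fires a frequency rule on the (frequency + 2)th match within timeframe seconds,
    which is why frequency="3" fired on the fifth ossec-logtest entry in the thread."""
    window, hits, alerts = timedelta(seconds=timeframe), deque(), []
    for line in lines:
        ev = parse_winevtlog(line)
        if ev is None or ev["id"] != 131:   # rule 100554: <if_sid>18101</if_sid> + <id>^131$</id>
            continue
        alerts.append((100554, ev["ts_str"], ev["client"]))
        hits.append(ev["ts"])               # rule 100560: <if_matched_sid>100554</if_matched_sid>
        while ev["ts"] - hits[0] > window:  # drop 100554 matches older than the timeframe
            hits.popleft()
        if len(hits) >= frequency + 2:
            alerts.append((100560, ev["ts_str"], ev["client"]))
            hits.clear()                    # simplification: start a fresh window after firing
    return alerts

def make_line(offset, eid, msg):
    """Constructed sample line in the layout of the post's log entry, offset seconds after 11:28:59."""
    ts = (datetime(2019, 12, 20, 11, 28, 59) + timedelta(seconds=offset)).strftime(TS_FMT)
    return (f"{ts} WinEvtLog: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational: "
            f"INFORMATION({eid}): Microsoft-Windows-RemoteDesktopServices-RdpCoreTS: "
            f"NETWORK SERVICE: NT AUTHORITY: server.domain: {msg}")

ACCEPTED = "The server accepted a new TCP connection from client 10.104.248.199:57714."
SAMPLE_LOG = [make_line(o, 131, ACCEPTED) for o in (0, 10, 20, 30, 40, 50)]
SAMPLE_LOG.insert(2, make_line(15, 999, "Constructed non-131 event; rule 100554 ignores it."))
SAMPLE_LOG.append(make_line(400, 131, ACCEPTED))  # too late: earlier matches have aged out
```

Running `run_rules(SAMPLE_LOG)` yields seven 100554 alerts and a single 100560 alert on the fifth id-131 entry (11:29:39); the late entry at 11:35:39 alone cannot refill the 180-second window.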