<rule id="18180" level="5">
<if_sid>18105</if_sid>
<id>^18456$</id>
<group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
<description>MS SQL Server Logon Failure.</description>
</rule>
** Alert 1510854237.1318112395: - windows,win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,
2017 Nov 16 12:43:57 (SERVER) any->WinEvtLog
Rule: 18180 (level 5) -> 'MS SQL Server Logon Failure.'
User: (no user)
2017 Nov 16 12:43:56 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER.DOMAIN.LOCAL: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]
<rule id="18152" level="10" frequency="6" timeframe="240">
<if_matched_group>win_authentication_failed</if_matched_group>
<description>Multiple Windows Logon Failures.</description>
<group>authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,</group>
</rule>
<!-- Redefining an existing rule id needs overwrite="yes", otherwise OSSEC rejects the duplicate id -->
<rule id="18180" level="1" overwrite="yes">
<if_sid>18105</if_sid>
<id>^18456$</id>
<match>BAD_NOT_BAD_USERNAME</match>
<group>pci_dss_10.2.4,pci_dss_10.2.5,</group>
<description>MS SQL Server Logon Failure by known 'not bad'</description>
</rule>
<rule id="18180+n" level="5">
<if_sid>18105</if_sid>
<id>^18456$</id>
<!-- Group must be 'win_authentication_failed' so composite rule 18152 still correlates these events -->
<group>win_authentication_failed,</group>
<description>MS SQL Server Logon Failure.</description>
</rule>
You received this message because you are subscribed to the Google Groups "ossec-list" group.
<!-- Rewrite rule #18180 to narrow down to bad SQL account and not add the 'win_authentication_failed' group -->
<rule id="18180" level="5" overwrite="yes">
<if_sid>18105</if_sid>
<id>^18456$</id>
<match>Login failed for user 'USERNAME'</match>
<group>pci_dss_10.2.4,pci_dss_10.2.5,</group>
<description>MS SQL Server Logon Failure for 'dpa' only</description>
</rule>
<!-- Add new rule to take the place of rule #18180 after matching our bad SQL account -->
<rule id="100150" level="5">
<if_sid>18105</if_sid>
<id>^18456$</id>
<group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
<description>MS SQL Server Logon Failure - custom rule for #18180</description>
</rule>
2017/11/21 10:31:13 ossec-testrule: INFO: Reading local decoder file.
2017/11/21 10:31:13 ossec-testrule: INFO: Started (pid: 27437).
ossec-testrule: Type one log per line.
2017 Nov 16 12:43:56 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]
**Phase 1: Completed pre-decoding.
full event: '2017 Nov 16 12:43:56 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]'
hostname: 'SERVER'
program_name: '(null)'
log: '2017 Nov 16 12:43:56 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_FAILURE'
id: '18456'
extra_data: 'MSSQLSERVER'
dstuser: '(no user)'
system_name: 'SERVER'
**Phase 3: Completed filtering (rules).
Rule id: '18180'
Level: '5'
Description: 'TEMP NOISE REDUCTION: MS SQL Server Logon Failure for 'USERNAME''
**Alert to be generated.
** Alert 1511375499.1421236953: - local,syslog,authentication_failures,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,
2017 Nov 22 13:31:39 (SERVER) any->WinEvtLog
Rule: 18152 (level 10) -> 'Multiple Windows Logon Failures.'
User: (no user)
2017 Nov 22 13:31:36 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]
2017 Nov 22 13:31:36 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]
2017 Nov 22 13:31:36 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]
2017 Nov 22 13:31:36 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]
2017 Nov 22 13:31:36 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]
2017 Nov 22 13:31:36 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]
2017 Nov 22 13:31:36 WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: (no user): no domain: SERVER: Login failed for user 'USERNAME'. Reason: Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]
<rule id="18180" level="5" overwrite="yes">
<if_sid>18105</if_sid>
<id>^18456$</id>
<match>Login failed for user 'USER'</match>
<group>pci_dss_10.2.4,pci_dss_10.2.5,</group>
<description>TEMP NOISE REDUCTION: MS SQL Server Logon Failure for 'USER'</description>
</rule>
<rule id="100150" level="5">
<if_sid>18105</if_sid>
<id>^18456$</id>
<group>win_authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
<description>MS SQL Server Logon Failure - custom rule for #18180</description>
</rule>
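The following is an added example, not code from the ossec-list thread or from the OSSEC project: it models the effect of the rule pair above (the overwritten 18180 without the 'win_authentication_failed' group, and 100150 carrying it) on the rule 18152 threshold of 6 events in 240 seconds, over constructed WinEvtLog lines in the format shown in the thread. The account names 'svc_noisy' and 'someone' are hypothetical, and the sliding window is a simplified model of OSSEC's frequency counter, not its actual implementation.

```python
import re
from collections import deque
from datetime import datetime
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: \w+: "
    r"(?P<status>AUDIT_\w+)\((?P<id>\d+)\): .*?Login failed for user "
    r"'(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]$")

def parse_event(line):
    """Decode one WinEvtLog line into ts, status, event id, user and client."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y %b %d %H:%M:%S")
    return ev

def classify(ev, noisy_accounts):
    """Mirror the two rules: a noisy account stays at the overwritten 18180
    without 'win_authentication_failed'; any other user falls to 100150 with it."""
    if ev["status"] != "AUDIT_FAILURE" or ev["id"] != "18456":
        return None, set()
    if ev["user"] in noisy_accounts:
        return 18180, {"pci_dss_10.2.4", "pci_dss_10.2.5"}
    return 100150, {"win_authentication_failed", "pci_dss_10.2.4", "pci_dss_10.2.5"}

def correlate(lines, noisy_accounts, frequency=6, timeframe=240):
    """Simplified sliding window (not OSSEC's exact counter): rule 18152 fires
    once `frequency` events carrying the group arrive within `timeframe` seconds."""
    window, alerts = deque(), []
    for ev in filter(None, map(parse_event, lines)):
        if "win_authentication_failed" not in classify(ev, noisy_accounts)[1]:
            continue  # the noisy account never feeds the threshold
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > timeframe:
            window.popleft()
        if len(window) >= frequency:
            alerts.append((18152, ev["ts"], ev["user"]))
            window.clear()  # fresh count after the composite rule fires
    return alerts
def _line(ts, user):  # constructed line in the page's WinEvtLog format
    return (f"{ts} WinEvtLog: Application: AUDIT_FAILURE(18456): MSSQLSERVER: "
            f"(no user): no domain: SERVER: Login failed for user '{user}'. Reason: "
            "Failed to open the explicitly specified database 'DATABASE'. [CLIENT: nnn.nnn.nnn.nnn]")

# Constructed sample: 7 failures from hypothetical noisy account 'svc_noisy', 6 from another user within 50 s, one stray 45 min later.
SAMPLE_LOGS = ([_line(f"2017 Nov 22 13:31:3{i}", "svc_noisy") for i in range(7)]
               + [_line(f"2017 Nov 22 13:40:{i}0", "someone") for i in range(6)]
               + [_line("2017 Nov 22 14:30:00", "someone")])
```

With `svc_noisy` excluded, only the six failures from the other user raise 18152; with an empty exclusion set the noisy account fires it as well.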