Re: [ossec-list] \Device\NetbiosSmb and Audit Failure


Daniel Cid

Oct 8, 2009, 11:09:57 AM
to ossec...@googlegroups.com
Hi Noel,

I don't know exactly what this event means, but if you want to ignore
those on OSSEC, try
this rule:

<rule id="100356" level="0">
  <if_sid>18105</if_sid>
  <id>560</id>
  <match>\Device\NetbiosSmb</match>
  <description>Ignoring event</description>
</rule>

In the <match> field you can ignore more parts of the event too.


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On Tue, Oct 6, 2009 at 9:51 AM, Noel Mulryan <noelm...@gmail.com> wrote:
> Hi,
>
> I have installed OSSEC as part of PCI DSS requirements and I must say it is
> an excellent piece of software.
>
> OSSEC is running on a Debian box which is only running OSSEC. The rest of
> the environment is a windows only environment.
>
> Full auditing is enabled on all machines.
>
> I keep getting the following log entry coming from all the windows boxes
> regarding \Device\NetbiosSmb and Audit Failure.
>
> 2009 Oct 06 13:31:23 Rule Id: 18105 level: 4
> Location: (MiaFTP) 10.30.10.203->WinEvtLog
> Windows audit failure event. WinEvtLog: Security: AUDIT_FAILURE(560):
> Security: LOCAL SERVICE: NT AUTHORITY: MIAFTP: Object Open: Object Server:
> Security Object Type: File Object Name: \Device\NetbiosSmb Handle ID: -
> Operation ID: {0,1423794941} Process ID: 780 Image File Name:
> C:\WINDOWS\system32\svchost.exe Primary User Name: LOCAL SERVICE Primary
> Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E5) Client User Name: -
> Client Domain: - Client Logon ID: - Accesses: %%1541 %%4416 %%4417
> Privileges: - Restricted Sid Count: 0 Access Mask: 0x100003
>
> The following settings in Group Policy have been set for all servers:
>
> Turn off the security option "Audit the access of global system objects"
>
> Turn off the security option "Audit the use of the backup and restore
> privilege".
>
> Indexing service disabled and auditing turned off for it.
>
> Does anyone know how to either ignore this event or stop it from being
> generated?
>
> Also does anyone have extra windows rules that I could apply (all windows
> server 2003 used)?
>
> Thanks,
>
> Noel
>
>
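As an added illustration (not part of the thread and not OSSEC's own code), the Python below models how the rule Daniel posted is applied to the audit-failure event Noel pasted: the parent rule 18105 fires on a WinEvtLog AUDIT_FAILURE line, and the child rule 100356 then lowers it to level 0 only when the event ID is 560 and the string \Device\NetbiosSmb appears in the event. The evaluator is a deliberate simplification of OSSEC's Windows decoder and rule chain (an assumption for this example, not its real implementation), and sample events 2 to 4 are constructed. It also shows why the <match> text should stay as specific as the object name: widening it to a generic fragment such as "Object Type: File" would silence genuine object-access failures as well.

```python
import re

# The rule from Daniel's reply, as data for the toy evaluator below.
# In OSSEC, <if_sid> requires the named parent rule to have matched first,
# <id> compares the decoded Windows event ID, and <match> is a plain
# substring test against the log line.
IGNORE_RULE = {
    "id": 100356,
    "level": 0,
    "if_sid": 18105,
    "event_id": "560",
    "match": r"\Device\NetbiosSmb",
}

# Parent rule modelled here: 18105, "Windows audit failure event", level 4
# (from the alert Noel posted). Other Windows rules are not modelled.
PARENT_RULE = (18105, 4)

EVENT_RE = re.compile(r"WinEvtLog: Security: (AUDIT_FAILURE|AUDIT_SUCCESS)\((\d+)\)")


def decode_windows_event(line):
    """Return (event_type, event_id) for a WinEvtLog line, or None.

    Simplified stand-in for the fields OSSEC's Windows decoder exposes
    to rules (assumption for this example)."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2)


def evaluate(line, ignore_rule=IGNORE_RULE):
    """Return the (rule_id, level) the event ends up with, or None if no
    modelled rule fires on it."""
    decoded = decode_windows_event(line)
    if decoded is None:
        return None
    event_type, event_id = decoded
    if event_type != "AUDIT_FAILURE":
        return None  # only the audit-failure parent is modelled
    result = PARENT_RULE
    r = ignore_rule
    # All three conditions of the child rule must hold for the override.
    if (r["if_sid"] == result[0]
            and event_id == r["event_id"]
            and r["match"] in line):
        result = (r["id"], r["level"])
    return result


def remaining_alerts(lines, ignore_rule=IGNORE_RULE):
    """Return (index, rule_id, level) for every event still alerting (level > 0)."""
    out = []
    for i, line in enumerate(lines):
        res = evaluate(line, ignore_rule)
        if res is not None and res[1] > 0:
            out.append((i, res[0], res[1]))
    return out


SAMPLE_EVENTS = [
    # 1. The event Noel posted in the thread, collapsed onto one line.
    r"WinEvtLog: Security: AUDIT_FAILURE(560): Security: LOCAL SERVICE: NT AUTHORITY: MIAFTP: "
    r"Object Open: Object Server: Security Object Type: File Object Name: \Device\NetbiosSmb "
    r"Handle ID: - Operation ID: {0,1423794941} Process ID: 780 Image File Name: "
    r"C:\WINDOWS\system32\svchost.exe Primary User Name: LOCAL SERVICE Access Mask: 0x100003",
    # 2. Constructed: a failed open of a real file, which must keep alerting.
    r"WinEvtLog: Security: AUDIT_FAILURE(560): Security: jdoe: CORP: MIAFTP: Object Open: "
    r"Object Server: Security Object Type: File Object Name: C:\Finance\payroll.xls "
    r"Handle ID: - Process ID: 1204 Image File Name: C:\WINDOWS\explorer.exe Access Mask: 0x20089",
    # 3. Constructed: same object name but a different event ID, so <id> fails.
    r"WinEvtLog: Security: AUDIT_FAILURE(567): Security: LOCAL SERVICE: NT AUTHORITY: MIAFTP: "
    r"Object Access Attempt: Object Type: File Object Name: \Device\NetbiosSmb",
    # 4. Constructed: an audit success, which the audit-failure parent never sees.
    r"WinEvtLog: Security: AUDIT_SUCCESS(560): Security: jdoe: CORP: MIAFTP: Object Open: "
    r"Object Name: \Device\NetbiosSmb",
]

# Caveat case: the same rule with an over-broad <match> text.
BROAD_RULE = dict(IGNORE_RULE, match="Object Type: File")

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, evaluate(ev))
    print("still alerting:", remaining_alerts(SAMPLE_EVENTS))
    print("with broad match:", remaining_alerts(SAMPLE_EVENTS, BROAD_RULE))
```

With the rule as posted, only the NetbiosSmb event is dropped; the payroll file failure and the event-567 line still alert at level 4. With the broadened match, the payroll failure is silenced too, which is the outcome to avoid when tuning noise rules.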
