how to exclude logon type 3 events


Aaron Bliss

Nov 27, 2007, 10:37:41 AM11/27/07
to ossec...@googlegroups.com
Hi everyone, is it possible to configure the OSSEC server to ignore successful Logon Type: 3 events? Thanks for your help.

2007 Nov 27 10:26:24
Rule Id: 18107 level: 3
Location: (test1) 137.21.8.90->WinEvtLog
Windows Logon Success.
WinEvtLog: Security: AUDIT_SUCCESS(540): Security: IT Support Services: TEST1: TEST1: Successful Network Logon: User Name: IT Support Services Domain: TEST1 Logon ID: (0x0,0xEDD25CB) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: DUMMY107 Logon GUID: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 137.21.8.123 Source Port: 0

Aaron

Peter M. Abraham

Nov 27, 2007, 5:07:38 PM11/27/07
to ossec-list
Greetings Aaron:

Yes, just copy the rule elements to /var/ossec/rules/local_rules.xml
and use the overwrite="yes" feature to overwrite the rule.

Or if the rule would be a subset, then copy the main rule which
triggers alerts to local_rules.xml, set the level low enough or email
to ignore, and then create separate rules for what you need
notifications on.

The Windows login rules are in /var/ossec/rules/msauth_rules.xml

Based on the information you provided, rule 18107 was triggered. That
is in the msauth_rules.xml file as

<rule id="18107" level="3">
  <if_sid>18104</if_sid>
  <id>^528|^540|^672|^673</id>
  <description>Windows Logon Success.</description>
  <group>authentication_success,</group>
</rule>

Daniel might be able to answer if you could do the equivalent of an if
then else (i.e. if <match>Logon Type: 3</match> then ignore, else
report), but the above may be a starting point for you.

Thank you.

Daniel Cid

Nov 28, 2007, 10:51:52 PM11/28/07
to ossec...@googlegroups.com
Hi Aaron,

Peter's suggestion is pretty good, but you don't need to overwrite the
rule for it. Just adding the following rule to local_rules.xml should
solve your problem.

<rule id="100100" level="0">
  <if_sid>18107</if_sid>
  <match>Logon Type: 3</match>
  <description>Windows Logon type 3 ignored.</description>
</rule>


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
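To see why Daniel's level-0 child rule silences only the network logons and leaves interactive (type 2) and RDP (type 10) logons alerting at level 3, here is a small model of OSSEC's parent/child rule matching. This is an added illustration written for this page, not OSSEC's own code: rule 18104 is not quoted in the thread, so it is modelled as a generic "audit success" parent (an assumption), and the sample event lines are constructed, patterned on the event Aaron posted with dummy names and addresses. Rules 18107 and 100100 are as posted above.

```python
"""Toy model of OSSEC's if_sid rule tree, to check what the local rule from
this thread does to Windows logon events.  Added example, not OSSEC code."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    id: int
    level: int
    if_sid: Optional[int] = None      # <if_sid>: parent that must match first
    status: Optional[str] = None      # <status>: decoded AUDIT_SUCCESS/AUDIT_FAILURE
    id_pattern: Optional[str] = None  # <id>: regex over the decoded event id
    match: Optional[str] = None       # <match>: plain substring test on the line
    description: str = ""


# 18104 is not quoted in the thread; modelled here as the generic
# "audit success" parent (assumption).  18107 and 100100 are as posted.
RULES = [
    Rule(18104, 3, status="AUDIT_SUCCESS",
         description="Windows audit success event (assumed parent)."),
    Rule(18107, 3, if_sid=18104, id_pattern="^528|^540|^672|^673",
         description="Windows Logon Success."),
    Rule(100100, 0, if_sid=18107, match="Logon Type: 3",
         description="Windows Logon type 3 ignored."),
]

# Constructed sample events, patterned on the posted line (dummy names/IPs).
SAMPLE_EVENTS = [
    "WinEvtLog: Security: AUDIT_SUCCESS(540): Security: svc-backup: TEST1: TEST1: "
    "Successful Network Logon: User Name: svc-backup Domain: TEST1 Logon Type: 3 "
    "Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: DUMMY107 "
    "Source Network Address: 137.21.8.123 Source Port: 0",
    "WinEvtLog: Security: AUDIT_SUCCESS(528): Security: jdoe: TEST1: TEST1: "
    "Successful Logon: User Name: jdoe Domain: TEST1 Logon Type: 2 "
    "Logon Process: User32 Authentication Package: Negotiate Workstation Name: TEST1",
    "WinEvtLog: Security: AUDIT_SUCCESS(528): Security: jdoe: TEST1: TEST1: "
    "Successful Logon: User Name: jdoe Domain: TEST1 Logon Type: 10 "
    "Logon Process: User32 Authentication Package: Negotiate Workstation Name: TEST1",
]

EVENT_HEADER = re.compile(r"^WinEvtLog: (?P<log>\w+): (?P<status>AUDIT_\w+)\((?P<id>\d+)\):")


def decode(line):
    """Pull the fields the Windows decoder exposes to rules: status and id."""
    m = EVENT_HEADER.match(line)
    if not m:
        return None
    return {"status": m.group("status"), "id": m.group("id"), "full_log": line}


def rule_matches(rule, ev):
    if rule.status is not None and ev["status"] != rule.status:
        return False
    # '^528|^540|...' anchors each alternative; Python re reads it the same way.
    if rule.id_pattern is not None and not re.search(rule.id_pattern, ev["id"]):
        return False
    # <match> is a substring test: "Logon Type: 3" does not hit "Logon Type: 10".
    if rule.match is not None and rule.match not in ev["full_log"]:
        return False
    return True


def evaluate(line, rules=RULES):
    """Most specific matching rule, walking the if_sid tree the way OSSEC does:
    a child rule is only tried once its parent has matched."""
    ev = decode(line)
    if ev is None:
        return None
    matched = None
    candidates = [r for r in rules if r.if_sid is None]
    while candidates:
        hit = next((r for r in candidates if rule_matches(r, ev)), None)
        if hit is None:
            break
        matched = hit
        candidates = [r for r in rules if r.if_sid == hit.id]
    return matched


def classify(line):
    """(rule id, level) for a line, or None when nothing matches."""
    r = evaluate(line)
    return None if r is None else (r.id, r.level)


def alerts(line):
    """Level 0 is OSSEC's 'never alert' level; that is what silences type 3."""
    r = evaluate(line)
    return r is not None and r.level > 0


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(classify(e), "alert" if alerts(e) else "silenced", "|", e[:60])
```

Two practical checks before relying on this in production: the rule has to sit inside the `<group>` element that local_rules.xml already contains, and ID 100100 is in the 100000 to 119999 range OSSEC reserves for user rules. Then feed the real event line to /var/ossec/bin/ossec-logtest, which prints the rule it ends up matching; it should report 100100 at level 0 for the type 3 logon and 18107 for a type 2 or type 10 one.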
