Attack_rules ex: 40501 in large deployments


Franky4fngrs

Nov 16, 2011, 12:52:38 PM11/16/11
to ossec-list
Hello,

I have an ossec deployment with a little over 700 agents
communicating. The issue I am having is that rules such as 40501
report a large number of false positives. There are a large number
of brute force attacks across the environment at any given time.
Whenever a legitimate user logs in the alert is triggered. I have not
seen an obvious (to me) way to modify the rules, or groups to address
this issue. Has anyone tackled this issue before?

Thanks

Yi-Huan Chan (Hubert)

Nov 30, 2011, 1:19:00 AM11/30/11
to ossec...@googlegroups.com
I'm not quite sure about using <same_source_ip /> in this case.

For the false positive, the source IP of the brute force attack and the
adduser event might come from different hosts.

Dustin Lenz

Mar 23, 2016, 12:29:43 PM3/23/16
to ossec-list
Resurrecting this one from the dead.  This rule is a problem for me. I am seeing many false positives (FP).  Here is one such example:

Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root 192.168.1.50 (192.168.1.50) 52209
Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root 192.168.1.50 (192.168.1.50) 52209 
2016 Mar 17 09:49:15 WinEvtLog: Security: AUDIT_SUCCESS(4722): Microsoft-Windows-Security-Auditing: (no user): no domain: WINDOWSHOST.domain-internal.com.internal: A user account was enabled. Subject: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX Account Name: username Account Domain: DOMAIN-INTERNAL Logon ID: 0x2xxXXXX Target Account: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX Account Name: VM01XXXX-XXXXXX$ Account Domain: DOMAIN-INTERNAL 

As you can see this is an obvious FP. 

Can someone weigh in here on how we can remediate these issues?  Some days we see 100+ FP's.

Thanks in advance,

Dustin

dan (ddp)

Mar 23, 2016, 12:32:37 PM3/23/16
to ossec...@googlegroups.com
On Wed, Mar 23, 2016 at 12:23 PM, Dustin Lenz <dus...@netjitsu.net> wrote:
> Resurrecting this one from the dead. This rule is a problem for me. I am
> seeing many false positives (FP). Here is one such example:
>
>>> Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root
>>> 192.168.1.50 (192.168.1.50) 52209
>>>
>>> Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root
>>> 192.168.1.50 (192.168.1.50) 52209
>>>
>>> 2016 Mar 17 09:49:15 WinEvtLog: Security: AUDIT_SUCCESS(4722):
>>> Microsoft-Windows-Security-Auditing: (no user): no domain:
>>> WINDOWSHOST.domain-internal.com.internal: A user account was enabled.
>>> Subject: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX
>>> Account Name: username Account Domain: DOMAIN-INTERNAL Logon ID: 0x2xxXXXX
>>> Target Account: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX
>>> Account Name: VM01XXXX-XXXXXX$ Account Domain: DOMAIN-INTERNAL
>
>
> As you can see this is an obvious FP.
>
> Can someone weigh in here on how we can remediate these issues? Some days
> we see 100+ FP's.
>

Disable the rule?
I think you could set it to only alert if the logs have the same srcip
(not positive though).


Dustin Lenz

May 10, 2016, 12:07:10 PM5/10/16
to ossec...@googlegroups.com
Hi,

> I think you could set it to only alert if the logs have the same srcip

How would one go about this?

Thanks,





--
Regards,

Dustin

dan (ddp)

May 10, 2016, 12:09:19 PM5/10/16
to ossec...@googlegroups.com
On Tue, May 10, 2016 at 12:07 PM, Dustin Lenz <dus...@netjitsu.net> wrote:
> HI,
>
>> I think you could set it to only alert if the logs have the same srcip
>
> How would one go about this?
>

Try setting <same_source_ip /> in the rule.
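A concrete way to apply that suggestion, as an added example that is not part of the thread or of the OSSEC rule set: override rule 40501 in local_rules.xml so the composite only fires when the authentication failures and the adduser event carry the same source IP. The rule body (the authentication_failures and adduser groups, level 10, description) is reproduced from memory of attack_rules.xml and is an assumption to verify against the installed copy, since overwrite="yes" replaces the stock rule entirely.

```xml
<!-- local_rules.xml: override of OSSEC rule 40501 so that it only
     correlates authentication failures with an adduser event from the
     same source IP. Added example, not shipped OSSEC content.
     The if_matched_group / if_group / level / description below are
     assumed to match the stock rule in attack_rules.xml; check them
     against your installed version before loading this, because
     overwrite="yes" replaces the original rule wholesale. -->
<group name="local,syslog,">

  <rule id="40501" level="10" overwrite="yes">
    <if_matched_group>authentication_failures</if_matched_group>
    <if_group>adduser</if_group>
    <!-- Only fire when the earlier failed logins and the account
         creation share a decoded srcip. An event with no srcip (the
         WinEvtLog 4722 sample in this thread decodes none) cannot share
         one, so it no longer completes the chain. The trade-off Hubert
         raised still holds: a brute force from one host followed by an
         account creation from another host will not alert either. -->
    <same_source_ip />
    <description>Attacks followed by the addition of an user (same source IP only).</description>
    <group>elevation_of_privilege,</group>
  </rule>

</group>
```

After editing, run ossec-logtest against the tac_plus and 4722 lines from the thread to confirm the override loads and that the 4722 event alone no longer raises 40501.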