Composite Rule Not Firing

Bruce Westbrook

Dec 20, 2019, 12:15:41 PM
to ossec-list
I'm having an issue getting a composite rule to trigger.  What's really throwing me is that it works just fine when testing with ossec-logtest, but it doesn't work live.

Here are the two rules in question:

  <rule id="100554" level="6">
    <if_sid>18101</if_sid>
    <id>^131$</id>
    <description>Server accepted initial RDP session request</description>
    <group>sysadmin,</group>
  </rule>

  <rule id="100560" level="15" frequency="3" timeframe="180">
    <if_matched_sid>100554</if_matched_sid>
    <description>ALERT: Potential RDP brute force attack</description>
    <group>sysadmin,recon,attacks,</group>
  </rule>


...and here is a sample log entry:

2019 Dec 20 11:28:59 WinEvtLog: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational: INFORMATION(131): Microsoft-Windows-RemoteDesktopServices-RdpCoreTS: NETWORK SERVICE: NT AUTHORITY: server.domain: The server accepted a new TCP connection from client 10.104.248.199:57714.


Using ossec-logtest I can enter this log entry and on the fifth time it fires off rule #100560 just as expected.  But when I make those same five logon attempts to a live server, it only ever fires rule #100554.  I've tried this up to 20 times in under 2 minutes, well within the rule timeframe, and it still never fires the composite rule alert, only 100554.

I have quite a few other composite rules that I've written over the past few years and don't have this issue.  I just don't see what the problem is with this one or why ossec-logtest shows it working but it never actually works in a live situation.

I'm running OSSEC HIDS v2.9.3 on Linux, with the agents on Windows 2012+ servers.

Any thoughts?

Bruce Westbrook

Jan 9, 2020, 8:55:18 AM
to ossec-list
*bump*

Anyone?

dan (ddp)

Jan 9, 2020, 9:07:48 AM
to ossec...@googlegroups.com
On Fri, Dec 20, 2019 at 12:15 PM Bruce Westbrook <bwest...@gmail.com> wrote:
>
> I'm having an issue getting a composite rule to trigger. What's really throwing me is that it works just fine when testing with ossec-logtest, but it doesn't work live.
>
> Here are the two rules in question:
>
> <rule id="100554" level="6">
> <if_sid>18101</if_sid>
> <id>^131$</id>
> <description>Server accepted initial RDP session request</description>
> <group>sysadmin,</group>
> </rule>
>
> <rule id="100560" level="15" frequency="3" timeframe="180">
> <if_matched_sid>100554</if_matched_sid>
> <description>ALERT: Potential RDP brute force attack</description>
> <group>sysadmin,recon,attacks,</group>
> </rule>
>

This seems like a silly idea, but it's the only one I have at the moment:
<rule id="100554" level="6">
<if_sid>18101</if_sid>
<id>^131$</id>
<description>Server accepted initial RDP session request</description>
<group>sysadmin,</group>
</rule>

<rule id="100560" level="15" frequency="3" timeframe="180">
<if_matched_sid>18101</if_matched_sid>
<id>^131$</id>
<description>ALERT: Potential RDP brute force attack</description>
<group>sysadmin,recon,attacks,</group>
</rule>

I'll try to look into it more when I find some time.

>
> ...and here is a sample log entry:
>
> 2019 Dec 20 11:28:59 WinEvtLog: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational: INFORMATION(131): Microsoft-Windows-RemoteDesktopServices-RdpCoreTS: NETWORK SERVICE: NT AUTHORITY: server.domain: The server accepted a new TCP connection from client 10.104.248.199:57714.
>
>
> Using ossec-logtest I can enter this log entry and on the fifth time it fires off rule #100560 just as expected. But when I make those same five logon attempts to a live server, it only ever fires rule #100554. I've tried this up to 20 times in under 2 minutes, well within the rule timeframe, and it still never fires the composite rule alert, only 100554.
>
> I have quite a few other composite rules that I've written over the past few years and don't have this issue. I just don't see what the problem is with this one or why ossec-logtest shows it working but it never actually works in a live situation.
>
> I'm running OSSEC HIDS v2.9.3 on Linux, with the agents on Windows 2012+ servers.
>
> Any thoughts?

Bruce Westbrook

Jan 9, 2020, 10:52:50 AM
to ossec-list
Thanks Dan.

I tried your suggestion but no joy.  I was still able to trigger rule #100554 nine times in less than 1 minute, but the composite rule still never fired.  Interestingly, ossec-logtest did NOT trigger it either.  When I put my original composite rule back as well though, ossec-logtest did trigger that just fine.  So I left them both in place; it still never fires, except for mine with ossec-logtest.

Here are the rules as they are now, including your suggestion:

  <rule id="100554" level="6">
    <if_sid>18101</if_sid>
    <id>^131$</id>
    <description>Server accepted initial RDP session request</description>
    <group>sysadmin,</group>
  </rule>

  <rule id="100560" level="15" frequency="3" timeframe="180">
    <if_matched_sid>100554</if_matched_sid>
    <description>ALERT: Potential RDP brute force attack</description>
    <group>recon,attacks,</group>
  </rule>

  <rule id="100561" level="15" frequency="3" timeframe="180">
    <if_matched_sid>18101</if_matched_sid>
    <id>^131$</id>
    <description>ALERT: Potential RDP brute force attack</description>
    <group>sysadmin,recon,attacks,</group>
  </rule>


And just so it's said, I am doing an "ossec-control restart" when I change the rules so they get applied.  :-)

Thanks for taking a look at this head-scratcher.
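The composite rule in the original post, and the three-rule set in the last post, both count matches of a child rule inside a timeframe. The following is an added example written for this thread, not code from the thread or from OSSEC: a small Python model of that sliding-window counting, replayed over constructed WinEvtLog lines in the format quoted above. Three things in it are assumptions: the line pattern is hand-written and stands in for OSSEC's Windows event-log decoder; the "fires once it has matched frequency + 2 times" convention is taken from the OSSEC rule documentation and agrees with the fifth-event behaviour reported for ossec-logtest; and clearing the window after the rule fires is a simplification so the alert does not repeat on every following event.

```python
# Added example: a Python model of how an OSSEC composite rule with
# frequency/timeframe counts matches of its child rule. Editor-written
# illustration, not code from the thread or from OSSEC itself.
import re
from collections import deque
from datetime import datetime, timedelta

# Assumption: a hand-written pattern for the WinEvtLog line format shown in the
# thread, standing in for OSSEC's windows-eventlog decoder.
WINEVT_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<type>[A-Z]+)\((?P<id>\d+)\): "
)

CHILD_RULE_ID = 100554       # matches event ID 131 (the <id>^131$</id> test)
COMPOSITE_RULE_ID = 100560   # frequency="3" timeframe="180" over rule 100554
EVENT_ID_RE = re.compile(r"^131$")


def parse_winevt(line):
    """Return (timestamp, event_id) for a WinEvtLog line, or None if it does not parse."""
    m = WINEVT_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts, m.group("id")


class CompositeRule:
    """Sliding-window counter for <if_matched_sid> with frequency and timeframe."""

    def __init__(self, frequency, timeframe):
        # Assumption: the OSSEC rule documentation's convention that a frequency
        # rule fires once it has matched frequency + 2 times, which is why the
        # thread's frequency="3" rule fires on the fifth event in ossec-logtest.
        self.needed = frequency + 2
        self.window = timedelta(seconds=timeframe)
        self.matches = deque()

    def feed(self, ts):
        """Record one child-rule match; return True if the composite rule fires."""
        self.matches.append(ts)
        # Drop matches that have fallen out of the timeframe.
        while self.matches and ts - self.matches[0] > self.window:
            self.matches.popleft()
        if len(self.matches) >= self.needed:
            # Simplification: clear the window after firing so the alert is not
            # repeated on every following event.
            self.matches.clear()
            return True
        return False


def run_rules(lines, frequency=3, timeframe=180):
    """Replay log lines through the two rules; return [(line_index, rule_id), ...]."""
    composite = CompositeRule(frequency, timeframe)
    alerts = []
    for i, line in enumerate(lines):
        parsed = parse_winevt(line)
        if parsed is None:
            continue
        ts, event_id = parsed
        if not EVENT_ID_RE.match(event_id):
            continue
        alerts.append((i, CHILD_RULE_ID))
        if composite.feed(ts):
            alerts.append((i, COMPOSITE_RULE_ID))
    return alerts


def first_composite_alert(lines):
    """Index of the line on which the composite rule first fires, or None."""
    for i, rule_id in run_rules(lines):
        if rule_id == COMPOSITE_RULE_ID:
            return i
    return None


def make_line(ts, event_id, client="10.0.0.5:50000"):
    """Constructed sample line in the format quoted in the thread (fake host and client)."""
    return (f"{ts} WinEvtLog: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational: "
            f"INFORMATION({event_id}): Microsoft-Windows-RemoteDesktopServices-RdpCoreTS: "
            f"NETWORK SERVICE: NT AUTHORITY: server.domain: "
            f"The server accepted a new TCP connection from client {client}.")


# Five accepted connections ten seconds apart: well inside the 180 s timeframe.
BURST = [make_line(f"2019 Dec 20 11:29:{s:02d}", 131) for s in (0, 10, 20, 30, 40)]
# Five connections 200 s apart: each falls outside the window of the previous one.
SLOW = [make_line(ts, 131) for ts in ("2019 Dec 20 11:00:00", "2019 Dec 20 11:03:20",
                                      "2019 Dec 20 11:06:40", "2019 Dec 20 11:10:00",
                                      "2019 Dec 20 11:13:20")]
# Same channel, different event ID: the child rule never matches.
OTHER_ID = [make_line(f"2019 Dec 20 11:29:{s:02d}", 140) for s in (0, 10, 20, 30, 40)]

if __name__ == "__main__":
    for name, lines in (("burst", BURST), ("slow", SLOW), ("other id", OTHER_ID)):
        print(name, run_rules(lines))
```

The model reproduces the ossec-logtest result described in the thread (rule 100554 on every line, rule 100560 on the fifth line of the burst, nothing on the slowly spaced set). It cannot reproduce the live behaviour, because it models only the counting arithmetic and not the decoding or delivery of events from a live agent; that separation is the point of replaying the same lines through it.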
