Windows Agent and local_rules.xml


Simon Slaytor

Dec 2, 2010, 8:20:26 AM
to ossec...@ossec.net

Hi Folks,

First message to the list, apologies if this has been covered before but my Google fu is obviously weak as I cannot find the answer.

I have a central OSSEC server, currently v2.4.1 on Ubuntu, and a number of remote agents, all 2.4.1, and everything is working well.

I now want to suppress some rogue alerts generated by a couple of ‘Windows 2003 Servers/Agents’.

After Googling I understand that I need to:

Modify the ‘local agent’ copy of the local_rules.xml file, adding a new custom rule as follows:

<group name="local">
      <rule id="100101" level="0">
            <if_sid>18153</if_sid>
            <match>wmiprvse.exe</match>
            <description>Events ignored</description>
      </rule>
</group>

Ok so my first problem: there is no ‘Local_rules.xml’ file on the Windows agent. Undeterred, I have created one and placed it in the root of the ossec-agent folder; is this the correct thing to do?

I have then added the following to the ossec.conf configuration file on the agent, just before, i.e. within, the ‘default’ </ossec_config>, and restarted the agent.

  <rules>
    <include>local_rules.xml</include>
  </rules>

The agent runs ok, but I see no entry relating to local_rules.xml in the log file and the alerts are still being generated.

Any pointers as to what I’m doing wrong would be greatly appreciated.

Simon

 

 

Charles Profitt

Dec 2, 2010, 8:36:10 AM
to ossec...@googlegroups.com, ossec...@ossec.net
I have always added my rules on the ossec server.

Charles Profitt, Sr. Network Technician, Pittsford Central Schools
BrainBench Certified - (Master)Microsoft Security | (Master)Storage Area Networks Concepts | (Master)Microsoft Vista Desktop Administration | (Master)Macintosh OS X 10.4 Desktop Administration
----------------------------------------------------------------------
νόησις νοήσεως - nóesis noéseos

dan (ddp)

Dec 2, 2010, 12:12:33 PM
to ossec...@googlegroups.com

The agents do not have copies of the rules. The local_rules.xml you need to populate is on the manager. The log messages from the agents are sent to the manager, and the manager analyzes the log messages.

Simon Slaytor

Dec 3, 2010, 4:03:07 AM
to ossec...@googlegroups.com

Thanks Charles,

I’ve added the following to my central server local_rules.xml file, directly following the SSH from 1.1.1.1 example, and restarted OSSEC @ approx 14:11 today (2010/12/02 14:11:34 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...).

  <rule id="100002" level="0">
        <if_sid>18153</if_sid>
        <match>wmiprvse.exe</match>
        <description>Ignore Events</description>
  </rule>

I’ve just had the following alert through from the OSSEC server:

 

OSSEC HIDS Notification.

2010 Dec 02 16:06:39

 

Received From: (XX-XXX-XX) XX.XX.XX.100->WinEvtLog

Rule: 18153 fired (level 10) -> "Multiple Windows audit failure events."

Portion of the log(s):

 

WinEvtLog: Security: AUDIT_FAILURE(560): Security: NETWORK SERVICE: NT AUTHORITY: XX-XXX-XX: Object Open:                    Object Server: Security                 Object Type: File              Object Name: \Device\00000079              Handle ID: -                    Operation ID: {0,1xxx}                   Process ID: 6660               Image File Name: C:\WINDOWS\system32\wbem\wmiprvse.exe                 Primary User Name: NETWORK SERVICE               Primary Domain: NT AUTHORITY        Primary Logon ID: (0x0,0xxxx)                    Client User Name: NETWORK SERVICE                   Client Domain: NT AUTHORITY        Client Logon ID: (0x0,0x3E4)        Accesses: %%1538                                           %%1541                                               %%4416                                       %%4419                                               %%4423                                                               Privileges: -         Restricted Sid Count: 0        Access Mask: 0x120089

So adding this to the server file doesn’t appear to be working either.

dan (ddp)

Dec 3, 2010, 9:42:35 AM
to ossec...@googlegroups.com
Running it through ossec-logtest you get:

**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: Security: AUDIT_FAILURE(560): Security:


NETWORK SERVICE: NT AUTHORITY: XX-XXX-XX: Object Open:
Object Server: Security Object Type: File
Object Name: \Device\00000079 Handle ID: -
Operation ID: {0,1xxx} Process ID: 6660
Image File Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
Primary User Name: NETWORK SERVICE Primary
Domain: NT AUTHORITY Primary Logon ID: (0x0,0xxxx)
Client User Name: NETWORK SERVICE Client
Domain: NT AUTHORITY Client Logon ID: (0x0,0x3E4)
Accesses: %%1538 %%1541
%%4416
%%4419
%%4423
Privileges: - Restricted Sid Count: 0 Access Mask:

0x120089'
hostname: 'ix'
program_name: '(null)'
log: 'WinEvtLog: Security: AUDIT_FAILURE(560): Security:


NETWORK SERVICE: NT AUTHORITY: XX-XXX-XX: Object Open:
Object Server: Security Object Type: File
Object Name: \Device\00000079 Handle ID: -
Operation ID: {0,1xxx} Process ID: 6660
Image File Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
Primary User Name: NETWORK SERVICE Primary
Domain: NT AUTHORITY Primary Logon ID: (0x0,0xxxx)
Client User Name: NETWORK SERVICE Client
Domain: NT AUTHORITY Client Logon ID: (0x0,0x3E4)
Accesses: %%1538 %%1541
%%4416
%%4419
%%4423
Privileges: - Restricted Sid Count: 0 Access Mask:

0x120089'

**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_FAILURE'
id: '560'
extra_data: 'Security'
dstuser: 'NETWORK SERVICE'
system_name: 'XX-XXX-XX'

**Phase 3: Completed filtering (rules).
Rule id: '18105'
Level: '4'
Description: 'Windows audit failure event.'
**Alert to be generated.


Write a rule to ignore those events, and maybe the 18153's won't fire.
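A small model of the behaviour dan is pointing at, added here as an example that is not part of the thread or of OSSEC's own code: the ignore rule is made a level-0 child of 18105 (the rule ossec-logtest shows the single event matching), and a level-0 match drops the event before it is stored, so the "Multiple Windows audit failure events" rule 18153 has nothing to count. The wiring of 18153 as a counter of 18105 matches, the threshold of 14 with the time window left out, and the abbreviated sample log lines are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample events, abbreviated from the log line quoted in the thread.
WMI_EVENT = ("WinEvtLog: Security: AUDIT_FAILURE(560): Security: NETWORK SERVICE: "
             "NT AUTHORITY: XX-XXX-XX: Object Open: Image File Name: "
             "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe Access Mask: 0x120089")
OTHER_EVENT = "WinEvtLog: Security: AUDIT_FAILURE(560): Security: jdoe: CORP: HOST1: Object Open"

# Corrected local rule: a level-0 child of 18105, the rule the single event hits.
LOCAL_RULES = """<group name="local">
  <rule id="100002" level="0">
    <if_sid>18105</if_sid>
    <match>wmiprvse.exe</match>
    <description>Ignore wmiprvse.exe audit failures</description>
  </rule>
</group>"""

FREQ_THRESHOLD = 14  # assumed count at which 18153 fires; time window ignored

def load_ignore_rules(xml_text):
    """Map parent sid -> [(rule id, match string)] for every level-0 rule."""
    ignore = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        if rule.get("level") == "0":
            ignore.setdefault(rule.findtext("if_sid"), []).append(
                (rule.get("id"), rule.findtext("match")))
    return ignore

def analyse(events, local_xml):
    """Return (rule id, level) alerts. Model: each AUDIT_FAILURE line matches
    18105 (level 4); a matching level-0 child drops it unstored, so it never
    counts toward 18153 (level 10), which fires after FREQ_THRESHOLD events."""
    ignore = load_ignore_rules(local_xml)
    fired, counted = [], 0
    for line in events:
        if "AUDIT_FAILURE" not in line:
            continue
        if any(needle in line for _, needle in ignore.get("18105", [])):
            continue  # ignored by the level-0 rule, not added to the event list
        fired.append(("18105", 4))
        counted += 1
        if counted >= FREQ_THRESHOLD:
            fired.append(("18153", 10))
            counted = 0
    return fired

if __name__ == "__main__":
    stream = [WMI_EVENT] * 20 + [OTHER_EVENT] * 3
    print("no local rule:  ", analyse(stream, '<group name="local"/>')[-5:])
    print("with local rule:", analyse(stream, LOCAL_RULES))
```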
