Hey guys, I know this has been covered at least a dozen times on the
board, but I can't for the life of me figure this out. I'm hoping
someone can help. I am trying to suppress alerts from "Multiple
Windows audit failure events." Below I have posted the entire alert:
Rule: 18153 fired (level 10) -> "Multiple Windows audit failure events."
Portion of the log(s):
WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: ********.com: The Windows Filtering Platform has blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 172.22.128.3 Source Port: 2727 Destination Address: 255.255.255.255 Destination Port: 48002 Protocol: 17 Filter Information: Filter Run-Time ID: 65606 Layer Name: %%14597 Layer Run-Time ID: 13
I have written a rule, following instructions on the below URLs, to no avail.
http://groups.google.com/group/ossec-list/browse_thread/thread/810b25f9e51ecde9/d6d870cc177b6ac0?lnk=gst&q=rule+18153#d6d870cc177b6ac0
http://groups.google.com/group/ossec-list/browse_thread/thread/9c8f8f9d78c7fa48/6e1b23b8ed873cb6?lnk=gst&q=rule+18153#6e1b23b8ed873cb6
Here is the rule I have written in local_rules currently:
<rule id="100001" level="0">
  <if_sid>18105</if_sid>
  <match>^Microsoft Filtering Platform has dropped a packet</match>
  <description>Ignore WFP packet drops</description>
</rule>
I've tried changing the match tags to <regex>, using <srcip>, etc.,
per the instructions from the links above, only to wind up with the
same results.
Next, I ran the event through ossec-logtest. Here are the results from it:
WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: ******.com: The Windows Filtering Platform has blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information:
**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: ********.com: The Windows Filtering Platform has blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: '
hostname: 'ossec'
program_name: '(null)'
log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: ********.com: The Windows Filtering Platform has blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: '
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_FAILURE'
id: '5152'
extra_data: 'Microsoft-Windows-Security-Auditing'
dstuser: '(no user)'
system_name: '******'
**Rule debugging:
Trying rule: 6 - Generic template for all windows rules.
*Rule 6 matched.
*Trying child rules.
Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
Trying rule: 18100 - Group of windows rules.
*Rule 18100 matched.
*Trying child rules.
Trying rule: 18101 - Windows informational event.
Trying rule: 18102 - Windows warning event.
Trying rule: 18104 - Windows audit success event.
Trying rule: 18103 - Windows error event.
Trying rule: 18105 - Windows audit failure event.
*Rule 18105 matched.
*Trying child rules.
Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
Trying rule: 100001 - Ignore WFP packet drops
Trying rule: 18153 - Multiple Windows audit failure events.
Trying rule: 18106 - Windows Logon Failure.
Trying rule: 18139 - Windows DC Logon Failure.
Trying rule: 18180 - MS SQL Server Logon Failure.
Trying rule: 18108 - Failed attempt to perform a privileged operation.
**Phase 3: Completed filtering (rules).
Rule id: '18105'
Level: '4'
Description: 'Windows audit failure event.'
**Alert to be generated.
I'm hoping someone can point me in the right direction on this. Thanks in advance!
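Added worked example (not part of the original post, and not an official OSSEC rule): a local_rules.xml entry that does match the event shown above. The posted rule cannot fire for two reasons visible in the ossec-logtest output. First, the text it looks for ("Microsoft Filtering Platform has dropped a packet") is not in the log; the log says "The Windows Filtering Platform has blocked a packet". Second, in OSSEC a leading ^ in <match> anchors to the start of the log string, and the log string here starts with "WinEvtLog: Security:", so even the right text would not match with the anchor. The rule below keys on the decoded event ID (ossec-logtest shows id: '5152') and only then on the message text; the rule ID 100001 and the description are the poster's, everything else is an assumption for the example.

```xml
<!-- Added example for local_rules.xml (not from the original post).
     Event 5152 = "The Windows Filtering Platform has blocked a packet".
     Child of 18105 (Windows audit failure event), so it is evaluated
     before 18153, exactly where rule 100001 appears in the logtest output. -->
<group name="local,windows,">
  <rule id="100001" level="0">
    <if_sid>18105</if_sid>
    <!-- decoded "id" field from the windows decoder; ^ and $ anchor the whole value -->
    <id>^5152$</id>
    <!-- no leading ^: the log string begins with "WinEvtLog: Security: ..." -->
    <match>The Windows Filtering Platform has blocked a packet</match>
    <description>Ignore WFP packet drops</description>
  </rule>
</group>
```

To confirm it, paste the full WinEvtLog line (the one beginning "WinEvtLog: Security: AUDIT_FAILURE(5152):") into ossec-logtest again; Phase 3 should now report Rule id '100001' at Level '0' instead of 18105, with no "**Alert to be generated." Because 100001 becomes the matching rule for these events, they should also stop being counted by 18153, which builds its frequency from events matched by 18105. Caveat: this silences every 5152 event from that host, including blocked packets you might want to see; if you only want to drop the broadcast traffic in the sample, replace the <match> with a <regex> that also pins the destination, for example "Destination Address: 255\.255\.255\.255 Destination Port: 48002" (the \. escapes are OSSEC regex syntax for a literal dot), and re-run ossec-logtest to check that the narrower pattern still matches.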