Ignoring False Positives


Carl Hill

Dec 5, 2008, 3:54:11 PM
to ossec...@googlegroups.com
I have likely made a basic syntax error here, but hopefully someone can help me. On my test network I have a Windows machine which is generating a number of false positives, so I thought this would be an ideal time to try out the local_rules.xml modifications to reduce the noise. So far though, the alerts flow in regularly.

I tried creating the following rule to prevent sid 18153 from firing for the one IP in question.

<rule id="100100" level="0">
  <if_sid>18153</if_sid>
  <srcip>10.10.10.10</srcip>
  <description>Events ignored</description>
</rule>

I have tried replacing the srcip tags with match. The rule is nestled within the <group name="local,syslog,"></group><!--SYSLOG,LOCAL--> tags. I have made sure I have restarted ossec on the server after every change but the alerts flow in.
Any suggestions?

Thank you,
Carl


Daniel Cid

Dec 8, 2008, 9:58:12 AM
to ossec...@googlegroups.com
Hi Carl,

Your rule seems correct, but it will only fire if the source ip was decoded for that event. If it was not, you probably need to use <match> or <regex> for it to work. The best way to test your rule is by using the logtest program:

http://www.ossec.net/dcid/?p=136

If you can try it out and paste the output for us, we can help with the rule.


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


Carl Hill

Dec 8, 2008, 10:54:51 AM
to ossec...@googlegroups.com
Thank you Daniel,

I ran logtest and put in the first section of the output from 18153. This is what I got:

]# /var/ossec/bin/ossec-logtest
2008/12/08 10:36:43 ossec-testrule: INFO: Started (pid: 18843).
ossec-testrule: Type one log per line.

2008 Dec 08 08:21:49 (MBP) 10.10.10.10->WinEvtLog
Rule: 18153 (level 10) -> 'Multiple Windows audit failure events.'
Src IP: (none)
User: SYSTEM
WinEvtLog: Security: AUDIT_FAILURE(861): Security: SYSTEM: NT AUTHORITY: MBP: The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\Program Files\Syslogd\Syslogd_Service.exe Process identifier: 1988 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: TCP Port number: 3300 Allowed: No User notified: No

**Phase 1: Completed pre-decoding.
full event: '2008 Dec 08 08:21:49 (MBP) 10.10.10.10->WinEvtLog'
hostname: 'localhost'
program_name: '(null)'
log: '2008 Dec 08 08:21:49 (MBP) 10.10.10.10->WinEvtLog'

**Phase 2: Completed decoding.
No decoder matched.


**Phase 1: Completed pre-decoding.
full event: 'Rule: 18153 (level 10) -> 'Multiple Windows audit failure events.''
hostname: 'localhost'
program_name: '(null)'
log: 'Rule: 18153 (level 10) -> 'Multiple Windows audit failure events.''

**Phase 2: Completed decoding.
No decoder matched.

**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


**Phase 1: Completed pre-decoding.
full event: 'Src IP: (none)'
hostname: 'localhost'
program_name: '(null)'
log: 'Src IP: (none)'

**Phase 2: Completed decoding.
No decoder matched.


**Phase 1: Completed pre-decoding.
full event: 'User: SYSTEM'
hostname: 'localhost'
program_name: '(null)'
log: 'User: SYSTEM'

**Phase 2: Completed decoding.
No decoder matched.


The full output from rule 18153 as found in the alerts log for this event is:

** Alert 1228742509.3057985: mail - windows,
2008 Dec 08 08:21:49 (MBP) 10.10.10.10->WinEvtLog
Rule: 18153 (level 10) -> 'Multiple Windows audit failure events.'
Src IP: (none)
User: SYSTEM
WinEvtLog: Security: AUDIT_FAILURE(861): Security: SYSTEM: NT AUTHORITY: MBP: The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\Program Files\Syslogd\Syslogd_Service.exe Process identifier: 1988 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: TCP Port number: 3300 Allowed: No User notified: No
WinEvtLog: Security: AUDIT_FAILURE(861): Security: SYSTEM: NT AUTHORITY: MBP: The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\Program Files\IBM\Director\cimom\bin\cimlistener.exe Process identifier: 1652 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: TCP Port number: 6988 Allowed: No User notified: No
WinEvtLog: Security: AUDIT_FAILURE(861): Security: SYSTEM: NT AUTHORITY: MBP: The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\WINDOWS\system32\svchost.exe Process identifier: 1528 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: UDP Port number: 123 Allowed: No User notified: No
WinEvtLog: Security: AUDIT_FAILURE(861): Security: SYSTEM: NT AUTHORITY: MBP: The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\Program Files\IBM\Director\cimom\bin\wmicimserver.exe Process identifier: 2500 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: TCP Port number: 5989 Allowed: No User notified: No
WinEvtLog: Security: AUDIT_FAILURE(861): Security: SYSTEM: NT AUTHORITY: MBP: The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\Program Files\Snare\SnareCore.exe Process identifier: 1340 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: UDP Port number: 1037 Allowed: No User notified: No
WinEvtLog: Security: AUDIT_FAILURE(861): Security: SYSTEM: NT AUTHORITY: MBP: The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\Program Files\Snare\SnareCore.exe Process identifier: 1340 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: TCP Port number: 6161 Allowed: No User notified: No
WinEvtLog: Security: AUDIT_FAILURE(861): Security: SYSTEM: NT AUTHORITY: MBP: The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\WINDOWS\system32\lsass.exe Process identifier: 1104 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: UDP Port number: 4500 Allowed: No User notified: No

Thank you for your help with this!

Carl Hill

Dec 8, 2008, 11:01:46 AM
to ossec...@googlegroups.com
I am trying it out with <regex></regex> tags for the IP.

McClinton, Rick

Jan 6, 2009, 4:15:47 PM
to ossec...@googlegroups.com
Hi Carl, <srcip> is for the "attacker". You should try <hostname> instead. Regex may only match on the part that is decoded as the WinEvtLog in your logtest.

Note that in the Logtest output below, you're getting 'hostname: localhost' because of the way you're playing a windows log entry into the unix server. When the entries are sent by the windows agent, hostname will be the name given to the agent as seen in list_agents -a.

HTH
Rick


Thank you Daniel,

Carl

This message contains TMA Resources confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.
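Putting Daniel's point (srcip is only usable when a decoder actually extracted it, otherwise match on text) and Rick's point (scope by agent hostname) together, here is a local_rules.xml fragment that suppresses this noise without silencing every audit failure on the host. This is an added example, not a rule from the thread or from the OSSEC project; it assumes the agent is registered under the name MBP (the name shown in the alert header above), reuses Carl's local rule id 100100, and takes the match string from the Windows Firewall event text in the logtest output.

```xml
<!-- Added example (not from the thread or OSSEC): child rule of 18153 that
     drops the "application listening" firewall audit failures for one agent.
     Assumptions: agent name MBP, rule id 100100 free in local_rules.xml. -->
<group name="local,syslog,">
  <!-- <if_sid> makes this a child of 18153, so it is only evaluated after
       18153 matched; level="0" then suppresses the alert entirely.
       <hostname> is the agent name OSSEC attached to the event (the "(MBP)"
       field in the alert header), which is why it works where <srcip> did
       not: the alert shows "Src IP: (none)", so no decoder ever produced a
       source address for this event and <srcip> can never match.
       <match> is a plain substring test against the event body; it keeps
       the override narrow so genuine logon or privilege audit failures from
       MBP still raise 18153. Remove the <match> line to get Rick's broader
       host-wide suppression instead. -->
  <rule id="100100" level="0">
    <if_sid>18153</if_sid>
    <hostname>MBP</hostname>
    <match>Windows Firewall has detected an application listening</match>
    <description>Windows Firewall listener audit failures from MBP ignored.</description>
  </rule>
</group>
```

Two caveats when verifying this with ossec-logtest: feed it the raw line as the agent sent it (the line beginning "WinEvtLog: Security: AUDIT_FAILURE(861): ..."), not the multi-line alert block, since each pasted line is treated as a separate event and the "Rule:" and "Src IP:" lines only trigger rule 1002; and, as Rick notes, logtest reports hostname 'localhost', so the <match> part can be confirmed there but the <hostname> condition only takes effect on events arriving from the real agent.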
