List:       ossec-list
Subject:    [ossec-list] msauth-rules.xml
From:       shadejinx <shadejinx () gmail ! com>
Date:       2008-10-24 18:29:59
Message-ID: 9c57797e-d45b-4ee2-8a4b-8abd7f0c3dcf () u46g2000hsc ! googlegroups ! com


In the most current msauth-rules.xml, eventid 680 is disabled, stating
that it is a duplicate.  Unfortunately that is not the case.  A failed
680 event is how a Windows 2003 Server AD controller denotes a failed
NTLM login.  A failed 672 is how it denotes failed Kerberos
connections.

These attempts will be most notable when a non-windows device attempts
authentication using NTLM.

As such, the default ruleset was missing many authentication failures
in my environment.  I wrote the following local-rules.xml to cover
this gap.  I also had to comment out rule 18121.

<group name="local,">
  <rule id="100000" level="0">
        <description>User created rules</description>
  </rule>

  <!-- Parent rule: a 680 that reached 18105 (Windows authentication failure)
       is a failed NTLM logon on the domain controller. -->
  <rule id="100006" level="5">
        <if_sid>18105</if_sid>
        <id>^680</id>
        <description>Windows NTLM Logon Failure.</description>
        <group>win_authentication_failed,</group>
  </rule>

  <!-- Child rules: refine the failure by the NTSTATUS code in the 680 message text. -->
  <rule id="100007" level="7">
        <if_sid>100006</if_sid>
        <match>Error Code: 0xC0000064</match>
        <description>Windows NTLM Logon Failure - Bad Username</description>
        <group>win_authentication_failed,</group>
  </rule>

  <rule id="100008" level="5">
        <if_sid>100006</if_sid>
        <match>Error Code: 0xC000006A</match>
        <description>Windows NTLM Logon Failure - Bad Password</description>
        <group>win_authentication_failed,</group>
  </rule>

  <rule id="100009" level="7">
        <if_sid>100006</if_sid>
        <match>Error Code: 0xC0000234</match>
        <description>Windows NTLM Logon Failure - Account Locked Out</description>
        <group>win_authentication_failed,</group>
  </rule>

  <rule id="100010" level="7">
        <if_sid>100006</if_sid>
        <match>Error Code: 0xC0000072</match>
        <description>Windows NTLM Logon Failure - Account Disabled</description>
        <group>win_authentication_failed,</group>
  </rule>

  <rule id="100011" level="5">
        <if_sid>100006</if_sid>
        <match>Error Code: 0xC000006F</match>
        <description>Windows NTLM Logon Failure - Account Time Restriction</description>
        <group>win_authentication_failed,</group>
  </rule>

  <rule id="100012" level="5">
        <if_sid>100006</if_sid>
        <match>Error Code: 0xC0000070</match>
        <description>Windows NTLM Logon Failure - Account Workstation Restriction</description>
        <group>win_authentication_failed,</group>
  </rule>

  <rule id="100013" level="5">
        <if_sid>100006</if_sid>
        <match>Error Code: 0xC0000193</match>
        <description>Windows NTLM Logon Failure - Account Expired</description>
        <group>win_authentication_failed,</group>
  </rule>

  <rule id="100014" level="5">
        <if_sid>100006</if_sid>
        <match>Error Code: 0xC0000074</match>
        <description>Windows NTLM Logon Failure - Password Expired</description>
        <group>win_authentication_failed,</group>
  </rule>

  <rule id="100015" level="5">
        <if_sid>100006</if_sid>
        <match>Error Code: 0xC0000224</match>
        <description>Windows NTLM Logon Failure - User Required To Change Password</description>
        <group>win_authentication_failed,</group>
  </rule>

</group>
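The rule chain in the post (stock 18105, then 100006 on event ID 680, then a child rule per NTSTATUS error code) can be checked against sample events without a running OSSEC server. The following is an added example, not code from the post or from the OSSEC project: it emulates that chain in Python over constructed log lines and counts NTLM failures per source workstation, which is where the non-Windows devices the post mentions stand out. It assumes the OSSEC agent's Windows event layout ("WinEvtLog: <log>: <AUDIT_TYPE>(<event id>): <source>: <user>: <domain>: <host>: <message>") and assumes that the stock parent rule 18105 only fires on AUDIT_FAILURE events, so the emulated 100006 inherits that filter; the 680 and 672 message texts below are constructed for the example.

```python
"""Emulate the local-rules.xml chain 18105 -> 100006 -> 1000xx over constructed
OSSEC-formatted Windows 2003 DC events. Example code, not OSSEC's rule engine."""
import re
from collections import Counter

# Assumed OSSEC agent layout for Windows event log lines (see lead-in).
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>AUDIT_\w+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"(?P<msg>.*)$"
)
ERROR_CODE_RE = re.compile(r"Error Code: (0x[0-9A-Fa-f]+)")
WORKSTATION_RE = re.compile(r"Source Workstation: (\S+)")

# Child rules from local-rules.xml, keyed by the NTSTATUS code their <match> looks for.
NTLM_FAILURE_RULES = {
    "0xC0000064": (100007, 7, "Bad Username"),
    "0xC000006A": (100008, 5, "Bad Password"),
    "0xC0000234": (100009, 7, "Account Locked Out"),
    "0xC0000072": (100010, 7, "Account Disabled"),
    "0xC000006F": (100011, 5, "Account Time Restriction"),
    "0xC0000070": (100012, 5, "Account Workstation Restriction"),
    "0xC0000193": (100013, 5, "Account Expired"),
    "0xC0000074": (100014, 5, "Password Expired"),
    "0xC0000224": (100015, 5, "User Required To Change Password"),
}
PARENT_RULE = (100006, 5, "Windows NTLM Logon Failure.")

# Constructed sample events: two NTLM failures from a NAS, one NTLM success,
# one Kerberos (672) failure, and a 680 with a code no child rule covers.
SAMPLE_LINES = [
    "WinEvtLog: Security: AUDIT_FAILURE(680): Security: SYSTEM: NT AUTHORITY: DC01: "
    "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account: jdoe  "
    "Source Workstation: NAS01  Error Code: 0xC000006A",
    "WinEvtLog: Security: AUDIT_FAILURE(680): Security: SYSTEM: NT AUTHORITY: DC01: "
    "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account: nosuchuser  "
    "Source Workstation: NAS01  Error Code: 0xC0000064",
    "WinEvtLog: Security: AUDIT_SUCCESS(680): Security: SYSTEM: NT AUTHORITY: DC01: "
    "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account: jdoe  "
    "Source Workstation: NAS01  Error Code: 0x0",
    "WinEvtLog: Security: AUDIT_FAILURE(672): Security: SYSTEM: NT AUTHORITY: DC01: "
    "Authentication Ticket Request: User Name: jdoe  Supplied Realm Name: CORP  "
    "Result Code: 0x18",
    "WinEvtLog: Security: AUDIT_FAILURE(680): Security: SYSTEM: NT AUTHORITY: DC01: "
    "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account: svc_print  "
    "Source Workstation: PRINTER1  Error Code: 0xC000015B",
]


def parse_winevt(line):
    """Split one agent line into its fixed fields; None if it is not a WinEvtLog line."""
    m = WINEVT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["id"] = int(ev["id"])
    return ev


def classify(line):
    """Return (rule_id, level, description) the chain would fire, or None.
    Stage 1 (assumed 18105 behaviour): only AUDIT_FAILURE events continue.
    Stage 2 (100006): event ID must be 680; 672 and others stay with stock rules.
    Stage 3 (100007..100015): the NTSTATUS code picks the child rule, if any."""
    ev = parse_winevt(line)
    if ev is None or ev["status"] != "AUDIT_FAILURE":
        return None
    if ev["id"] != 680:
        return None
    m = ERROR_CODE_RE.search(ev["msg"])
    if m and m.group(1) in NTLM_FAILURE_RULES:
        rule_id, level, cause = NTLM_FAILURE_RULES[m.group(1)]
        return (rule_id, level, "Windows NTLM Logon Failure - " + cause)
    return PARENT_RULE  # unknown code: the parent rule still alerts at level 5


def ntlm_failures_by_workstation(lines):
    """Count NTLM failures per Source Workstation to surface noisy non-Windows hosts."""
    counts = Counter()
    for line in lines:
        if classify(line) is None:
            continue
        m = WORKSTATION_RE.search(parse_winevt(line)["msg"])
        counts[m.group(1) if m else "unknown"] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
    print(ntlm_failures_by_workstation(SAMPLE_LINES))
```

The success line and the 672 line fall out at the first two stages, which is the behaviour the post relies on: 680 failures are a distinct NTLM signal, not a duplicate of the Kerberos failure, so silencing them drops real events.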

