List: ossec-list
Subject: [ossec-list] msauth-rules.xml
From: shadejinx <shadejinx () gmail ! com>
Date: 2008-10-24 18:29:59
Message-ID: 9c57797e-d45b-4ee2-8a4b-8abd7f0c3dcf () u46g2000hsc ! googlegroups ! com
In the most current msauth-rules.xml, eventid 680 is disabled, stating
that it is a duplicate. Unfortunately that is not the case. A failed
680 event is how a Windows 2003 Server AD controller denotes a failed
NTLM login. A failed 672 is how it denotes failed Kerberos
connections.
These attempts will be most notable when a non-Windows device attempts
authentication using NTLM.
As such, the default ruleset was missing many authentication failures
in my environment. I wrote the following local-rules.xml to cover
this gap. I also had to comment out rule 18121.
<group name="local,">
  <rule id="100000" level="0">
    <description>User created rules</description>
  </rule>

  <!-- Parent rule: chains off 18105 (Windows audit failure) and keys on event id 680 -->
  <rule id="100006" level="5">
    <if_sid>18105</if_sid>
    <id>^680</id>
    <description>Windows NTLM Logon Failure.</description>
    <group>win_authentication_failed,</group>
  </rule>

  <!-- Child rules: refine 100006 by the NTSTATUS error code in the message -->
  <rule id="100007" level="7">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000064</match>
    <description>Windows NTLM Logon Failure - Bad Username</description>
    <group>win_authentication_failed,</group>
  </rule>

  <rule id="100008" level="5">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC000006A</match>
    <description>Windows NTLM Logon Failure - Bad Password</description>
    <group>win_authentication_failed,</group>
  </rule>

  <rule id="100009" level="7">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000234</match>
    <description>Windows NTLM Logon Failure - Account Locked Out</description>
    <group>win_authentication_failed,</group>
  </rule>

  <rule id="100010" level="7">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000072</match>
    <description>Windows NTLM Logon Failure - Account Disabled</description>
    <group>win_authentication_failed,</group>
  </rule>

  <rule id="100011" level="5">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC000006F</match>
    <description>Windows NTLM Logon Failure - Account Time Restriction</description>
    <group>win_authentication_failed,</group>
  </rule>

  <rule id="100012" level="5">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000070</match>
    <description>Windows NTLM Logon Failure - Account Workstation Restriction</description>
    <group>win_authentication_failed,</group>
  </rule>

  <rule id="100013" level="5">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000193</match>
    <description>Windows NTLM Logon Failure - Account Expired</description>
    <group>win_authentication_failed,</group>
  </rule>

  <rule id="100014" level="5">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000074</match>
    <description>Windows NTLM Logon Failure - Password Expired</description>
    <group>win_authentication_failed,</group>
  </rule>

  <rule id="100015" level="5">
    <if_sid>100006</if_sid>
    <match>Error Code: 0xC0000224</match>
    <description>Windows NTLM Logon Failure - User Required To Change Password</description>
    <group>win_authentication_failed,</group>
  </rule>
</group>
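As an added illustration (not from the post above or from the OSSEC project), the following Python script loads a compacted copy of the poster's rules (descriptions shortened, group tags omitted) and walks the if_sid chain the way OSSEC's analysis engine does, so you can check which rule and level a given 680 message would fire before deploying the rules. It assumes the stock parent rule 18105 already matched (that rule is not loaded), treats `<match>` as a plain substring and `<id>` as a regex, and uses a constructed sample message.

```python
import re
import xml.etree.ElementTree as ET

# Compacted copy of the poster's local-rules.xml (descriptions abbreviated,
# <group> tags dropped); 18105 is OSSEC's stock Windows audit-failure rule.
LOCAL_RULES = """<group name="local,">
<rule id="100006" level="5"><if_sid>18105</if_sid><id>^680</id><description>Windows NTLM Logon Failure.</description></rule>
<rule id="100007" level="7"><if_sid>100006</if_sid><match>Error Code: 0xC0000064</match><description>Bad Username</description></rule>
<rule id="100008" level="5"><if_sid>100006</if_sid><match>Error Code: 0xC000006A</match><description>Bad Password</description></rule>
<rule id="100009" level="7"><if_sid>100006</if_sid><match>Error Code: 0xC0000234</match><description>Account Locked Out</description></rule>
<rule id="100010" level="7"><if_sid>100006</if_sid><match>Error Code: 0xC0000072</match><description>Account Disabled</description></rule>
<rule id="100011" level="5"><if_sid>100006</if_sid><match>Error Code: 0xC000006F</match><description>Account Time Restriction</description></rule>
<rule id="100012" level="5"><if_sid>100006</if_sid><match>Error Code: 0xC0000070</match><description>Account Workstation Restriction</description></rule>
<rule id="100013" level="5"><if_sid>100006</if_sid><match>Error Code: 0xC0000193</match><description>Account Expired</description></rule>
<rule id="100014" level="5"><if_sid>100006</if_sid><match>Error Code: 0xC0000074</match><description>Password Expired</description></rule>
<rule id="100015" level="5"><if_sid>100006</if_sid><match>Error Code: 0xC0000224</match><description>User Required To Change Password</description></rule>
</group>"""

def load_rules(xml_text):
    """Parse <rule> elements into {id: fields}; <if_sid> becomes the parent link."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rules[r.get("id")] = {
            "level": int(r.get("level")),
            "parent": (r.findtext("if_sid") or "").strip() or None,
            "id_re": r.findtext("id"),        # regex against the decoded event id
            "match": r.findtext("match"),     # plain substring against the message
            "desc": r.findtext("description"),
        }
    return rules

def evaluate(rules, event_id, message, parent="18105"):
    """Descend the if_sid tree: a child is only tried once its parent matched.
    Returns (rule_id, level, description) of the most specific match, or None."""
    for rid, r in rules.items():
        if r["parent"] != parent:
            continue
        if r["id_re"] and not re.search(r["id_re"], event_id):
            continue
        if r["match"] and r["match"] not in message:
            continue
        return evaluate(rules, event_id, message, parent=rid) or (rid, r["level"], r["desc"])
    return None

# Constructed sample body of a failed 680 (NTLM) audit event from a NAS device
SAMPLE = ("Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: svc-backup "
          "Source Workstation: NAS01 Error Code: 0xC0000234")

if __name__ == "__main__":
    print(evaluate(load_rules(LOCAL_RULES), "680", SAMPLE))
```

An unrecognised error code falls back to the parent 100006 at level 5, and a 672 (Kerberos) event never enters this chain at all.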