[prev in list] [next in list] [prev in thread] [next in thread]
List: ossec-list
Subject: Re: [ossec-list] Re: Attack_rules ex: 40501 in large deployments
From: "dan (ddp)" <ddpbsd () gmail ! com>
Date: 2016-03-23 16:32:29
Message-ID: CAMyQvMrWyvoMpSmx0wsn9_D5T6oujkABTrp2oiRMh=S_3ex-MA () mail ! gmail ! com
[Download RAW message or body]
On Wed, Mar 23, 2016 at 12:23 PM, Dustin Lenz <dustin@netjitsu.net> wrote:
> Resurrecting this one from the dead. This rule is a problem for me. I am
> seeing many false positives (FP). Here is one such example:
>
> > > Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root
> > > 192.168.1.50 (192.168.1.50) 52209
> > >
> > > Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root
> > > 192.168.1.50 (192.168.1.50) 52209
> > >
> > > 2016 Mar 17 09:49:15 WinEvtLog: Security: AUDIT_SUCCESS(4722):
> > > Microsoft-Windows-Security-Auditing: (no user): no domain:
> > > WINDOWSHOST.domain-internal.com.internal: A user account was enabled.
> > > Subject: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX
> > > Account Name: username Account Domain: DOMAIN-INTERNAL Logon ID: 0x2xxXXXX
> > > Target Account: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX
> > > Account Name: VM01XXXX-XXXXXX$ Account Domain: DOMAIN-INTERNAL
>
>
> As you can see this is an obvious FP.
>
> Can someone weigh in here on how we can remediate these issues? Some days
> we see 100+ FP's.
>
Disable the rule?
I think you could set it to only alert if the logs have the same srcip
(not positive though).
> Thanks in advance,
>
> Dustin
>
> On Wednesday, November 16, 2011 at 9:52:38 AM UTC-8, Franky4fngrs wrote:
> >
> > Hello,
> >
> > I have an ossec deployment with a little over 700 agents
> > communicating. The issue I am having is that rules such as 40501
> > report a large number of false positives. There are a large number
> > of brute force attacks across the environment at any given time.
> > Whenever a legitimate user logs in the alert is triggered. I have not
> > seen an obvious (to me) way to modify the rules, or groups to address
> > this issue. Has anyone tackled this issue before?
> >
> > Thanks
> >
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups \
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it, \
send an email to ossec-list+unsubscribe@googlegroups.com. For more options, visit \
https://groups.google.com/d/optout.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic