[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ossec-list
Subject:    Re: [ossec-list] Re: Attack_rules ex: 40501 in large deployments
From:       "dan (ddp)" <ddpbsd () gmail ! com>
Date:       2016-03-23 16:32:29
Message-ID: CAMyQvMrWyvoMpSmx0wsn9_D5T6oujkABTrp2oiRMh=S_3ex-MA () mail ! gmail ! com
[Download RAW message or body]

On Wed, Mar 23, 2016 at 12:23 PM, Dustin Lenz <dustin@netjitsu.net> wrote:
> Resurrecting this one from the dead.  This rule is a problem for me. I am
> seeing many false positives (FP).  Here is one such example:
> 
> > > Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root
> > > 192.168.1.50 (192.168.1.50) 52209
> > > 
> > > Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root
> > > 192.168.1.50 (192.168.1.50) 52209
> > > 
> > > 2016 Mar 17 09:49:15 WinEvtLog: Security: AUDIT_SUCCESS(4722):
> > > Microsoft-Windows-Security-Auditing: (no user): no domain:
> > > WINDOWSHOST.domain-internal.com.internal: A user account was enabled.
> > > Subject: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX
> > > Account Name: username Account Domain: DOMAIN-INTERNAL Logon ID: 0x2xxXXXX
> > > Target Account: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX
> > > Account Name: VM01XXXX-XXXXXX$ Account Domain: DOMAIN-INTERNAL
> 
> 
> As you can see this is an obvious FP.
> 
> Can someone weigh in here on how we can remediate these issues?  Some days
> we see 100+ FP's.
> 

Disable the rule?
I think you could set it to only alert if the logs have the same srcip
(not positive though).

> Thanks in advance,
> 
> Dustin
> 
> On Wednesday, November 16, 2011 at 9:52:38 AM UTC-8, Franky4fngrs wrote:
> > 
> > Hello,
> > 
> > I have an ossec deployment with a little over 700 agents
> > communicating.  The issue I am having is that rules such as 40501
> > report a large number of false positives.   There are a large number
> > of brute force attacks across the environment at any given time.
> > Whenever a legitimate user logs in the alert is triggered.  I have not
> > seen an obvious (to me) way to modify the rules, or groups to address
> > this issue. Has anyone tackled this issue before?
> > 
> > Thanks
> > 
> --
> 
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups \
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it, \
send an email to ossec-list+unsubscribe@googlegroups.com. For more options, visit \
https://groups.google.com/d/optout.


[prev in list] [next in list] [prev in thread] [next in thread]