X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=etc%2Frules%2Fmsauth_rules.xml;h=eda0490462ecfd4822e2cca218435486c0c0e25f;hb=c41c816a22f0e06f1c2b0a91563f3d9a3bcdb82a;hp=a82246519e876654c3e996c8c8f8e415186b5e9b;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git
diff --git a/etc/rules/msauth_rules.xml b/etc/rules/msauth_rules.xml
index a822465..eda0490 100755
--- a/etc/rules/msauth_rules.xml
+++ b/etc/rules/msauth_rules.xml
@@ -1,4 +1,5 @@
-
+ ^65xxx
Group account added/changed/deleted.
+ This rule has been deprecated
account_changed,
18103
- ^13570
+ ^13570$
Windows file system full.
low_diskspace,
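Review bot: the new `^65xxx` pattern at the top of the hunk deprecates the "Group account added/changed/deleted" rule by giving it an ID regex that can never match a numeric event ID (the `x` characters are literal), which is fragile and easy to mistake for a typo; prefer removing the rule, or disabling it explicitly (a level 0 / noalert rule) with a comment naming the rules that replace it (the per-group rules added later in this patch). The `^13570$` anchoring is correct and consistent with the rest of the patch.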
@@ -196,93 +202,93 @@
18106
- ^529
+ ^529$
Logon Failure - Unknown user or bad password.
- http://www.ultimatewindowssecurity.com/events/com190.html
+ http://www.ultimatewindowssecurity.com/events/com190.html
win_authentication_failed,
18106
- ^530
+ ^530$
Logon Failure - Account logon time restriction
violation.
- http://www.ultimatewindowssecurity.com/events/com191.html
+ http://www.ultimatewindowssecurity.com/events/com191.html
win_authentication_failed,login_denied,
18106
- ^531
+ ^531$
Logon Failure - Account currently disabled.
- http://www.ultimatewindowssecurity.com/events/com192.html
+ http://www.ultimatewindowssecurity.com/events/com192.html
win_authentication_failed,login_denied,
18106
- ^532
+ ^532$
Logon Failure - Specified account expired.
- http://www.ultimatewindowssecurity.com/events/com193.html
+ http://www.ultimatewindowssecurity.com/events/com193.html
win_authentication_failed,login_denied,
18106
- ^533
+ ^533$
Logon Failure - User not allowed to login at
this computer.
- http://www.ultimatewindowssecurity.com/events/com194.html
+ http://www.ultimatewindowssecurity.com/events/com194.html
win_authentication_failed,login_denied,
18106
- ^534
+ ^534$
Logon Failure - User not granted logon type.
- http://www.ultimatewindowssecurity.com/events/com195.html
+ http://www.ultimatewindowssecurity.com/events/com195.html
win_authentication_failed,
18106
- ^535
+ ^535$
Logon Failure - Account's password expired.
- http://www.ultimatewindowssecurity.com/events/com196.html
+ http://www.ultimatewindowssecurity.com/events/com196.html
win_authentication_failed,
18106
- ^536|^537
+ ^536$|^537$
Logon Failure - Internal error.
win_authentication_failed,
18106
- ^539
+ ^539$
Logon Failure - Account locked out.
win_authentication_failed,
18105
- ^672|^673|^675|^676|^681|^4769
+ ^672$|^673$|^675$|^676$|^681$|^4769$
Windows DC Logon Failure.
win_authentication_failed,
-
+
18104
- ^520
+ ^520$
System time changed.
time_changed,
18102
- ^1076
+ ^1076$
unexpected shutdown
system_error, system_shutdown,
Unexpected Windows shutdown.
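Review bot: adding `$` to every ID pattern (`^529$`, `^536$|^537$`, `^672$|...|^4769$`) correctly stops prefix matches such as `^529` from also firing on longer IDs that share the prefix; it is worth confirming that each of these patterns is evaluated against the extracted event ID alone and not the full message, since `$` would silently break any that is not. Separately, the `-`/`+` pairs for the ultimatewindowssecurity.com URLs and the blank line after `Windows DC Logon Failure.` differ only in whitespace, which adds review noise; consider dropping the whitespace-only changes or committing them separately.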
@@ -290,22 +296,22 @@
18104
- ^671|^4767
+ ^671$|^4767$
User account unlocked.
- http://www.ultimatewindowssecurity.com/events/com291.html
+ http://www.ultimatewindowssecurity.com/events/com291.html
account_changed,
18114
- ^631|^635|^658
+ ^631$|^635$|^658$
Security enabled group created.
adduser,account_changed,
18114
- ^634|^638|^662
+ ^634$|^638$|^662$
Security enabled group deleted.
adduser,account_changed,
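Review bot: the 18114 rule for `^634$|^638$|^662$` ("Security enabled group deleted") keeps the `adduser,account_changed` group list, so a group deletion is tagged as an add-user event; it should carry a deletion group (the later hunk introduces `group_deleted,win_group_deleted,` for exactly these IDs). Both the 631/635/658 and 634/638/662 rules here also overlap the per-group rules added later in this patch for the same event IDs; state in the description or a comment which rule is expected to win, or make this pair the generic fallback.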
@@ -313,45 +319,501 @@
18101
- ^7040
+ ^7040$
policy_changed,
Service startup type was changed.
- This does not appear to be logged on Windows 2000.
+ This does not appear to be logged on Windows 2000.
18101
- ^11724
+ ^11724$
alert_by_email
Application Uninstalled.
18101
- ^11707
+ ^11707$
alert_by_email
Application Installed.
18104
- ^4608
+ ^4608$
Windows is starting up.
18104
- ^538|^4634|^4647
+ ^538$|^4634$|^4647$
Windows User Logoff.
+
+
+
+ 18104
+ ^631$|^4727$|^635$|^4731$|^658$|^4754$|^648$|^4744$|^653$|^4749$|
+ ^663$|^4759$
+ Group Account Created
+ group_created,win_group_created,
+
+
+
+ 18104
+ ^634$|^4730$|^638$|^4734$|^662$|^4758$|^652$|^4748$|^657$|^4753$|
+ ^667$|^4763$
+ Group Account Deleted
+ group_deleted,win_group_deleted,
+
+
+
+ 18200
+ ^631$|^4727$
+ Security Enabled Global Group Created
+ group_created,win_group_created,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=631
+
+
+
+ 18114
+ ^632$|^4728$
+ Security Enabled Global Group Member Added
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632
+
+
+
+ 18114
+ ^633$|^4729$
+ Security Enabled Global Group Member Removed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=633
+
+
+
+ 18201
+ ^634$|^4730$
+ Security Enabled Global Group Deleted
+ group_deleted,win_group_deleted,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=634
+
+
+
+ 18200
+ ^635$|^4731$
+ Security Enabled Local Group Created
+ group_created,win_group_created,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=635
+
+
+
+ 18114
+ ^636$|^4732$
+ Security Enabled Local Group Member Added
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=636
+
+
+
+ 18114
+ ^637$|^4733$
+ Security Enabled Local Group Member Removed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=637
+
+
+
+ 18201
+ ^638$|^4734$
+ Security Enabled Local Group Deleted
+ group_deleted,win_group_deleted,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=638
+
+
+
+ 18114
+ ^639$|^4735$
+ Security Enabled Local Group Changed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=639
+
+
+
+ 18114
+ ^641$|^4737$
+ Security Enabled Global Group Changed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=641
+
+
+
+ 18200
+ ^658$|^4754$
+ Security Enabled Universal Group Created
+ group_created,win_group_created,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=658
+
+
+
+ 18114
+ ^659$|^4755$
+ Security Enabled Universal Group Changed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=659
+
+
+
+ 18114
+ ^660$|^4756$
+ Security Enabled Universal Group Member Added
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=660
+
+
+
+ 18114
+ ^661$|^4757$
+ Security Enabled Universal Group Member Removed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=661
+
+
+
+ 18201
+ ^662$|^4758$
+ Security Enabled Universal Group Deleted
+ group_deleted,win_group_deleted,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=662
+
+
+
+ 18207,18208
+ ID:\s+\p*S-1-5-32-544
+ Administrators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-1-0}
+ Everyone Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-9}
+ Enterprise Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-11}
+ Authenticated Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-13}
+ Terminal Server Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-512}
+ Domain Admins Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-513}
+ Domain Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18223,18203
+ Target Account Name: None
+ Local User Group NONE
+ Bogus group user added to upon creation
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-514}
+ Domain Guests Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-515}
+ Domain Computers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-516}
+ Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-21\S+-517}
+ Cert Publishers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\.+-518}
+ Schema Admins Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-519}
+ Enterprise Admins Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-520}
+ Group Policy Creator Owners Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ \w* ID:\s+%{S-1-5-21\S+-553}
+ RAS and IAS Servers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-545}
+ Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-546}
+ Guests Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-547}
+ Power Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-548}
+ Account Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-549}
+ Server Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ \w* ID:\s+%{S-1-5-32-550}
+ Print Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-551}
+ Backup Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-552}
+ Replicators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-554}
+ Pre-Windows 2000 Compatible Access Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-555}
+ Remote Desktop Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-556}
+ Network Configuration Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-557}
+ Incoming Forest Trust Builders Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-558}
+ Performance Monitor Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-559}
+ Performance Log Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-560}
+ Windows Authorization Access Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-561}
+ Terminal Server License Servers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-562}
+ Distributed COM Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-498}
+ Enterprise Read-only Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-529}
+ Read-only Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-569}
+ Cryptographic Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-571}
+ Allowed RODC Password Replication Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-572}
+ Denied RODC Password Replication Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-573}
+ Event Log Readers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-574}
+ Certificate Service DCOM Access Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
18107,18149
- ^528|^538|^540
+ ^528$|^538$|^540$
^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON
Windows Logon Success (ignored).
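Review bot: the SID patterns in the new per-group rules are inconsistent and several look like typos: `ID:\s+\p*S-1-5-32-544` (Administrators) uses `\p*` and no `%{...}` wrapper while every other built-in group uses `ID:\s+%{S-1-5-32-NNN}`; Schema Admins uses `%{S-1-5-21\.+-518}` where its neighbours use `\S+`; and the RODC-related rules (-498, -529, -571, -572) use `%{S-1-5-\s*21\.+\s*-NNN}` with `\s*` inside the SID. Unless the differing forms are deliberate, normalise domain-relative SIDs to `ID:\s+%{S-1-5-21\S+-NNN}` and builtin ones to `ID:\s+%{S-1-5-32-NNN}`. Two rules (RAS and IAS Servers, Print Operators) also add a `\w* ID:` prefix that the others lack. The `Target Account Name: None` / `Local User Group NONE` rule has no group tags or reference unlike its siblings, and the two 18104 rules at the start of the hunk split their `^631$|...|^663$|^4759$` and `^634$|...|^667$|^4763$` alternations across a line break, so confirm the rule loader joins the lines rather than treating the newline as part of the pattern.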
@@ -363,7 +825,7 @@
Failure Code: 0x1F
Windows DC integrity check on decrypted
field failed.
- http://www.ultimatewindowssecurity.com/kerberrors.html
+ http://www.ultimatewindowssecurity.com/kerberrors.html
win_authentication_failed,attacks,
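Review bot: the `-`/`+` lines for the kerberrors.html reference are identical apart from leading whitespace, so this hunk (and the two following ones for failure codes 0x22 and 0x25) changes nothing functionally; drop the whitespace-only edits or move them to a separate formatting commit so the real changes to the ID anchors are easier to review.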
@@ -371,7 +833,7 @@
18139
Failure Code: 0x22
Windows DC - Possible replay attack.
- http://www.ultimatewindowssecurity.com/kerberrors.html
+ http://www.ultimatewindowssecurity.com/kerberrors.html
win_authentication_failed,attacks,
@@ -379,7 +841,7 @@
18139
Failure Code: 0x25
Windows DC - Clock skew too great.
- http://www.ultimatewindowssecurity.com/kerberrors.html
+ http://www.ultimatewindowssecurity.com/kerberrors.html
win_authentication_failed,attacks,
@@ -387,14 +849,14 @@
18105
- ^18456
+ ^18456$
win_authentication_failed,
MS SQL Server Logon Failure.
18104
- ^18454|^18453
+ ^18454$|^18453$
MS SQL Server Logon Success.
authentication_success,