X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=etc%2Frules%2Fmsauth_rules.xml;h=51ed17b303904f31eac36492fbb1729f8111cb94;hp=fcfcf2ca2d0195564e2ae9208ed201f076886885;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/etc/rules/msauth_rules.xml b/etc/rules/msauth_rules.xml
old mode 100755
new mode 100644
index fcfcf2c..51ed17b
--- a/etc/rules/msauth_rules.xml
+++ b/etc/rules/msauth_rules.xml
@@ -123,7 +123,7 @@
18104
^640$
General account database changed.
- http://www.ultimatewindowssecurity.com/events/com259.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=640
adduser,account_changed,
@@ -202,9 +202,9 @@
18106
- ^529$
+ ^529$|^4625$
Logon Failure - Unknown user or bad password.
- http://www.ultimatewindowssecurity.com/events/com190.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
win_authentication_failed,
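Review bot: adding ^4625$ to the "Unknown user or bad password" rule mislabels every logon failure from hosts that emit the 46xx series, because 4625 is the single failure event for all reasons, including the lockouts this same patch removes from the ^539$ rule further down. Either generalise the description to "Logon Failure" or add a match on the Sub Status field that 4625 carries (0xC000006A for wrong password, 0xC0000064 for unknown user) so the rule still means what it says. The replaced link now documents only 4625; keep the 529 reference as well while the legacy ID stays in the regex.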
@@ -213,7 +213,7 @@
^530$
Logon Failure - Account logon time restriction
violation.
- http://www.ultimatewindowssecurity.com/events/com191.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=530
win_authentication_failed,login_denied,
@@ -221,7 +221,7 @@
18106
^531$
Logon Failure - Account currently disabled.
- http://www.ultimatewindowssecurity.com/events/com192.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=531
win_authentication_failed,login_denied,
@@ -229,7 +229,7 @@
18106
^532$
Logon Failure - Specified account expired.
- http://www.ultimatewindowssecurity.com/events/com193.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=532
win_authentication_failed,login_denied,
@@ -238,7 +238,7 @@
^533$
Logon Failure - User not allowed to login at
this computer.
- http://www.ultimatewindowssecurity.com/events/com194.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=533
win_authentication_failed,login_denied,
@@ -246,7 +246,7 @@
18106
^534$
Logon Failure - User not granted logon type.
- http://www.ultimatewindowssecurity.com/events/com195.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=534
win_authentication_failed,
@@ -254,7 +254,7 @@
18106
^535$
Logon Failure - Account's password expired.
- http://www.ultimatewindowssecurity.com/events/com196.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=535
win_authentication_failed,
@@ -267,7 +267,7 @@
18106
- ^539$|^4625$
+ ^539$
Logon Failure - Account locked out.
win_authentication_failed,
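Review bot: dropping ^4625$ here leaves the "Account locked out" rule matching only the legacy ^539$, so a lockout on a host that no longer emits the 5xx series produces no lockout alert at all; it falls through to the ^529$|^4625$ rule above and is reported as a bad password. If the goal is to stop 4625 matching twice, add a dedicated rule for the lockout event (4740, or 4625 with Sub Status 0xC0000234) instead of silently losing the signal. This rule also has no reference line, unlike its siblings in the hunks above.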
@@ -298,7 +298,7 @@
18104
^671$|^4767$
User account unlocked.
- http://www.ultimatewindowssecurity.com/events/com291.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767
account_changed,
@@ -499,7 +499,7 @@
18207,18208
- ID:\s+%{S-1-1-0}
+ ID:\s+%{S-1-1-0}| ID:\s+S-1-1-0
Everyone Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
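Review bot: the two alternatives are not anchored the same way: the new bare form requires a leading space (`| ID:\s+S-1-1-0`) while the original `%{...}` form does not, so "Security ID:" and "Group ID:" prefixes are treated differently depending on which rendering of the SID the event uses. Pick one convention for both sides, and say in the commit message that the bare form is for events that render the SID without the `%{...}` wrapper; nothing in the diff explains why every group rule gained a second alternative.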
@@ -507,7 +507,7 @@
18207,18208
- ID:\s+%{S-1-5-9}
+ ID:\s+%{S-1-5-9}| ID:\s+S-1-5-9
Enterprise Domain Controllers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -515,7 +515,7 @@
18207,18208
- ID:\s+%{S-1-5-11}
+ ID:\s+%{S-1-5-11}| ID:\s+S-1-5-11
Authenticated Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -523,7 +523,7 @@
18207,18208
- ID:\s+%{S-1-5-13}
+ ID:\s+%{S-1-5-13}| ID:\s+S-1-5-13
Terminal Server Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -531,7 +531,7 @@
18203,18204
- ID:\s+%{S-1-5-21\S+-512}
+ ID:\s+%{S-1-5-21\S+-512}| ID:\s+S-1-5-21\S+-512
Domain Admins Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
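Review bot: the new bare alternative has no terminator after the RID. The old `%{S-1-5-21\S+-512}` form was closed by the literal `}`, but `ID:\s+S-1-5-21\S+-512` also satisfies `...-5120` or `...-51234`, i.e. any ordinary account RID that begins with 512, so a membership change for such a user alerts as "Domain Admins Group Changed". Terminate the bare form (`-512\s` or `-512$`, whichever the collected message allows). The same applies to every -513..-520 and -5xx rule below that gets this alternative.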
@@ -539,22 +539,22 @@
18203,18204
- ID:\s+%{S-1-5-21\S+-513}
+ ID:\s+%{S-1-5-21\S+-513}| ID:\s+S-1-5-21\S+-513
Domain Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
-
- 18223,18203
- Target Account Name: None
- Local User Group NONE
- Bogus group user added to upon creation
-
+
+ 18223,18203
+ Target Account Name: None
+ Local User Group NONE
+ Bogus group user added to upon creation
+
18203,18204
- ID:\s+%{S-1-5-21\S+-514}
+ ID:\s+%{S-1-5-21\S+-514}| ID:\s+S-1-5-21\S+-514
Domain Guests Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
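Review bot: the 18223,18203 "Bogus group user added to upon creation" rule changes by indentation only inside a hunk whose purpose is the bare-SID alternatives; a whitespace-only move buried in a functional change makes the diff harder to review, so split it out or mention it in the commit message. While it is being touched: it is the only rule in this series without the group_changed,win_group_changed tags and a reference link, so anything that filters on those groups will not see it.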
@@ -562,7 +562,7 @@
18203,18204
- ID:\s+%{S-1-5-21\S+-515}
+ ID:\s+%{S-1-5-21\S+-515}| ID:\s+S-1-5-21\S+-515
Domain Computers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -570,7 +570,7 @@
18203,18204
- ID:\s+%{S-1-5-21\S+-516}
+ ID:\s+%{S-1-5-21\S+-516}| ID:\s+S-1-5-21\S+-516
Domain Controllers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -578,7 +578,7 @@
18207,18208
- ID:\s+%{S-1-5-21\S+-517}
+ ID:\s+%{S-1-5-21\S+-517}| ID:\s+S-1-5-21\S+-517
Cert Publishers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -586,7 +586,7 @@
18203,18204
- ID:\s+%{S-1-5-21\.+-518}
+ ID:\s+%{S-1-5-21\.+-518}| ID:\s+S-1-5-21\.+-518
Schema Admins Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
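Review bot: the new alternative copies `\.+` from the old pattern while every neighbouring rule uses `\S+`; in OSSEC regex `\.` is any character, whitespace included, so `S-1-5-21\.+-518` can run across field boundaries and match a `-518` that belongs to a different SID later in the message. Use `\S+` here as in the -512..-520 rules.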
@@ -594,7 +594,7 @@
18203,18204
- ID:\s+%{S-1-5-21\S+-519}
+ ID:\s+%{S-1-5-21\S+-519}| ID:\s+S-1-5-21\S+-519
Enterprise Admins Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -602,7 +602,7 @@
18203,18204
- ID:\s+%{S-1-5-21\S+-520}
+ ID:\s+%{S-1-5-21\S+-520}| ID:\s+S-1-5-21\S+-520
Group Policy Creator Owners Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -610,7 +610,7 @@
18207,18208
- \w* ID:\s+%{S-1-5-21\S+-553}
+ ID:\s+%{S-1-5-21\S+-553}| ID:\s+S-1-5-21\S+-553
RAS and IAS Servers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -618,7 +618,7 @@
18207,18208
- ID:\s+%{S-1-5-32-545}
+ ID:\s+%{S-1-5-32-545}| ID:\s+S-1-5-32-545
Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -626,7 +626,7 @@
18207,18208
- ID:\s+%{S-1-5-32-546}
+ ID:\s+%{S-1-5-32-546}| ID:\s+S-1-5-32-546
Guests Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -634,7 +634,7 @@
18207,18208
- ID:\s+%{S-1-5-32-547}
+ ID:\s+%{S-1-5-32-547}| ID:\s+S-1-5-32-547
Power Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -642,7 +642,7 @@
18207,18208
- ID:\s+%{S-1-5-32-548}
+ ID:\s+%{S-1-5-32-548}| ID:\s+S-1-5-32-548
Account Operators Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -650,7 +650,7 @@
18207,18208
- ID:\s+%{S-1-5-32-549}
+ ID:\s+%{S-1-5-32-549}| ID:\s+S-1-5-32-549
Server Operators Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -658,7 +658,7 @@
18207,18208
- \w* ID:\s+%{S-1-5-32-550}
+ ID:\s+%{S-1-5-32-550}| ID:\s+S-1-5-32-550
Print Operators Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -666,7 +666,7 @@
18207,18208
- ID:\s+%{S-1-5-32-551}
+ ID:\s+%{S-1-5-32-551}| ID:\s+S-1-5-32-551
Backup Operators Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -674,7 +674,7 @@
18207,18208
- ID:\s+%{S-1-5-32-552}
+ ID:\s+%{S-1-5-32-552}| ID:\s+S-1-5-32-552
Replicators Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -682,7 +682,7 @@
18207,18208
- ID:\s+%{S-1-5-32-554}
+ ID:\s+%{S-1-5-32-554}| ID:\s+S-1-5-32-554
Pre-Windows 2000 Compatible Access Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -690,7 +690,7 @@
18207,18208
- ID:\s+%{S-1-5-32-555}
+ ID:\s+%{S-1-5-32-555}| ID:\s+S-1-5-32-555
Remote Desktop Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -698,7 +698,7 @@
18207,18208
- ID:\s+%{S-1-5-32-556}
+ ID:\s+%{S-1-5-32-556}| ID:\s+S-1-5-32-556
Network Configuration Operators Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -706,7 +706,7 @@
18207,18208
- ID:\s+%{S-1-5-32-557}
+ ID:\s+%{S-1-5-32-557}| ID:\s+S-1-5-32-557
Incoming Forest Trust Builders Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -714,7 +714,7 @@
18207,18208
- ID:\s+%{S-1-5-32-558}
+ ID:\s+%{S-1-5-32-558}| ID:\s+S-1-5-32-558
Performance Monitor Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -722,7 +722,7 @@
18207,18208
- ID:\s+%{S-1-5-32-559}
+ ID:\s+%{S-1-5-32-559}| ID:\s+S-1-5-32-559
Performance Log Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -730,7 +730,7 @@
18207,18208
- ID:\s+%{S-1-5-32-560}
+ ID:\s+%{S-1-5-32-560}| ID:\s+S-1-5-32-560
Windows Authorization Access Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -738,7 +738,7 @@
18207,18208
- ID:\s+%{S-1-5-32-561}
+ ID:\s+%{S-1-5-32-561}| ID:\s+S-1-5-32-561
Terminal Server License Servers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -746,7 +746,7 @@
18207,18208
- ID:\s+%{S-1-5-32-562}
+ ID:\s+%{S-1-5-32-562}| ID:\s+S-1-5-32-562
Distributed COM Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -754,7 +754,7 @@
18207,18208
- ID:\s+%{S-1-5-\s*21\.+\s*-498}
+ ID:\s+%{S-1-5-\s*21\.+\s*-498}| ID:\s+S-1-5-\s*21\.+\s*-498
Enterprise Read-only Domain Controllers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
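Review bot: `S-1-5-\s*21\.+\s*-498` carries the `\s*` and `\.+` of the old pattern into the new bare alternative; whitespace never occurs inside a SID, and `\.+` can span into later fields (see the -518 rule above). The same shape is repeated in the -529, -571 and -572 rules below; normalise all four to the `S-1-5-21\S+-498` form used by the rest of the file.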
@@ -762,7 +762,7 @@
18207,18208
- ID:\s+%{S-1-5-\s*21\.+\s*-529}
+ ID:\s+%{S-1-5-\s*21\.+\s*-529}| ID:\s+S-1-5-\s*21\.+\s*-529
Read-only Domain Controllers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -770,7 +770,7 @@
18207,18208
- ID:\s+%{S-1-5-32-569}
+ ID:\s+%{S-1-5-32-569}| ID:\s+S-1-5-32-569
Cryptographic Operators Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -778,7 +778,7 @@
18207,18208
- ID:\s+%{S-1-5-\s*21\.+\s*-571}
+ ID:\s+%{S-1-5-\s*21\.+\s*-571}| ID:\s+S-1-5-\s*21\.+\s*-571
Allowed RODC Password Replication Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -786,7 +786,7 @@
18207,18208
- ID:\s+%{S-1-5-\s*21\.+\s*-572}
+ ID:\s+%{S-1-5-\s*21\.+\s*-572}| ID:\s+S-1-5-\s*21\.+\s*-572
Denied RODC Password Replication Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -794,7 +794,7 @@
18207,18208
- ID:\s+%{S-1-5-32-573}
+ ID:\s+%{S-1-5-32-573}| ID:\s+S-1-5-32-573
Event Log Readers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -802,11 +802,34 @@
18207,18208
- ID:\s+%{S-1-5-32-574}
+ ID:\s+%{S-1-5-32-574}| ID:\s+S-1-5-32-574
Certificate Service DCOM Access Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
+
+
+ 18101
+ ^200$|^300$|^302$
+ TS Gateway login success.
+ authentication_success,
+ https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx
+
+
+
+ 18102, 18103
+ ^201$|^203$|^204$|^301$|^304$|^305$|^306$|^1001$
+ TS Gateway login failure.
+ authentication_failed,
+ https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx
+
+
+
+ 18101
+ ^202$|^303$
+ TS Gateway user disconnected.
+ https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx
+
win_authentication_failed,attacks,
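Review bot: the three new TS Gateway rules match only the bare event ID (`^200$|^300$|^302$`, `^201$|^203$|...`, `^202$|^303$`) under the generic 18101/18102/18103 parents, with nothing restricting them to the TerminalServices-Gateway source; IDs this low are reused by many Windows providers, so an informational event 200 or an error 201 from any other application is reported as a TS Gateway logon. Add a match on the event source. Also: `18102, 18103` has a space after the comma that no other if_sid list in this file has (confirm the loader tolerates it), and the disconnect rule carries no group while the other two do.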
@@ -833,7 +856,7 @@
18139
Failure Code: 0x22
Windows DC - Possible replay attack.
- http://www.ultimatewindowssecurity.com/kerberrors.html
+
win_authentication_failed,attacks,
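Review bot: removing the dead kerberrors.html link leaves an empty info element on the 0x22 rule here and on the 0x25 rule in the next hunk; either drop the element or point it at a live reference, as the earlier hunks do with the event.aspx?eventid= pages.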
@@ -841,7 +864,7 @@
18139
Failure Code: 0x25
Windows DC - Clock skew too great.
- http://www.ultimatewindowssecurity.com/kerberrors.html
+
win_authentication_failed,attacks,
@@ -861,6 +884,20 @@
authentication_success,
+
+
+ 18107
+ ^4624$
+ Logon Type: 8
+ MS Exchange Logon Success.
+
+
+
+ 18149
+ ^4634$
+ Logon Type: 8
+ User Logoff Exchange.
+
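Review bot: nothing in these two rules is Exchange-specific: they match 4624/4634 plus `Logon Type: 8`, and type 8 (NetworkCleartext) is what any IIS basic-authentication logon produces, not only Exchange. Either rename the descriptions to say what is actually matched or add a match on a field that identifies Exchange. Both rules also lack the group tags (authentication_success and the like) that the surrounding rules carry, so group-based correlation will not see them.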
@@ -897,6 +934,39 @@
Multiple remote access login failures.
authentication_failures,
+
+
+ 18258
+ Multiple TS Gateway login failures.
+ authentication_failures,
+
+
+
+
+ 18103
+ chromoting
+ : chromoting: \.* Access denied for client:
+ Chrome Remote Desktop attempt - access denied
+
+
+
+ 18101
+ chromoting
+ : chromoting: \.* Client connected:
+ Chrome Remote Desktop attempt - connected
+
+
+
+ 18101
+ chromoting
+ : chromoting: \.* Client disconnected:
+ Chrome Remote Desktop attempt - disconnected
+
+
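Review bot: the chromoting "Access denied for client" rule sits under 18103 with no authentication_failed group, so repeated denials never feed a multiple-failures correlation like the "Multiple TS Gateway login failures" rule added at the top of this hunk; give it the group, and a frequency rule if repeated denials are the signal that matters. The descriptions "Chrome Remote Desktop attempt - connected" and "- disconnected" are misleading, since a connected client is no longer an attempt; "Chrome Remote Desktop client connected/disconnected" states what the match means.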