1 <!-- @(#) $Id: msauth_rules.xml,v 1.35 2009/11/06 15:30:30 dcid Exp $
2 - Example of Microsoft Windows (2000, XP, 2003) rules for OSSEC. Many rules below also list the newer four-digit event IDs (4624, 4625, 4720, ...), so they are not limited to the legacy three-digit IDs.
4 - Copyright (C) 2009 Trend Micro Inc.
7 - This program is free software; you can redistribute it
8 - and/or modify it under the terms of the GNU General Public
9 - License (version 3) as published by the FSF - Free Software
12 - License details: http://www.ossec.net/en/licensing.html
<!-- Shared alert threshold for the composite rules at the end of this file
     (18151 to 18156 reference it as frequency="$MS_FREQ"): the number of
     matching events that must arrive inside the rule's timeframe. -->
16 <var name="MS_FREQ">6</var>
18 <group name="windows,">
<!-- Root of the Windows rule tree. Every rule in this file chains back to
     18100 through if_sid; level 0 means it classifies only and never alerts
     by itself. -->
19 <rule id="18100" level="0">
20 <category>windows</category>
21 <description>Group of windows rules.</description>
<!-- First-level split on the event's status field. Informational, warning
     and audit-success events stay at level 0 (classification only); error
     events alert at level 5 and audit failures at level 4. Nearly every
     security rule further down hangs off 18104 (success) or 18105 (failure).
     NOTE(review): the lower-case "^success"/"^failure" alternates presumably
     cover a second log format; confirm against the agent's decoder. -->
24 <rule id="18101" level="0">
25 <if_sid>18100</if_sid>
26 <status>^INFORMATION</status>
27 <description>Windows informational event.</description>
30 <rule id="18102" level="0">
31 <if_sid>18100</if_sid>
32 <status>^WARNING</status>
33 <description>Windows warning event.</description>
36 <rule id="18103" level="5">
37 <if_sid>18100</if_sid>
38 <status>^ERROR</status>
39 <description>Windows error event.</description>
40 <group>system_error,</group>
43 <rule id="18104" level="0">
44 <if_sid>18100</if_sid>
45 <status>^AUDIT_SUCCESS|^success</status>
46 <description>Windows audit success event.</description>
49 <rule id="18105" level="4">
50 <if_sid>18100</if_sid>
51 <status>^AUDIT_FAILURE|^failure</status>
52 <description>Windows audit failure event.</description>
<!-- Generic logon-failure rule: audit failure plus the classic logon-failure
     event IDs 529 to 537, 539 and the newer 4625. 538 is intentionally
     absent here; it is treated as a logoff by 18149. The granular rules
     18130 to 18138 refine this one via if_sid and it feeds composite 18152
     through the win_authentication_failed group. -->
55 <rule id="18106" level="5">
56 <if_sid>18105</if_sid>
57 <id>^529|^530|^531|^532|^533|^534|^535|^536|^537|^539|^4625</id>
58 <description>Windows Logon Failure.</description>
59 <group>win_authentication_failed,</group>
<!-- Generic logon-success rule. Besides the logon IDs 528, 540 and 4624 it
     also accepts 672, 673 and 4769, the same IDs that 18139 treats as a DC
     (Kerberos) logon failure when the status is AUDIT_FAILURE; presumably
     these are ticket-granting events. Level 3 only: 18119 raises a
     first-time-login alert on top of it and 18121 silences service-account
     noise. -->
62 <rule id="18107" level="3">
63 <if_sid>18104</if_sid>
64 <id>^528|^540|^672|^673|^4624|^4769</id>
65 <description>Windows Logon Success.</description>
66 <group>authentication_success,</group>
<!-- NOTE(review): in this copy neither rule carries an <id> element, so the
     event IDs that select "privileged operation failed" and "session
     reconnected/disconnected" are not visible; the selectors must come from
     the upstream file. 18108 feeds the composite rule 18151. -->
69 <rule id="18108" level="4">
70 <if_sid>18105</if_sid>
72 <description>Failed attempt to perform a privileged </description>
73 <description>operation.</description>
76 <rule id="18109" level="3">
77 <if_sid>18104</if_sid>
79 <description>Session reconnected/disconnected to winstation.</description>
<!-- Account lifecycle events (create/enable, change, disable/delete), all
     level 8 and all in the account_changed group. 18110 and 18112 also
     carry "adduser" even for the disable/delete case, which looks like a
     grouping convenience rather than a description of the event.
     NOTE(review): confirm whether any downstream rule or report keys on
     the adduser group before relying on it. -->
82 <rule id="18110" level="8">
83 <if_sid>18104</if_sid>
84 <id>^624|^626|^645|^4720|^4722</id>
85 <description>User account enabled or created.</description>
86 <group>adduser,account_changed,</group>
89 <rule id="18111" level="8">
90 <if_sid>18104</if_sid>
91 <id>^628|^642|^685|^4738|^4781</id>
92 <description>User account changed.</description>
93 <group>account_changed,</group>
96 <rule id="18112" level="8">
97 <if_sid>18104</if_sid>
98 <id>^630|^629|^4725|^4726</id>
99 <description>User account disabled or deleted.</description>
100 <group>adduser,account_changed,</group>
<!-- Audit policy changes (612, 643, 4719, 4907, 4912), level 8. Note that
     4907 is also listed by 18114 ("Group account changed"); both are
     level-8 children of 18104, so the description an event 4907 ends up
     with depends on rule ordering. One of the two lists should probably
     drop it. -->
103 <rule id="18113" level="8">
104 <if_sid>18104</if_sid>
105 <id>^612|^643|^4719|^4907|^4912</id>
106 <description>Windows Audit Policy changed.</description>
107 <group>policy_changed,</group>
<!-- Group account changes. The first alternative "^63" is a prefix match,
     not a full ID: it matches every event ID that starts with 63 (630 to
     639 and longer IDs), which is presumably what lets the children
     18143/18144 narrow on 631/635 and 634/638. It therefore also overlaps
     630 (user account deleted, 18112), and 4907 is duplicated from 18113;
     check which rule wins for those IDs. -->
110 <rule id="18114" level="8">
111 <if_sid>18104</if_sid>
112 <id>^63|^641|^664|^658|^659|^660|^662|^668|^4907</id>
113 <description>Group account changed.</description>
114 <group>adduser,account_changed,</group>
<!-- Higher-impact success events: account database changed (8), account
     lockout (9), shutdown (7) and audit log cleared (9). NOTE(review): in
     this copy none of these rules shows an <id> element, so their
     selectors cannot be checked here. An audit log being cleared (18118)
     is a classic anti-forensic signal; 18119 (level 3) already uses
     <options>alert_by_email</options>, so consider the same option on
     18118 and on the lockout rule 18116. -->
117 <rule id="18115" level="8">
118 <if_sid>18104</if_sid>
120 <description>General account database changed.</description>
121 <info>http://www.ultimatewindowssecurity.com/events/com259.html</info>
122 <group>adduser,account_changed,</group>
125 <rule id="18116" level="9">
126 <if_sid>18104</if_sid>
128 <description>User account locked out (multiple login errors).</description>
129 <group>authentication_failures,</group>
132 <rule id="18117" level="7">
133 <if_sid>18104</if_sid>
135 <description>Windows is shutting down.</description>
136 <group>system_shutdown,</group>
139 <rule id="18118" level="9">
140 <if_sid>18104</if_sid>
142 <description>Windows audit log was cleared.</description>
143 <group>logs_cleared,</group>
<!-- 18119 promotes a logon success (18107) to an e-mail alert for a user
     not seen before on this host; the element that performs the
     first-time check is not present in this copy. 18120 is a level-0 sink
     that discards a duplicated failure event; its selector is likewise
     missing here. -->
146 <rule id="18119" level="3">
147 <if_sid>18107</if_sid>
148 <options>alert_by_email</options>
150 <description>First time this user logged in this system.</description>
151 <group>authentication_success,</group>
154 <rule id="18120" level="0">
155 <if_sid>18105</if_sid>
157 <description>Windows login attempt (ignored). Duplicated.</description>
<!-- Remote access logon results plus a few non-authentication events.
     18125 is unusual in hanging off the warning/error branches (18102,
     18103) rather than the audit branches, and it feeds composite 18156.
     18126 to 18129 show no <id> element in this copy, so their selectors
     cannot be checked here. -->
160 <rule id="18125" level="5">
161 <if_sid>18102, 18103</if_sid>
162 <id>^20187|^20014|^20078|^20050|^20049|^20189</id>
163 <description>Remote access login failure.</description>
164 <group>authentication_failed,</group>
167 <rule id="18126" level="3">
168 <if_sid>18101</if_sid>
170 <description>Remote access login success.</description>
171 <group>authentication_success,</group>
174 <rule id="18127" level="8">
175 <if_sid>18104</if_sid>
177 <description>Computer account changed/deleted.</description>
178 <group>account_changed,</group>
181 <rule id="18128" level="8">
182 <if_sid>18104</if_sid>
184 <description>Group account added/changed/deleted.</description>
185 <group>account_changed,</group>
188 <rule id="18129" level="8">
189 <if_sid>18103</if_sid>
191 <description>Windows file system full.</description>
192 <group>low_diskspace,</group>
196 <!-- Granular Windows logon-failure rules (children of 18106, one per failure reason) -->
<!-- Granular children of 18106 that name the logon-failure reason. All are
     level 5 except "not allowed to log in at this computer" (18134) and
     "account locked out" (18138), which are level 7; those are the cases
     most worth correlating with the lockout rule 18116 and the
     brute-force composite 18152. The login_denied group is applied only
     to 18131 to 18134. NOTE(review): no <id> element is present on these
     rules in this copy, so the per-reason selectors cannot be checked
     here. -->
197 <rule id="18130" level="5">
198 <if_sid>18106</if_sid>
200 <description>Logon Failure - Unknown user or bad password.</description>
201 <info>http://www.ultimatewindowssecurity.com/events/com190.html</info>
202 <group>win_authentication_failed,</group>
205 <rule id="18131" level="5">
206 <if_sid>18106</if_sid>
208 <description>Logon Failure - Account logon time restriction </description>
209 <description>violation.</description>
210 <info>http://www.ultimatewindowssecurity.com/events/com191.html</info>
211 <group>win_authentication_failed,login_denied,</group>
214 <rule id="18132" level="5">
215 <if_sid>18106</if_sid>
217 <description>Logon Failure - Account currently disabled.</description>
218 <info>http://www.ultimatewindowssecurity.com/events/com192.html</info>
219 <group>win_authentication_failed,login_denied,</group>
222 <rule id="18133" level="5">
223 <if_sid>18106</if_sid>
225 <description>Logon Failure - Specified account expired.</description>
226 <info>http://www.ultimatewindowssecurity.com/events/com193.html</info>
227 <group>win_authentication_failed,login_denied,</group>
230 <rule id="18134" level="7">
231 <if_sid>18106</if_sid>
233 <description>Logon Failure - User not allowed to login at </description>
234 <description>this computer.</description>
235 <info>http://www.ultimatewindowssecurity.com/events/com194.html</info>
236 <group>win_authentication_failed,login_denied,</group>
239 <rule id="18135" level="5">
240 <if_sid>18106</if_sid>
242 <description>Logon Failure - User not granted logon type.</description>
243 <info>http://www.ultimatewindowssecurity.com/events/com195.html</info>
244 <group>win_authentication_failed,</group>
247 <rule id="18136" level="5">
248 <if_sid>18106</if_sid>
250 <description>Logon Failure - Account's password expired.</description>
251 <info>http://www.ultimatewindowssecurity.com/events/com196.html</info>
252 <group>win_authentication_failed,</group>
255 <rule id="18137" level="5">
256 <if_sid>18106</if_sid>
258 <description>Logon Failure - Internal error.</description>
259 <group>win_authentication_failed,</group>
262 <rule id="18138" level="7">
263 <if_sid>18106</if_sid>
265 <description>Logon Failure - Account locked out.</description>
266 <group>win_authentication_failed,</group>
<!-- Domain-controller (Kerberos) authentication failures: 672, 673, 675,
     676, 681 and 4769 under AUDIT_FAILURE, level 5. The Kerberos
     failure-code rules 18170 to 18172 refine this rule by matching the
     "Failure Code:" text, and the win_authentication_failed group feeds
     composite 18152. -->
269 <rule id="18139" level="5">
270 <if_sid>18105</if_sid>
271 <id>^672|^673|^675|^676|^681|^4769</id>
272 <description>Windows DC Logon Failure.</description>
273 <group>win_authentication_failed,</group>
<!-- System time change (7), unexpected shutdown (7, matched on the warning
     text rather than an event ID) and account unlock (5). A time change
     is security relevant because it breaks log-timeline correlation.
     NOTE(review): no <id> element is visible for 18140 and 18142 in this
     copy, so their selectors cannot be checked here. -->
276 <rule id="18140" level="7">
277 <if_sid>18104</if_sid>
279 <description>System time changed.</description>
280 <group>time_changed,</group>
283 <rule id="18141" level="7">
284 <if_sid>18102</if_sid>
286 <match>unexpected shutdown</match>
287 <group>system_error, system_shutdown,</group>
288 <description>Unexpected Windows shutdown.</description>
291 <rule id="18142" level="5">
292 <if_sid>18104</if_sid>
294 <description>User account unlocked.</description>
295 <info>http://www.ultimatewindowssecurity.com/events/com291.html</info>
296 <group>account_changed,</group>
<!-- Children of 18114 that narrow its broad "^63" prefix to specific
     security-enabled group create (631/635/658) and delete (634/638/662)
     IDs. Both stay at level 8 and keep the adduser/account_changed groups
     of the parent, so they change the description, not the severity. -->
299 <rule id="18143" level="8">
300 <if_sid>18114</if_sid>
301 <id>^631|^635|^658</id>
302 <description>Security enabled group created.</description>
303 <group>adduser,account_changed,</group>
306 <rule id="18144" level="8">
307 <if_sid>18114</if_sid>
308 <id>^634|^638|^662</id>
309 <description>Security enabled group deleted.</description>
310 <group>adduser,account_changed,</group>
313 <!-- Some services change their startup type automatically -->
<!-- Non-audit housekeeping events. Service start-type change (18145) and
     application install/uninstall (18146/18147) come from the
     informational branch (18101); the install/uninstall pair e-mails at
     level 5. 18148/18149 are level-3 successes (startup, logoff).
     NOTE(review): no <id> element is visible for 18145 to 18148 in this
     copy, so their selectors cannot be checked here. -->
314 <rule id="18145" level="3">
315 <if_sid>18101</if_sid>
317 <group>policy_changed,</group>
318 <description>Service startup type was changed.</description>
319 <info>This does not appear to be logged on Windows 2000.</info>
322 <rule id="18146" level="5">
323 <if_sid>18101</if_sid>
325 <options>alert_by_email</options>
326 <description>Application Uninstalled.</description>
329 <rule id="18147" level="5">
330 <if_sid>18101</if_sid>
332 <options>alert_by_email</options>
333 <description>Application Installed.</description>
336 <rule id="18148" level="3">
337 <if_sid>18104</if_sid>
339 <description>Windows is starting up.</description>
342 <rule id="18149" level="3">
343 <if_sid>18104</if_sid>
344 <id>^538|^4634|^4647</id>
345 <description>Windows User Logoff.</description>
349 <!-- Ignore logon/logoff success events (rule 18121, legacy IDs 528/538/540) for the
350 - LOCAL SERVICE, NETWORK SERVICE and ANONYMOUS LOGON accounts. Intended for logon type 5 (service) events from Advapi, although the rule itself filters only on event ID and user name.
<!-- Suppresses (level 0) logon/logoff successes for the built-in service
     accounts and for ANONYMOUS LOGON. Two review points: (1) the <id>
     list covers only the legacy IDs 528/538/540, so the 4624/4634/4647
     events that 18107 and 18149 also match are NOT suppressed by this
     rule; (2) silencing every ANONYMOUS LOGON success also hides anonymous
     network logons you may want to see, and no logon-type restriction is
     visible in this copy even though the comment above mentions type 5. -->
352 <rule id="18121" level="0">
353 <if_sid>18107,18149</if_sid>
354 <id>^528|^538|^540</id>
355 <user>^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON</user>
356 <description>Windows Logon Success (ignored).</description>
360 <!-- Kerberos failures that may indicate an attack -->
<!-- Kerberos failure codes carved out of 18139 by matching the textual
     "Failure Code:" field. 0x1F and 0x22 (integrity check failed, replay)
     are level 10 and tagged "attacks"; 0x25 (clock skew) is also tagged
     "attacks" but only level 7. NOTE(review): clock skew is frequently
     benign NTP drift, so expect noise from 18172 and consider whether it
     belongs in the attacks group at all. -->
361 <rule id="18170" level="10">
362 <if_sid>18139</if_sid>
363 <match>Failure Code: 0x1F</match>
364 <description>Windows DC integrity check on decrypted </description>
365 <description>field failed.</description>
366 <info>http://www.ultimatewindowssecurity.com/kerberrors.html</info>
367 <group>win_authentication_failed,attacks,</group>
370 <rule id="18171" level="10">
371 <if_sid>18139</if_sid>
372 <match>Failure Code: 0x22</match>
373 <description>Windows DC - Possible replay attack.</description>
374 <info>http://www.ultimatewindowssecurity.com/kerberrors.html</info>
375 <group>win_authentication_failed,attacks,</group>
378 <rule id="18172" level="7">
379 <if_sid>18139</if_sid>
380 <match>Failure Code: 0x25</match>
381 <description>Windows DC - Clock skew too great.</description>
382 <info>http://www.ultimatewindowssecurity.com/kerberrors.html</info>
383 <group>win_authentication_failed,attacks,</group>
387 <!-- MS SQL rules -->
<!-- MS SQL Server authentication results. 18180 (no <id> element in this
     copy) shares the win_authentication_failed group with the Windows
     logon failures, so SQL logon failures also count toward composite
     18152. 18181 keys on 18453/18454 under audit success, level 3. -->
388 <rule id="18180" level="5">
389 <if_sid>18105</if_sid>
391 <group>win_authentication_failed,</group>
392 <description>MS SQL Server Logon Failure.</description>
395 <rule id="18181" level="3">
396 <if_sid>18104</if_sid>
397 <id>^18454|^18453</id>
398 <description>MS SQL Server Logon Success.</description>
399 <group>authentication_success,</group>
404 <!-- Composite (frequency) rules: fire at level 10 when $MS_FREQ matching events occur within the timeframe (seconds) -->
<!-- Frequency (composite) rules: level 10 when $MS_FREQ matching events
     arrive within timeframe seconds (240, or 120 for warnings). 18152
     counts anything in win_authentication_failed, so it aggregates
     Windows, DC/Kerberos and MS SQL logon failures together.
     NOTE(review): 18151's description says "by the same user" but no
     <same_user> element is present in this copy, and none of these rules
     shows a <same_source_ip>, so as written they aggregate across all
     users and sources; confirm against the upstream file. -->
405 <rule id="18151" level="10" frequency="$MS_FREQ" timeframe="240">
406 <if_matched_sid>18108</if_matched_sid>
408 <description>Multiple failed attempts to perform a </description>
409 <description>privileged operation by the same user.</description>
412 <rule id="18152" level="10" frequency="$MS_FREQ" timeframe="240">
413 <if_matched_group>win_authentication_failed</if_matched_group>
414 <description>Multiple Windows Logon Failures.</description>
415 <group>authentication_failures,</group>
418 <rule id="18153" level="10" frequency="$MS_FREQ" timeframe="240">
419 <if_matched_sid>18105</if_matched_sid>
420 <description>Multiple Windows audit failure events.</description>
423 <rule id="18154" level="10" frequency="$MS_FREQ" timeframe="240">
424 <if_matched_sid>18103</if_matched_sid>
425 <description>Multiple Windows error events.</description>
428 <rule id="18155" level="10" frequency="$MS_FREQ" timeframe="120">
429 <if_matched_sid>18102</if_matched_sid>
430 <description>Multiple Windows warning events.</description>
433 <rule id="18156" level="10" frequency="$MS_FREQ" timeframe="240">
434 <if_matched_sid>18125</if_matched_sid>
435 <description>Multiple remote access login failures.</description>
436 <group>authentication_failures,</group>