X-Git-Url: http://ftp.carnet.hr/pub/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=etc%2Frules%2Fmsauth_rules.xml;fp=etc%2Frules%2Fmsauth_rules.xml;h=432c3847278aa50313c84c3d53571dd5c5b3c6d9;hb=301048b51990573e58a30dc4a5bb4ec285cad554;hp=a82246519e876654c3e996c8c8f8e415186b5e9b;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git
diff --git a/etc/rules/msauth_rules.xml b/etc/rules/msauth_rules.xml
index a822465..432c384 100755
--- a/etc/rules/msauth_rules.xml
+++ b/etc/rules/msauth_rules.xml
@@ -1,4 +1,4 @@
-
+ ^65xxx
Group account added/changed/deleted.
+ This rule has been deprecated
account_changed,
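Review bot: The new match `^65xxx` can only match the literal text "65xxx", which no Windows event ID produces, so this rule is effectively disabled while it still carries the `account_changed` group and a description naming what it used to detect. A deprecated rule that stays in the file should say what replaces it, otherwise anyone auditing group-change coverage sees a dead rule and no pointer; the later hunk of this patch adds the per-event group rules that appear to take over that role. I would change the description line to `This rule has been deprecated; group account changes are now covered by the per-event group rules later in this file.` The rule element closes outside the hunk, and the XML markup is stripped in this rendering, so I cannot tell whether a `noalert` attribute was also set on the rule.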
@@ -198,7 +203,7 @@
18106
^529
Logon Failure - Unknown user or bad password.
- http://www.ultimatewindowssecurity.com/events/com190.html
+ http://www.ultimatewindowssecurity.com/events/com190.html
win_authentication_failed,
@@ -207,7 +212,7 @@
^530
Logon Failure - Account logon time restriction
violation.
- http://www.ultimatewindowssecurity.com/events/com191.html
+ http://www.ultimatewindowssecurity.com/events/com191.html
win_authentication_failed,login_denied,
@@ -215,7 +220,7 @@
18106
^531
Logon Failure - Account currently disabled.
- http://www.ultimatewindowssecurity.com/events/com192.html
+ http://www.ultimatewindowssecurity.com/events/com192.html
win_authentication_failed,login_denied,
@@ -223,7 +228,7 @@
18106
^532
Logon Failure - Specified account expired.
- http://www.ultimatewindowssecurity.com/events/com193.html
+ http://www.ultimatewindowssecurity.com/events/com193.html
win_authentication_failed,login_denied,
@@ -232,7 +237,7 @@
^533
Logon Failure - User not allowed to login at
this computer.
- http://www.ultimatewindowssecurity.com/events/com194.html
+ http://www.ultimatewindowssecurity.com/events/com194.html
win_authentication_failed,login_denied,
@@ -240,7 +245,7 @@
18106
^534
Logon Failure - User not granted logon type.
- http://www.ultimatewindowssecurity.com/events/com195.html
+ http://www.ultimatewindowssecurity.com/events/com195.html
win_authentication_failed,
@@ -248,7 +253,7 @@
18106
^535
Logon Failure - Account's password expired.
- http://www.ultimatewindowssecurity.com/events/com196.html
+ http://www.ultimatewindowssecurity.com/events/com196.html
win_authentication_failed,
@@ -292,7 +297,7 @@
18104
^671|^4767
User account unlocked.
- http://www.ultimatewindowssecurity.com/events/com291.html
+ http://www.ultimatewindowssecurity.com/events/com291.html
account_changed,
@@ -316,7 +321,7 @@
^7040
policy_changed,
Service startup type was changed.
- This does not appear to be logged on Windows 2000.
+ This does not appear to be logged on Windows 2000.
@@ -345,6 +350,462 @@
Windows User Logoff.
+
+
+
+ 18104
+ ^631$|^4727$|^635$|^4731$|^658$|^4754$|^648$|^4744$|^653$|^4749$|
+ ^663$|^4759$
+ Group Account Created
+ group_created,win_group_created,
+
+
+
+ 18104
+ ^634$|^4730$|^638$|^4734$|^662$|^4758$|^652$|^4748$|^657$|^4753$|
+ ^667$|^4763$
+ Group Account Deleted
+ group_deleted,win_group_deleted,
+
+
+
+ 18200
+ ^631$|^4727$
+ Security Enabled Global Group Created
+ group_created,win_group_created,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=631
+
+
+
+ 18114
+ ^632$|^4728$
+ Security Enabled Global Group Member Added
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632
+
+
+
+ 18114
+ ^633$|^4729$
+ Security Enabled Global Group Member Removed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=633
+
+
+
+ 18201
+ ^634$|^4730$
+ Security Enabled Global Group Deleted
+ group_deleted,win_group_deleted,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=634
+
+
+
+ 18200
+ ^635$|^4731$
+ Security Enabled Local Group Created
+ group_created,win_group_created,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=635
+
+
+
+ 18114
+ ^636$|^4732$
+ Security Enabled Local Group Member Added
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=636
+
+
+
+ 18114
+ ^637$|^4733$
+ Security Enabled Local Group Member Removed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=637
+
+
+
+ 18201
+ ^638$|^4734$
+ Security Enabled Local Group Deleted
+ group_deleted,win_group_deleted,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=638
+
+
+
+ 18114
+ ^639$|^4735$
+ Security Enabled Local Group Changed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=639
+
+
+
+ 18114
+ ^641$|^4737$
+ Security Enabled Global Group Changed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=641
+
+
+
+ 18200
+ ^658$|^4754$
+ Security Enabled Universal Group Created
+ group_created,win_group_created,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=658
+
+
+
+ 18114
+ ^659$|^4755$
+ Security Enabled Universal Group Changed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=659
+
+
+
+ 18114
+ ^660$|^4756$
+ Security Enabled Universal Group Member Added
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=660
+
+
+
+ 18114
+ ^661$|^4757$
+ Security Enabled Universal Group Member Removed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=661
+
+
+
+ 18201
+ ^662$|^4758$
+ Security Enabled Universal Group Deleted
+ group_deleted,win_group_deleted,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=662
+
+
+
+ 18207,18208
+ ID:\s+\p*S-1-5-32-544\p*
+ Administrators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-1-0}
+ Everyone Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-9}
+ Enterprise Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-11}
+ Authenticated Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-13}
+ Terminal Server Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-512}
+ Domain Admins Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-513}
+ Domain Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18223,18203
+ Target Account Name: None
+ Local User Group NONE
+ Bogus group user added to upon creation
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-514}
+ Domain Guests Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-515}
+ Domain Computers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-516}
+ Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-21\S+-517}
+ Cert Publishers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\.+-518}
+ Schema Admins Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-519}
+ Enterprise Admins Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-520}
+ Group Policy Creator Owners Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ \w* ID:\s+%{S-1-5-21\S+-553}
+ RAS and IAS Servers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-545}
+ Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-546}
+ Guests Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-547}
+ Power Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-548}
+ Account Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-549}
+ Server Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ \w* ID:\s+%{S-1-5-32-550}
+ Print Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-551}
+ Backup Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-552}
+ Replicators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-554}
+ Pre-Windows 2000 Compatible Access Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-555}
+ Remote Desktop Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-556}
+ Network Configuration Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-557}
+ Incoming Forest Trust Builders Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-558}
+ Performance Monitor Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-559}
+ Performance Log Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-560}
+ Windows Authorization Access Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-561}
+ Terminal Server License Servers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-562}
+ Distributed COM Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-498}
+ Enterprise Read-only Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-529}
+ Read-only Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-569}
+ Cryptographic Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-571}
+ Allowed RODC Password Replication Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-572}
+ Denied RODC Password Replication Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-573}
+ Event Log Readers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-574}
+ Certificate Service DCOM Access Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+