X-Git-Url: http://ftp.carnet.hr/pub/carnet-debian/scm?a=blobdiff_plain;f=etc%2Frules%2Fmsauth_rules.xml;h=51ed17b303904f31eac36492fbb1729f8111cb94;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hp=a82246519e876654c3e996c8c8f8e415186b5e9b;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a;p=ossec-hids.git
diff --git a/etc/rules/msauth_rules.xml b/etc/rules/msauth_rules.xml
old mode 100755
new mode 100644
index a822465..51ed17b
--- a/etc/rules/msauth_rules.xml
+++ b/etc/rules/msauth_rules.xml
@@ -1,4 +1,5 @@
-
+ ^65xxx
Group account added/changed/deleted.
+ This rule has been deprecated
account_changed,
18103
- ^13570
+ ^13570$
Windows file system full.
low_diskspace,
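Review bot: the deprecated rule is kept alive with the deliberately non-matching pattern "^65xxx" rather than removed, which preserves its rule ID for any if_sid references but reads like a typo to the next maintainer; put a short comment next to it saying the pattern is intentional, or move the rule into an explicit deprecation block. The "^13570$" anchoring is a good change: without the trailing "$" the old "^13570" also matched any longer ID that merely starts with those digits.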
@@ -196,93 +202,93 @@
18106
- ^529
+ ^529$|^4625$
Logon Failure - Unknown user or bad password.
- http://www.ultimatewindowssecurity.com/events/com190.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
win_authentication_failed,
18106
- ^530
+ ^530$
Logon Failure - Account logon time restriction
violation.
- http://www.ultimatewindowssecurity.com/events/com191.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=530
win_authentication_failed,login_denied,
18106
- ^531
+ ^531$
Logon Failure - Account currently disabled.
- http://www.ultimatewindowssecurity.com/events/com192.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=531
win_authentication_failed,login_denied,
18106
- ^532
+ ^532$
Logon Failure - Specified account expired.
- http://www.ultimatewindowssecurity.com/events/com193.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=532
win_authentication_failed,login_denied,
18106
- ^533
+ ^533$
Logon Failure - User not allowed to login at
this computer.
- http://www.ultimatewindowssecurity.com/events/com194.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=533
win_authentication_failed,login_denied,
18106
- ^534
+ ^534$
Logon Failure - User not granted logon type.
- http://www.ultimatewindowssecurity.com/events/com195.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=534
win_authentication_failed,
18106
- ^535
+ ^535$
Logon Failure - Account's password expired.
- http://www.ultimatewindowssecurity.com/events/com196.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=535
win_authentication_failed,
18106
- ^536|^537
+ ^536$|^537$
Logon Failure - Internal error.
win_authentication_failed,
18106
- ^539
+ ^539$
Logon Failure - Account locked out.
win_authentication_failed,
18105
- ^672|^673|^675|^676|^681|^4769
+ ^673$|^675$|^681$|^4769$
Windows DC Logon Failure.
win_authentication_failed,
-
+
18104
- ^520
+ ^520$|^4616$
System time changed.
time_changed,
18102
- ^1076
+ ^1076$
unexpected shutdown
system_error, system_shutdown,
Unexpected Windows shutdown.
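Review bot: the "Windows DC Logon Failure" rule silently drops 672 and 676 from its match ("^672|^673|^675|^676|^681|^4769" becomes "^673$|^675$|^681$|^4769$") while every other rule in this hunk only gains the "$" anchor and, where one exists, a 46xx counterpart; explain in the commit message why those two IDs go away, or keep them. In the same rule, 4769 is the only Vista-and-later ID listed, so the legacy 673/675/681 entries have no new-style equivalents here, unlike the 529/4625 and 520/4616 pairs. Minor: the 529 rule's info link now points at the 4625 encyclopedia page while the other links keep the legacy event ID, and the blank-line change just above the 18104/520 rule is whitespace only.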
@@ -290,22 +296,22 @@
18104
- ^671|^4767
+ ^671$|^4767$
User account unlocked.
- http://www.ultimatewindowssecurity.com/events/com291.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767
account_changed,
18114
- ^631|^635|^658
+ ^631$|^635$|^658$
Security enabled group created.
adduser,account_changed,
18114
- ^634|^638|^662
+ ^634$|^638$|^662$
Security enabled group deleted.
adduser,account_changed,
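Review bot: the "Security enabled group deleted" rule ("^634$|^638$|^662$") is still tagged adduser,account_changed; a deletion is not an adduser event, and the tag routes it to adduser-based alerting and active responses. These two rules also keep only the legacy IDs (631/635/658 and 634/638/662) while the large hunk below adds dedicated per-group-type rules for exactly the same IDs plus their 47xx counterparts, so one group-creation event can now fire under two different descriptions; decide which set owns these events, or chain the old rules off the new ones.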
@@ -313,45 +319,524 @@
18101
- ^7040
+ ^7040$
policy_changed,
Service startup type was changed.
- This does not appear to be logged on Windows 2000.
+ This does not appear to be logged on Windows 2000.
18101
- ^11724
+ ^11724$
alert_by_email
Application Uninstalled.
18101
- ^11707
+ ^11707$
alert_by_email
Application Installed.
18104
- ^4608
+ ^4608$
Windows is starting up.
18104
- ^538|^4634|^4647
+ ^538$|^551$|^4634$|^4647$
Windows User Logoff.
+
+
+
+ 18104
+ ^631$|^4727$|^635$|^4731$|^658$|^4754$|^648$|^4744$|^653$|^4749$|
+ ^663$|^4759$
+ Group Account Created
+ group_created,win_group_created,
+
+
+
+ 18104
+ ^634$|^4730$|^638$|^4734$|^662$|^4758$|^652$|^4748$|^657$|^4753$|
+ ^667$|^4763$
+ Group Account Deleted
+ group_deleted,win_group_deleted,
+
+
+
+ 18200
+ ^631$|^4727$
+ Security Enabled Global Group Created
+ group_created,win_group_created,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=631
+
+
+
+ 18114
+ ^632$|^4728$
+ Security Enabled Global Group Member Added
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632
+
+
+
+ 18114
+ ^633$|^4729$
+ Security Enabled Global Group Member Removed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=633
+
+
+
+ 18201
+ ^634$|^4730$
+ Security Enabled Global Group Deleted
+ group_deleted,win_group_deleted,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=634
+
+
+
+ 18200
+ ^635$|^4731$
+ Security Enabled Local Group Created
+ group_created,win_group_created,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=635
+
+
+
+ 18114
+ ^636$|^4732$
+ Security Enabled Local Group Member Added
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=636
+
+
+
+ 18114
+ ^637$|^4733$
+ Security Enabled Local Group Member Removed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=637
+
+
+
+ 18201
+ ^638$|^4734$
+ Security Enabled Local Group Deleted
+ group_deleted,win_group_deleted,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=638
+
+
+
+ 18114
+ ^639$|^4735$
+ Security Enabled Local Group Changed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=639
+
+
+
+ 18114
+ ^641$|^4737$
+ Security Enabled Global Group Changed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=641
+
+
+
+ 18200
+ ^658$|^4754$
+ Security Enabled Universal Group Created
+ group_created,win_group_created,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=658
+
+
+
+ 18114
+ ^659$|^4755$
+ Security Enabled Universal Group Changed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=659
+
+
+
+ 18114
+ ^660$|^4756$
+ Security Enabled Universal Group Member Added
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=660
+
+
+
+ 18114
+ ^661$|^4757$
+ Security Enabled Universal Group Member Removed
+ group_changed,win_group_changed,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=661
+
+
+
+ 18201
+ ^662$|^4758$
+ Security Enabled Universal Group Deleted
+ group_deleted,win_group_deleted,
+ http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=662
+
+
+
+ 18207,18208
+ ID:\s+\p*S-1-5-32-544
+ Administrators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-1-0}| ID:\s+S-1-1-0
+ Everyone Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-9}| ID:\s+S-1-5-9
+ Enterprise Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-11}| ID:\s+S-1-5-11
+ Authenticated Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-13}| ID:\s+S-1-5-13
+ Terminal Server Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-512}| ID:\s+S-1-5-21\S+-512
+ Domain Admins Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-513}| ID:\s+S-1-5-21\S+-513
+ Domain Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18223,18203
+ Target Account Name: None
+ Local User Group NONE
+ Bogus group user added to upon creation
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-514}| ID:\s+S-1-5-21\S+-514
+ Domain Guests Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-515}| ID:\s+S-1-5-21\S+-515
+ Domain Computers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-516}| ID:\s+S-1-5-21\S+-516
+ Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-21\S+-517}| ID:\s+S-1-5-21\S+-517
+ Cert Publishers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\.+-518}| ID:\s+S-1-5-21\.+-518
+ Schema Admins Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-519}| ID:\s+S-1-5-21\S+-519
+ Enterprise Admins Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18203,18204
+ ID:\s+%{S-1-5-21\S+-520}| ID:\s+S-1-5-21\S+-520
+ Group Policy Creator Owners Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-21\S+-553}| ID:\s+S-1-5-21\S+-553
+ RAS and IAS Servers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-545}| ID:\s+S-1-5-32-545
+ Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-546}| ID:\s+S-1-5-32-546
+ Guests Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-547}| ID:\s+S-1-5-32-547
+ Power Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-548}| ID:\s+S-1-5-32-548
+ Account Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-549}| ID:\s+S-1-5-32-549
+ Server Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-550}| ID:\s+S-1-5-32-550
+ Print Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-551}| ID:\s+S-1-5-32-551
+ Backup Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-552}| ID:\s+S-1-5-32-552
+ Replicators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-554}| ID:\s+S-1-5-32-554
+ Pre-Windows 2000 Compatible Access Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-555}| ID:\s+S-1-5-32-555
+ Remote Desktop Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-556}| ID:\s+S-1-5-32-556
+ Network Configuration Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-557}| ID:\s+S-1-5-32-557
+ Incoming Forest Trust Builders Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-558}| ID:\s+S-1-5-32-558
+ Performance Monitor Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-559}| ID:\s+S-1-5-32-559
+ Performance Log Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-560}| ID:\s+S-1-5-32-560
+ Windows Authorization Access Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-561}| ID:\s+S-1-5-32-561
+ Terminal Server License Servers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-562}| ID:\s+S-1-5-32-562
+ Distributed COM Users Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-498}| ID:\s+S-1-5-\s*21\.+\s*-498
+ Enterprise Read-only Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-529}| ID:\s+S-1-5-\s*21\.+\s*-529
+ Read-only Domain Controllers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-569}| ID:\s+S-1-5-32-569
+ Cryptographic Operators Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-571}| ID:\s+S-1-5-\s*21\.+\s*-571
+ Allowed RODC Password Replication Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-\s*21\.+\s*-572}| ID:\s+S-1-5-\s*21\.+\s*-572
+ Denied RODC Password Replication Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-573}| ID:\s+S-1-5-32-573
+ Event Log Readers Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18207,18208
+ ID:\s+%{S-1-5-32-574}| ID:\s+S-1-5-32-574
+ Certificate Service DCOM Access Group Changed
+ group_changed,win_group_changed,
+ http://support.microsoft.com/kb/243330
+
+
+
+ 18101
+ ^200$|^300$|^302$
+ TS Gateway login success.
+ authentication_success,
+ https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx
+
+
+
+ 18102, 18103
+ ^201$|^203$|^204$|^301$|^304$|^305$|^306$|^1001$
+ TS Gateway login failure.
+ authentication_failed,
+ https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx
+
+
+
+ 18101
+ ^202$|^303$
+ TS Gateway user disconnected.
+ https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx
+
18107,18149
- ^528|^538|^540
+ ^528$|^538$|^540$|^4624$
^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON
Windows Logon Success (ignored).
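Review bot: the "Group Account Created" and "Group Account Deleted" rules split their id list over two lines with a trailing "|" ("...^653$|^4749$|" followed by "^663$|^4759$"). The element text is read as one pattern, so the line break and indentation become part of the last alternative and "663"/"4759" will not match a bare event ID; keep each list on a single line. Other points in this hunk: the Administrators rule uses "ID:\s+\p*S-1-5-32-544" while every other SID rule uses the "%{SID}| ID:\s+SID" pair, and the domain-SID rules mix "\S+" with "\.+" for the domain part (518, 498, 529, 571 and 572 use "\.+", which in OSSEC regex matches any character, so those rules are looser than the "\S+" ones); pick one form for all of them. The "TS Gateway login failure" rule writes its parents as "18102, 18103" with a space, unlike every other if_sid list in the file; drop the space unless the parser is known to tolerate it. The "Bogus group user added to upon creation" rule has no group tags and an unclear description; say what "Target Account Name: None" indicates and tag it like the other group_changed rules. The new info links use http:// for ultimatewindowssecurity.com although the earlier hunk moved the existing links to https://.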
@@ -363,7 +848,7 @@
Failure Code: 0x1F
Windows DC integrity check on decrypted
field failed.
- http://www.ultimatewindowssecurity.com/kerberrors.html
+
win_authentication_failed,attacks,
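Review bot: removing the dead kerberrors.html link leaves an empty info element (the "+" line carries nothing); either drop the element entirely or point it at a replacement, as the other rules in this change were moved to the securitylog encyclopedia URLs. The same applies to the next two hunks for failure codes 0x22 and 0x25.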
@@ -371,7 +856,7 @@
18139
Failure Code: 0x22
Windows DC - Possible replay attack.
- http://www.ultimatewindowssecurity.com/kerberrors.html
+
win_authentication_failed,attacks,
@@ -379,7 +864,7 @@
18139
Failure Code: 0x25
Windows DC - Clock skew too great.
- http://www.ultimatewindowssecurity.com/kerberrors.html
+
win_authentication_failed,attacks,
@@ -387,18 +872,32 @@
18105
- ^18456
+ ^18456$
win_authentication_failed,
MS SQL Server Logon Failure.
18104
- ^18454|^18453
+ ^18454$|^18453$
MS SQL Server Logon Success.
authentication_success,
+
+
+ 18107
+ ^4624$
+ Logon Type: 8
+ MS Exchange Logon Success.
+
+
+
+ 18149
+ ^4634$
+ Logon Type: 8
+ User Logoff Exchange.
+
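Review bot: the two new Exchange rules key on "Logon Type: 8" under 4624 and 4634. Logon type 8 (NetworkCleartext) is what IIS basic authentication produces for any web application, not only Exchange, so "MS Exchange Logon Success" and "User Logoff Exchange" overstate what was matched; qualify the description or add a match that is actually Exchange-specific. Unlike the SQL Server rules directly above, which carry authentication_success, these rules have no group tags and will not feed group-based correlation; add authentication_success to the 4624 rule at least.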
@@ -435,6 +934,39 @@
Multiple remote access login failures.
authentication_failures,
+
+
+ 18258
+ Multiple TS Gateway login failures.
+ authentication_failures,
+
+
+
+
+ 18103
+ chromoting
+ : chromoting: \.* Access denied for client:
+ Chrome Remote Desktop attempt - access denied
+
+
+
+ 18101
+ chromoting
+ : chromoting: \.* Client connected:
+ Chrome Remote Desktop attempt - connected
+
+
+
+ 18101
+ chromoting
+ : chromoting: \.* Client disconnected:
+ Chrome Remote Desktop attempt - disconnected
+
+
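Review bot: the three Chrome Remote Desktop rules carry no group tags, while the TS Gateway rules added in this change tag success as authentication_success and denial as authentication_failed; tag "Access denied for client" as authentication_failed and "Client connected" as authentication_success so the existing "Multiple ... login failures" correlation rules can see them. The descriptions also read oddly: "attempt - connected" and "attempt - disconnected" are not attempts; "Chrome Remote Desktop client connected/disconnected" is clearer. The new "Multiple TS Gateway login failures" rule shows only its parent (18258) and description in this hunk; make sure its frequency and timeframe mirror the "Multiple remote access login failures" rule it sits beside.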