X-Git-Url: http://ftp.carnet.hr/pub/carnet-debian/scm?a=blobdiff_plain;f=etc%2Frules%2Fmsauth_rules.xml;h=51ed17b303904f31eac36492fbb1729f8111cb94;hb=refs%2Ftags%2Fdebian%2F3.3.0-1;hp=eda0490462ecfd4822e2cca218435486c0c0e25f;hpb=6ef2f786c6c8ead94841b5f93baf9f43421f08c8;p=ossec-hids.git
diff --git a/etc/rules/msauth_rules.xml b/etc/rules/msauth_rules.xml
old mode 100755
new mode 100644
index eda0490..51ed17b
--- a/etc/rules/msauth_rules.xml
+++ b/etc/rules/msauth_rules.xml
@@ -62,27 +62,27 @@
18104
- ^528$|^540$|^672$|^673$|^4624$|^4769$
+ ^528$|^540$|^673$|^4624$|^4769$
Windows Logon Success.
authentication_success,
18105
- ^577$
+ ^577$|^4673$
Failed attempt to perform a privileged
operation.
18104
- ^682$|^683$
+ ^682$|^683$|^4778$|^4779$
Session reconnected/disconnected to winstation.
18104
- ^624$|^626$|^645$|^4720$|^4722$|^4741$
+ ^624$|^626$|^4720$|^4722$
User account enabled or created.
adduser,account_changed,
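Review bot: the logon-success pattern drops `^672$` (the 2003 "Authentication Ticket Granted" event) but keeps `^673$` and `^4769$`, which are the 2003 and 2008 service-ticket-granted events, the same class of Kerberos ticket event as 672. If the intent is to stop classifying Kerberos ticket issuance as "Windows Logon Success", 673 and 4769 should go as well; otherwise the commit should explain why only the TGT event is removed.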
@@ -103,7 +103,7 @@
18104
- ^612$|^643$|^4719$|^4907$|^4912$
+ ^612$|^643$|^4719$|^4907$|^4912$|^4719$
Windows Audit Policy changed.
policy_changed,
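Review bot: `^4719$` appears twice in the new pattern (`^612$|^643$|^4719$|^4907$|^4912$|^4719$`); the trailing alternative is a duplicate and should be dropped. If a different audit-policy event ID was meant for that slot, the change needs to spell it out rather than repeat 4719.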
@@ -123,7 +123,7 @@
18104
^640$
General account database changed.
- http://www.ultimatewindowssecurity.com/events/com259.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=640
adduser,account_changed,
@@ -143,7 +143,7 @@
18104
- ^517$
+ ^517$|^1102$
Windows audit log was cleared.
logs_cleared,
@@ -176,10 +176,10 @@
authentication_success,
-
+
18104
- ^646$|^647$
- Computer account changed/deleted.
+ ^646$|^645$|^647$|^4741$|^4742$|^4743$
+ Computer account added/changed/deleted.
account_changed,
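Review bot: the description now says "added" and the pattern picks up `^645$` and `^4741$` (the IDs removed from the "User account enabled or created" rule earlier in this patch), but the group stays `account_changed,` while the rule those IDs came from is tagged `adduser,account_changed,`; either add an account-creation group here or confirm that composite rules keyed on `adduser` should no longer fire for computer accounts. The `-`/`+` pair at the top of the hunk is a whitespace-only change and adds noise to the diff.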
@@ -202,9 +202,9 @@
18106
- ^529$
+ ^529$|^4625$
Logon Failure - Unknown user or bad password.
- http://www.ultimatewindowssecurity.com/events/com190.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
win_authentication_failed,
@@ -213,7 +213,7 @@
^530$
Logon Failure - Account logon time restriction
violation.
- http://www.ultimatewindowssecurity.com/events/com191.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=530
win_authentication_failed,login_denied,
@@ -221,7 +221,7 @@
18106
^531$
Logon Failure - Account currently disabled.
- http://www.ultimatewindowssecurity.com/events/com192.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=531
win_authentication_failed,login_denied,
@@ -229,7 +229,7 @@
18106
^532$
Logon Failure - Specified account expired.
- http://www.ultimatewindowssecurity.com/events/com193.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=532
win_authentication_failed,login_denied,
@@ -238,7 +238,7 @@
^533$
Logon Failure - User not allowed to login at
this computer.
- http://www.ultimatewindowssecurity.com/events/com194.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=533
win_authentication_failed,login_denied,
@@ -246,7 +246,7 @@
18106
^534$
Logon Failure - User not granted logon type.
- http://www.ultimatewindowssecurity.com/events/com195.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=534
win_authentication_failed,
@@ -254,7 +254,7 @@
18106
^535$
Logon Failure - Account's password expired.
- http://www.ultimatewindowssecurity.com/events/com196.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=535
win_authentication_failed,
@@ -274,14 +274,14 @@
18105
- ^672$|^673$|^675$|^676$|^681$|^4769$
+ ^673$|^675$|^681$|^4769$
Windows DC Logon Failure.
win_authentication_failed,
18104
- ^520$
+ ^520$|^4616$
System time changed.
time_changed,
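Review bot: `^672$` and `^676$` are both removed from "Windows DC Logon Failure" with nothing added in their place. Dropping 672 (a ticket-granted success event) is reasonable for a failure rule, but 676 is the 2003 "Authentication Ticket Request Failed" event and the new pattern `^673$|^675$|^681$|^4769$` carries no counterpart for it, so those failures stop matching here; confirm another rule covers them or keep 676.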
@@ -298,7 +298,7 @@
18104
^671$|^4767$
User account unlocked.
- http://www.ultimatewindowssecurity.com/events/com291.html
+ https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767
account_changed,
@@ -347,7 +347,7 @@
18104
- ^538$|^4634$|^4647$
+ ^538$|^551$|^4634$|^4647$
Windows User Logoff.
@@ -499,7 +499,7 @@
18207,18208
- ID:\s+%{S-1-1-0}
+ ID:\s+%{S-1-1-0}| ID:\s+S-1-1-0
Everyone Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
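Review bot: the new alternative `| ID:\s+S-1-1-0` begins with a literal space before `ID:`, so it only matches when a space precedes the field, and it drops the `%{...}` wrapper without adding any terminator after the SID, so nothing marks where the SID string ends. The same shape is repeated in every group-changed hunk below; consider `|ID:\s+S-1-1-0` followed by a delimiter such as `\s` or `$` so the bare form is as exact as the wrapped one.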
@@ -507,7 +507,7 @@
18207,18208
- ID:\s+%{S-1-5-9}
+ ID:\s+%{S-1-5-9}| ID:\s+S-1-5-9
Enterprise Domain Controllers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -515,7 +515,7 @@
18207,18208
- ID:\s+%{S-1-5-11}
+ ID:\s+%{S-1-5-11}| ID:\s+S-1-5-11
Authenticated Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -523,7 +523,7 @@
18207,18208
- ID:\s+%{S-1-5-13}
+ ID:\s+%{S-1-5-13}| ID:\s+S-1-5-13
Terminal Server Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -531,7 +531,7 @@
18203,18204
- ID:\s+%{S-1-5-21\S+-512}
+ ID:\s+%{S-1-5-21\S+-512}| ID:\s+S-1-5-21\S+-512
Domain Admins Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
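Review bot: for the well-known domain RIDs the closing `}` of `%{...}` used to delimit the end of the SID; the bare alternative `ID:\s+S-1-5-21\S+-512` ends at `-512` with no delimiter, so unless the engine requires the token to end there it also matches SIDs whose RID merely starts with 512 (for instance a custom group with RID 5120), which would be reported as a Domain Admins change. A trailing `$` or whitespace class after the RID keeps the match exact; this applies to the -513 through -520 hunks as well.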
@@ -539,22 +539,22 @@
18203,18204
- ID:\s+%{S-1-5-21\S+-513}
+ ID:\s+%{S-1-5-21\S+-513}| ID:\s+S-1-5-21\S+-513
Domain Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
-
- 18223,18203
- Target Account Name: None
- Local User Group NONE
- Bogus group user added to upon creation
-
+
+ 18223,18203
+ Target Account Name: None
+ Local User Group NONE
+ Bogus group user added to upon creation
+
18203,18204
- ID:\s+%{S-1-5-21\S+-514}
+ ID:\s+%{S-1-5-21\S+-514}| ID:\s+S-1-5-21\S+-514
Domain Guests Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
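Review bot: the `Target Account Name: None` / `Local User Group NONE` rule is removed and re-added with only its indentation changed; whitespace-only churn in the middle of a run of pattern changes hides the one real change in this hunk (`-514`) and belongs in a separate formatting commit.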
@@ -562,7 +562,7 @@
18203,18204
- ID:\s+%{S-1-5-21\S+-515}
+ ID:\s+%{S-1-5-21\S+-515}| ID:\s+S-1-5-21\S+-515
Domain Computers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -570,7 +570,7 @@
18203,18204
- ID:\s+%{S-1-5-21\S+-516}
+ ID:\s+%{S-1-5-21\S+-516}| ID:\s+S-1-5-21\S+-516
Domain Controllers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -578,7 +578,7 @@
18207,18208
- ID:\s+%{S-1-5-21\S+-517}
+ ID:\s+%{S-1-5-21\S+-517}| ID:\s+S-1-5-21\S+-517
Cert Publishers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -586,7 +586,7 @@
18203,18204
- ID:\s+%{S-1-5-21\.+-518}
+ ID:\s+%{S-1-5-21\.+-518}| ID:\s+S-1-5-21\.+-518
Schema Admins Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
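Review bot: this pattern uses `\.+` (`S-1-5-21\.+-518`) where its neighbours use `\S+`; in OSSEC regex `\.` matches any character including whitespace, so this one can run across fields. The patch copies the variant into the new alternative instead of aligning it with the -512 to -520 rules; since the line is being touched anyway, switch it to `\S+`.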
@@ -594,7 +594,7 @@
18203,18204
- ID:\s+%{S-1-5-21\S+-519}
+ ID:\s+%{S-1-5-21\S+-519}| ID:\s+S-1-5-21\S+-519
Enterprise Admins Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -602,7 +602,7 @@
18203,18204
- ID:\s+%{S-1-5-21\S+-520}
+ ID:\s+%{S-1-5-21\S+-520}| ID:\s+S-1-5-21\S+-520
Group Policy Creator Owners Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -610,7 +610,7 @@
18207,18208
- \w* ID:\s+%{S-1-5-21\S+-553}
+ ID:\s+%{S-1-5-21\S+-553}| ID:\s+S-1-5-21\S+-553
RAS and IAS Servers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -618,7 +618,7 @@
18207,18208
- ID:\s+%{S-1-5-32-545}
+ ID:\s+%{S-1-5-32-545}| ID:\s+S-1-5-32-545
Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -626,7 +626,7 @@
18207,18208
- ID:\s+%{S-1-5-32-546}
+ ID:\s+%{S-1-5-32-546}| ID:\s+S-1-5-32-546
Guests Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -634,7 +634,7 @@
18207,18208
- ID:\s+%{S-1-5-32-547}
+ ID:\s+%{S-1-5-32-547}| ID:\s+S-1-5-32-547
Power Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -642,7 +642,7 @@
18207,18208
- ID:\s+%{S-1-5-32-548}
+ ID:\s+%{S-1-5-32-548}| ID:\s+S-1-5-32-548
Account Operators Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -650,7 +650,7 @@
18207,18208
- ID:\s+%{S-1-5-32-549}
+ ID:\s+%{S-1-5-32-549}| ID:\s+S-1-5-32-549
Server Operators Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -658,7 +658,7 @@
18207,18208
- \w* ID:\s+%{S-1-5-32-550}
+ ID:\s+%{S-1-5-32-550}| ID:\s+S-1-5-32-550
Print Operators Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -666,7 +666,7 @@
18207,18208
- ID:\s+%{S-1-5-32-551}
+ ID:\s+%{S-1-5-32-551}| ID:\s+S-1-5-32-551
Backup Operators Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -674,7 +674,7 @@
18207,18208
- ID:\s+%{S-1-5-32-552}
+ ID:\s+%{S-1-5-32-552}| ID:\s+S-1-5-32-552
Replicators Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -682,7 +682,7 @@
18207,18208
- ID:\s+%{S-1-5-32-554}
+ ID:\s+%{S-1-5-32-554}| ID:\s+S-1-5-32-554
Pre-Windows 2000 Compatible Access Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -690,7 +690,7 @@
18207,18208
- ID:\s+%{S-1-5-32-555}
+ ID:\s+%{S-1-5-32-555}| ID:\s+S-1-5-32-555
Remote Desktop Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -698,7 +698,7 @@
18207,18208
- ID:\s+%{S-1-5-32-556}
+ ID:\s+%{S-1-5-32-556}| ID:\s+S-1-5-32-556
Network Configuration Operators Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -706,7 +706,7 @@
18207,18208
- ID:\s+%{S-1-5-32-557}
+ ID:\s+%{S-1-5-32-557}| ID:\s+S-1-5-32-557
Incoming Forest Trust Builders Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -714,7 +714,7 @@
18207,18208
- ID:\s+%{S-1-5-32-558}
+ ID:\s+%{S-1-5-32-558}| ID:\s+S-1-5-32-558
Performance Monitor Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -722,7 +722,7 @@
18207,18208
- ID:\s+%{S-1-5-32-559}
+ ID:\s+%{S-1-5-32-559}| ID:\s+S-1-5-32-559
Performance Log Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -730,7 +730,7 @@
18207,18208
- ID:\s+%{S-1-5-32-560}
+ ID:\s+%{S-1-5-32-560}| ID:\s+S-1-5-32-560
Windows Authorization Access Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -738,7 +738,7 @@
18207,18208
- ID:\s+%{S-1-5-32-561}
+ ID:\s+%{S-1-5-32-561}| ID:\s+S-1-5-32-561
Terminal Server License Servers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -746,7 +746,7 @@
18207,18208
- ID:\s+%{S-1-5-32-562}
+ ID:\s+%{S-1-5-32-562}| ID:\s+S-1-5-32-562
Distributed COM Users Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -754,7 +754,7 @@
18207,18208
- ID:\s+%{S-1-5-\s*21\.+\s*-498}
+ ID:\s+%{S-1-5-\s*21\.+\s*-498}| ID:\s+S-1-5-\s*21\.+\s*-498
Enterprise Read-only Domain Controllers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -762,7 +762,7 @@
18207,18208
- ID:\s+%{S-1-5-\s*21\.+\s*-529}
+ ID:\s+%{S-1-5-\s*21\.+\s*-529}| ID:\s+S-1-5-\s*21\.+\s*-529
Read-only Domain Controllers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -770,7 +770,7 @@
18207,18208
- ID:\s+%{S-1-5-32-569}
+ ID:\s+%{S-1-5-32-569}| ID:\s+S-1-5-32-569
Cryptographic Operators Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -778,7 +778,7 @@
18207,18208
- ID:\s+%{S-1-5-\s*21\.+\s*-571}
+ ID:\s+%{S-1-5-\s*21\.+\s*-571}| ID:\s+S-1-5-\s*21\.+\s*-571
Allowed RODC Password Replication Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -786,7 +786,7 @@
18207,18208
- ID:\s+%{S-1-5-\s*21\.+\s*-572}
+ ID:\s+%{S-1-5-\s*21\.+\s*-572}| ID:\s+S-1-5-\s*21\.+\s*-572
Denied RODC Password Replication Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -794,7 +794,7 @@
18207,18208
- ID:\s+%{S-1-5-32-573}
+ ID:\s+%{S-1-5-32-573}| ID:\s+S-1-5-32-573
Event Log Readers Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
@@ -802,18 +802,41 @@
18207,18208
- ID:\s+%{S-1-5-32-574}
+ ID:\s+%{S-1-5-32-574}| ID:\s+S-1-5-32-574
Certificate Service DCOM Access Group Changed
group_changed,win_group_changed,
http://support.microsoft.com/kb/243330
+
+
+ 18101
+ ^200$|^300$|^302$
+ TS Gateway login success.
+ authentication_success,
+ https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx
+
+
+
+ 18102, 18103
+ ^201$|^203$|^204$|^301$|^304$|^305$|^306$|^1001$
+ TS Gateway login failure.
+ authentication_failed,
+ https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx
+
+
+
+ 18101
+ ^202$|^303$
+ TS Gateway user disconnected.
+ https://technet.microsoft.com/en-us/library/cc775181(v=ws.10).aspx
+
18107,18149
- ^528$|^538$|^540$
+ ^528$|^538$|^540$|^4624$
^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON
Windows Logon Success (ignored).
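Review bot: the three new TS Gateway rules key only on event IDs (`^200$|^300$|^302$` and so on) under parents 18101/18102/18103 with no source or provider restriction visible, so any Windows event with ID 200, 201, 301 etc. from another provider would be classified as a TS Gateway login; scope them the way the Chrome Remote Desktop rules at the end of this patch do with their `chromoting` match. Also, `18102, 18103` has a space after the comma where every other if_sid list in the file has none, and the "TS Gateway user disconnected" rule has no group line while its two siblings do.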
@@ -825,7 +848,7 @@
Failure Code: 0x1F
Windows DC integrity check on decrypted
field failed.
- http://www.ultimatewindowssecurity.com/kerberrors.html
+
win_authentication_failed,attacks,
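Review bot: replacing the dead kerberrors.html link with an empty `+` line leaves the info entry empty; either remove the entry altogether or point it at the current location of the Kerberos failure-code reference. The same applies to the next two hunks (failure codes 0x22 and 0x25).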
@@ -833,7 +856,7 @@
18139
Failure Code: 0x22
Windows DC - Possible replay attack.
- http://www.ultimatewindowssecurity.com/kerberrors.html
+
win_authentication_failed,attacks,
@@ -841,7 +864,7 @@
18139
Failure Code: 0x25
Windows DC - Clock skew too great.
- http://www.ultimatewindowssecurity.com/kerberrors.html
+
win_authentication_failed,attacks,
@@ -861,6 +884,20 @@
authentication_success,
+
+
+ 18107
+ ^4624$
+ Logon Type: 8
+ MS Exchange Logon Success.
+
+
+
+ 18149
+ ^4634$
+ Logon Type: 8
+ User Logoff Exchange.
+
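Review bot: the new "MS Exchange Logon Success" and "User Logoff Exchange" rules match only `^4624$`/`^4634$` with `Logon Type: 8`; nothing in the rule ties the event to Exchange, and logon type 8 (network cleartext) is also produced by IIS basic authentication and other services, so the descriptions overstate what is matched. Either rename them to describe logon type 8 or add a match on an Exchange-specific field. Neither rule carries a group line, unlike the `authentication_success,` context line above, so they will not feed group-based composite rules.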
@@ -897,6 +934,39 @@
Multiple remote access login failures.
authentication_failures,
+
+
+ 18258
+ Multiple TS Gateway login failures.
+ authentication_failures,
+
+
+
+
+ 18103
+ chromoting
+ : chromoting: \.* Access denied for client:
+ Chrome Remote Desktop attempt - access denied
+
+
+
+ 18101
+ chromoting
+ : chromoting: \.* Client connected:
+ Chrome Remote Desktop attempt - connected
+
+
+
+ 18101
+ chromoting
+ : chromoting: \.* Client disconnected:
+ Chrome Remote Desktop attempt - disconnected
+
+
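Review bot: the three Chrome Remote Desktop rules have descriptions but no group line, unlike the TS Gateway rules added earlier (`authentication_failed,`), so the "Access denied for client" rule will not count toward any `authentication_failed` frequency or correlation rule; add `authentication_failed,` and `authentication_success,` groups to match the rest of the file. The `\.*` in `: chromoting: \.* Access denied for client:` matches any run of characters and adds little once the literal `: chromoting: ` prefix is present; a plain `Access denied for client:` match would be simpler and faster. "attempt - connected" and "attempt - disconnected" also read oddly for a successful session; "Chrome Remote Desktop client connected/disconnected" is clearer.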