[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] Windows rules

To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Windows rules
From: Amedeo Salvati <amedeo.salvati@xxxxxxxxxx>
Date: Tue, 08 Aug 2006 10:10:46 +0200
Content-transfer-encoding: 7bit


Hi Daniel,

recently i saw that on windows rules:

 <rule id="8006" level="5">
   <if_sid>8005</if_sid>
   <id>^529|^530|^531|^532|^533|^534|^535|^536|^537|^539</id>
   <group>authentication_failed</group>
   <description>Windows Logon Failure.</description>
 </rule>

there aren't 681 code for authentication failed code on MS win 2000 DCand 680 authentication success|failed code for authentication via NTLMon MS win 2003 DC


Please refer to:
http://www.ultimatewindowssecurity.com/events/com304.html

and:
http://www.ultimatewindowssecurity.com/ntlmerrors.html

don't forget that on windows 2003 DC 680 code is logged either forsucces and failed authentication!



Hope it helps
amedeo

Follow-Ups:
- [ossec-list] Re: Windows rules
  - From: Daniel Cid

Prev by Date: [ossec-list] Re: ossec 0.9
Next by Date: [ossec-list] OSSEC SLASHDOTED :)
Previous by thread: [ossec-list] Re: Can IP ranges be put in the whitelist
Next by thread: [ossec-list] Re: Windows rules
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.