Hi, thanks a lot for your help. If you are interested, I have found some technical guides that speak about my problem; one relevant to correlating events is:

http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/smpgch04.mspx

which describes some solutions.

Thanks for your time,
Amedeo Salvati

-----Original Message-----
From: Eric Fitzgerald [mailto:Eric.Fitzgerald@private]
Sent: Mon 20/03/2006 20:59
To: James Turnbull; Salvati Amedeo
Cc: loganalysis@private
Subject: RE: [logs] Re: RIF: Microsoft Event ID

In general, there are very few time/count correlation patterns of interest in the Windows security log. Remember that the Windows security log is an audit trail, not an IDS log.

Common Criteria calls out two patterns of interest, which we will support in Vista:

1. Time/count threshold alerting for logon failures, to detect password guessing attacks. Drawing on operational experience here at Microsoft, I recommend that your count threshold be 25 or higher for a duration of 1 min or less, to eliminate most false positive noise. This is analogous to the account lockout feature; a count of 25 will exceed any user's patience when they forget their password, and you'll be left with mostly failures due to misconfigured automation (wrong password stored in a script somewhere), and perhaps an actual attack. Anecdotally, the only time I've actually seen a password guessing attack in a real live audit log, it was a poorly written password strength scanner.

2. Time/count thresholding for object access violations. This is a new requirement in Common Criteria and although we're going to support it, I haven't had a chance to observe it in actual operation. I suspect that in practice the typical object access failure pattern is going to vary widely depending on the object and the applications which use it.

Best regards,
Eric

Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation
425-705-9601

-----Original Message-----
From: loganalysis-bounces+ericf=windows.microsoft.com@private [mailto:loganalysis-bounces+ericf=windows.microsoft.com@private] On Behalf Of James Turnbull
Sent: Thursday, March 16, 2006 4:34 PM
To: Salvati Amedeo
Cc: loganalysis@private
Subject: [logs] Re: RIF: Microsoft Event ID

Salvati Amedeo wrote:
> Yes, I have just visited both eventid.net and ultimatewindowssecurity.com
> for filtering low-importance events from high, but now I want to set up some
> correlation criteria,
> e.g. 3 times one username tries to log on to one or more hosts and fails, and
> then the same username logs on to the same or another host.
>
> But my problem is just knowing the main logs to monitor, e.g. the top 10 event
> IDs
>

I don't know of any resource like that. I think you would need to experiment with test cases - like the example you provided - and then record the resulting log entries and build correlation rules from there.

> Thanks for your time and for Nagios
> amedeo
>

I didn't develop Nagios - its developer is Ethan Galstad - I merely wrote a book about it. :)

Regards

James Turnbull

--
James Turnbull <james@private>
---
Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
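The first pattern Eric Fitzgerald describes (alert when one account accumulates 25 or more logon failures inside one minute) is easy to express as a sliding-window count per account. The block below is an added example and not code from the thread, Microsoft, or either correspondent. It assumes the events have already been parsed out of the security log into (timestamp, event ID, account, source) tuples; the Event IDs used (529 for "logon failure: unknown user name or bad password" and 528 for a successful logon on Windows 2000/2003, 4625/4624 on Vista and later) are well known but are not named anywhere on the page, and the sample events are constructed, not taken from a real audit log. The sample data contrasts the two populations Eric mentions: a human who mistypes a password a few times and gives up, and a service account with a stale stored password that fails in a tight loop.

```python
"""Time/count threshold alerting on Windows logon failures.

Added example, not from the mailing-list thread. Assumptions: events are
already parsed into (timestamp, event_id, account, source) tuples; Event
ID 529 is the pre-Vista "logon failure: unknown user name or bad
password" audit event (4625 on Vista and later) and 528 is a successful
logon (4624 later). The 25-in-60s figures are the operational threshold
recommended in the thread.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_FAILURE_IDS = {529, 4625}   # assumption: the page names no specific IDs
COUNT_THRESHOLD = 25              # from the thread: "25 or higher"
WINDOW = timedelta(seconds=60)    # from the thread: "1 min or less"


def detect_password_guessing(events, count_threshold=COUNT_THRESHOLD, window=WINDOW):
    """Return one alert per (account, source) the first time that key
    accumulates `count_threshold` logon failures inside `window`.

    `events` is an iterable of (timestamp, event_id, account, source)
    tuples in any order; they are sorted by timestamp first so a late
    record cannot make the window run backwards.
    """
    recent = defaultdict(deque)   # (account, source) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ts, event_id, account, source in sorted(events, key=lambda e: e[0]):
        if event_id not in LOGON_FAILURE_IDS:
            continue              # audit trail, not an IDS log: only failures count here
        key = (account.lower(), source)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # expire failures that fell out of the window
        if len(q) >= count_threshold and key not in alerted:
            alerted.add(key)      # one alert per key, not one per extra failure
            alerts.append({
                "account": key[0],
                "source": source,
                "count": len(q),
                "first": q[0],
                "last": ts,
            })
    return alerts


def build_sample_events():
    """Constructed sample data (not a real audit log).

    * 'alice' mistypes her password 5 times over about two minutes and then
      gets in: a forgetful human, which a 25-in-60s rule must not flag.
    * 'svc_backup' fails 30 times in 30 seconds from one host: misconfigured
      automation or an attack; either way it crosses the threshold.
    """
    t0 = datetime(2006, 3, 20, 20, 59, 0)
    events = []
    for i in range(5):
        events.append((t0 + timedelta(seconds=25 * i), 529, "alice", "WKS01"))
    events.append((t0 + timedelta(seconds=130), 528, "alice", "WKS01"))   # eventual success
    for i in range(30):
        events.append((t0 + timedelta(seconds=i), 529, "svc_backup", "SRV07"))
    return events


if __name__ == "__main__":
    for a in detect_password_guessing(build_sample_events()):
        print(f"ALERT {a['account']}@{a['source']}: {a['count']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Keying on (account, source) rather than account alone keeps a script on one host from being confused with a distributed guessing attempt, and the lockout-style "alert once per key" rule keeps a 10,000-failure loop from producing 10,000 alerts. Lowering the count to 5 with the same 60-second window still does not flag the human in the sample, because her five failures are spread over 100 seconds; only widening the window to two minutes catches her, which is exactly the false-positive trade-off the thread warns about.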
This archive was generated by hypermail 2.1.3 : Mon Mar 20 2006 - 15:30:35 PST