[logs] Re: RIF: Microsoft Event ID

From: Eric Fitzgerald (Eric.Fitzgerald@private)
Date: Mon Mar 20 2006 - 14:36:04 PST


Excellent.  As a side note, I provided material for and reviewed that
article :-)

 

________________________________

From: Salvati Amedeo [mailto:amedeo.salvati@private] 
Sent: Monday, March 20, 2006 2:32 PM
To: Eric Fitzgerald; James Turnbull
Cc: loganalysis@private
Subject: Re: RIF: Microsoft Event ID

 

Hi,

Thanks a lot for your help. If you are interested, I have found some
technical guides that speak about my problem; one relevant to
correlating events is:

http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/smpgch04.mspx

which speaks about some solutions.

Thanks for your time,
Amedeo Salvati


-----Original Message-----
From:     Eric Fitzgerald [mailto:Eric.Fitzgerald@private]
Sent:        Mon 20/03/2006 20.59
To:      James Turnbull; Salvati Amedeo
Cc:     loganalysis@private
Subject:        RE: [logs] Re: RIF:  Microsoft Event ID

In general, there are very few time/count correlation patterns of
interest in the Windows security log.

Remember that the Windows security log is an audit trail, not an IDS
log.

Common Criteria calls out two patterns of interest, which we will
support in Vista:

1. Time/count threshold alerting for logon failures, to detect password
guessing attacks.

Drawing on operational experience here at Microsoft, I recommend that
your count threshold be 25 or higher for a duration of 1min or less, to
eliminate most false positive noise.  This is analogous to the account
lockout feature; a count of 25 will exceed any user's patience when they
forget their password, and you'll be left with mostly failures due to
misconfigured automation (wrong password stored in a script somewhere),
and perhaps an actual attack.  Anecdotally, the only time I've actually
seen a password guessing attack in a real live audit log was a poorly
written password strength scanner.

2. Time/count thresholding for object access violations.

This is a new requirement in Common Criteria and although we're going to
support it, I haven't had a chance to observe it in actual operation.  I
suspect that in practice the typical object access failure pattern is
going to vary widely depending on the object and the applications which
use it.

Best regards,
Eric

Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation
425-705-9601

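The threshold rule Eric describes (25 failures within one minute) and the failure-then-success sequence Amedeo asked about, as an added example that is not part of the original thread. It runs over constructed sample records in an assumed "timestamp,event,account,host" format, not real Windows security-log output:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "timestamp,event,account,host" (assumed export format,
# not real Windows security-log output).
BASE = datetime(2006, 3, 20, 14, 0, 0)
SAMPLE = [f"{(BASE + timedelta(seconds=i)).isoformat()},failure,svc_backup,FS01"
          for i in range(30)]  # 30 failures in 30 s: a misconfigured script
SAMPLE += [f"{(BASE + timedelta(minutes=2, seconds=s)).isoformat()},failure,alice,{h}"
           for s, h in ((0, "WS01"), (20, "WS01"), (40, "WS02"))]
SAMPLE.append(f"{(BASE + timedelta(minutes=3)).isoformat()},success,alice,WS07")

def parse(line):
    ts, event, account, host = line.strip().split(",")
    return datetime.fromisoformat(ts), event, account, host

def failure_bursts(records, threshold=25, window=timedelta(minutes=1)):
    """Eric's rule: alert when one account reaches `threshold` failures inside a sliding `window`."""
    recent = defaultdict(deque)
    alerts = []
    for ts, event, account, _host in records:
        if event != "failure":
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) == threshold:    # fire once, when the threshold is first hit
            alerts.append((account, ts))
    return alerts

def failures_then_success(records, n=3, window=timedelta(minutes=10)):
    """Amedeo's pattern: n failures for a username on one or more hosts, then a success anywhere."""
    fails = defaultdict(list)
    hits = []
    for ts, event, account, host in records:
        if event == "failure":
            fails[account].append((ts, host))
        elif event == "success":
            prior = [h for t, h in fails[account] if ts - t <= window]
            if len(prior) >= n:
                hits.append((account, host, sorted(set(prior))))
            fails[account].clear()  # a success resets the sequence
    return hits

def run(lines=SAMPLE):
    records = sorted((parse(l) for l in lines), key=lambda r: r[0])  # order by time
    return failure_bursts(records), failures_then_success(records)
```

The service-account burst is reported once, when the 25th failure lands, while the three scattered failures for "alice" only surface when they are followed by her successful logon.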
-----Original Message-----
From: loganalysis-bounces+ericf=windows.microsoft.com@private
[mailto:loganalysis-bounces+ericf=windows.microsoft.com@private]
On Behalf Of James Turnbull
Sent: Thursday, March 16, 2006 4:34 PM
To: Salvati Amedeo
Cc: loganalysis@private
Subject: [logs] Re: RIF: Microsoft Event ID

Salvati Amedeo wrote:
> Yes, I have just visited both eventid.net and ultimatewindowssecurity.com
> for filtering low-importance events from high ones, but now I want to set up
> some correlation criteria,
> e.g. 3 times one username tries to log on to one or more hosts and fails, and
> then the same username logs on to the same or another host.
>
> But my problem is just knowing the main logs to monitor, e.g. the top 10
> event IDs.
>
I don't know of any resource like that.  I think you would need to
experiment with test cases - like the example you provided and then
record the resulting log entries and build correlation rules from there.
> thanks for your time and for Nagios
> amedeo
>  
I didn't develop Nagios - its developer is Ethan Galstad - I merely
wrote a book about it. :)

Regards

James Turnbull

--
James Turnbull <james@private>
---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)

Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)


_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis

This archive was generated by hypermail 2.1.3 : Mon Mar 20 2006 - 15:31:36 PST