Merge pull request #1675 from ddpbsd/windows_rules
Update info links in Windows rules
atomicturtle authored Feb 26, 2019
2 parents 2a96601 + d7394ab commit dcb922c
Showing 1 changed file with 12 additions and 12 deletions.
24 changes: 12 additions & 12 deletions etc/rules/msauth_rules.xml
@@ -123,7 +123,7 @@
<if_sid>18104</if_sid>
<id>^640$</id>
<description>General account database changed.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com259.html</info>
<info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=640</info>
<group>adduser,account_changed,</group>
</rule>

@@ -204,7 +204,7 @@
<if_sid>18106</if_sid>
<id>^529$|^4625$</id>
<description>Logon Failure - Unknown user or bad password.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com190.html</info>
<info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625</info>
<group>win_authentication_failed,</group>
</rule>

@@ -213,23 +213,23 @@
<id>^530$</id>
<description>Logon Failure - Account logon time restriction </description>
<description>violation.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com191.html</info>
<info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=530</info>
<group>win_authentication_failed,login_denied,</group>
</rule>

<rule id="18132" level="5">
<if_sid>18106</if_sid>
<id>^531$</id>
<description>Logon Failure - Account currently disabled.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com192.html</info>
<info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=531</info>
<group>win_authentication_failed,login_denied,</group>
</rule>

<rule id="18133" level="5">
<if_sid>18106</if_sid>
<id>^532$</id>
<description>Logon Failure - Specified account expired.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com193.html</info>
<info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=532</info>
<group>win_authentication_failed,login_denied,</group>
</rule>

@@ -238,23 +238,23 @@
<id>^533$</id>
<description>Logon Failure - User not allowed to login at </description>
<description>this computer.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com194.html</info>
<info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=533</info>
<group>win_authentication_failed,login_denied,</group>
</rule>

<rule id="18135" level="5">
<if_sid>18106</if_sid>
<id>^534$</id>
<description>Logon Failure - User not granted logon type.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com195.html</info>
<info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=534</info>
<group>win_authentication_failed,</group>
</rule>

<rule id="18136" level="5">
<if_sid>18106</if_sid>
<id>^535$</id>
<description>Logon Failure - Account's password expired.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com196.html</info>
<info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=535</info>
<group>win_authentication_failed,</group>
</rule>

@@ -298,7 +298,7 @@
<if_sid>18104</if_sid>
<id>^671$|^4767$</id>
<description>User account unlocked.</description>
<info type="link">http://www.ultimatewindowssecurity.com/events/com291.html</info>
<info type="link">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767</info>
<group>account_changed,</group>
</rule>

@@ -848,23 +848,23 @@
<match>Failure Code: 0x1F</match>
<description>Windows DC integrity check on decrypted </description>
<description>field failed.</description>
<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>
<!--<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>-->
<group>win_authentication_failed,attacks,</group>
</rule>

<rule id="18171" level="10">
<if_sid>18139</if_sid>
<match>Failure Code: 0x22</match>
<description>Windows DC - Possible replay attack.</description>
<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>
<!--<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>-->
<group>win_authentication_failed,attacks,</group>
</rule>

<rule id="18172" level="7">
<if_sid>18139</if_sid>
<match>Failure Code: 0x25</match>
<description>Windows DC - Clock skew too great.</description>
<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>
<!--<info type="link">http://www.ultimatewindowssecurity.com/kerberrors.html</info>-->
<group>win_authentication_failed,attacks,</group>
</rule>
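Review bot: In the last hunk, rules 18171 and 18172 and the rule matching `Failure Code: 0x1F` above them are left with no `<info>` reference at all, because the kerberrors.html link is commented out rather than replaced; 18171 is a level 10 "Possible replay attack" alert, which is where an analyst most needs the failure-code explanation. If the old page is gone (presumably why the element was disabled), replace the commented-out element with a comment that says so, e.g. `<!-- TODO: kerberrors.html reference retired; add a current Kerberos failure-code reference -->`, or point the link at a maintained reference. Separately, the rules matching `^529$|^4625$` and `^671$|^4767$` now link only to the newer event ID's page, so the legacy ID has no reference; a one-line comment beside each link noting that would make the choice explicit. The 0x1F rule starts outside the hunk, so its id and level are not visible here.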
