Hi Sebastian, not sure what could be the problem here. Did you figure it out?
Best

On Wed, May 13, 2015 at 7:21 AM, skotthof <sebastian.kotth...@rz.uni-mannheim.de> wrote:

> OK, thank you.
> I checked how to use CDBs now, seems this is really what I need. Really cool!
> Nevertheless, now I ran into that issue:
> https://github.com/ossec/ossec-hids/issues/147 )-;
>
> I extended sshd rule "5710" with my own rule:
>
> <group name="syslog,sshd,">
>   <rule id="20000" level="5">
>     <if_sid>5710</if_sid>
>     <!-- <if_matched_sid>5710</if_matched_sid> -->
>     <!-- <same_source_ip /> -->
>     <list field="hostname">lists/testhosts.list</list>
>     <description>Attempt to login using a non-existent user</description>
>   </rule>
> </group>
>
> Because I'm not sure what "hostname" is at the moment, I put everything in my lists/testhosts.list:
> IP_ADDRESS->/var/log/auth.log: test
> IP_ADDRESS: test
> HOST: test
> FQDN: test
>
> When I run ossec-logtest as the ossec user or as root, it seems to work:
>
> -----------------------------------
> ... /opt/ossec# sudo -u ossec ./bin/ossec-logtest
> 2015/05/13 16:07:20 ossec-testrule: INFO: Reading local decoder file.
> 2015/05/13 16:07:20 ossec-testrule: INFO: Reading the lists file: 'lists/testhosts.list'
> 2015/05/13 16:07:20 ossec-testrule: INFO: Started (pid: 3095).
> ossec-testrule: Type one log per line.
>
> May 13 15:52:53 delft sshd[16328]: Failed password for invalid user test11 from XX.XX.XX.XX port 38981 ssh2
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'May 13 15:52:53 delft sshd[16328]: Failed password for invalid user test11 from XX.XX.XX.XX port 38981 ssh2'
>        hostname: 'delft'
>        program_name: 'sshd'
>        log: 'Failed password for invalid user test11 from XX.XX.XX.XX port 38981 ssh2'
>
> **Phase 2: Completed decoding.
>        decoder: 'sshd'
>        srcip: 'XX.XX.XX.XX'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '20000'
>        Level: '5'
>        Description: 'Attempt to login using a non-existent user'
> **Alert to be generated.
> -----------------------------------
> So my rule with id 20000 seems to generate an alert.
>
>
> But when I check logs/alerts/alerts.log and try to log in for real, I get:
> -----------------------------------
> ** Alert 1431526211.28025: - syslog,sshd,invalid_login,authentication_failed,
> 2015 May 13 16:10:11 (delft.DOMAIN) XX.XX.XX.XX->/var/log/auth.log
> Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
> Src IP: XX.XX.XX.XX
> May 13 16:10:11 delft sshd[17432]: Invalid user test11 from XX.XX.XX.XX
>
> ** Alert 1431526213.28360: - syslog,access_control,authentication_failed,
> 2015 May 13 16:10:13 (delft.DOMAIN) XX.XX.XX.XX->/var/log/auth.log
> Rule: 2501 (level 5) -> 'User authentication failure.'
> Src IP: ede.DOMAIN
> May 13 16:10:12 delft sshd[17432]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ede.DOMAIN
>
> ** Alert 1431526215.28773: - syslog,sshd,invalid_login,authentication_failed,
> 2015 May 13 16:10:15 (delft.DOMAIN) XX.XX.XX.XX->/var/log/auth.log
> Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
> Src IP: XX.XX.XX.XX
> May 13 16:10:14 delft sshd[17432]: Failed password for invalid user test11 from XX.XX.XX.XX port 39052 ssh2
> -----------------------------------
> Here the 5710 is alerting.
>
> PS: My ossec is located under /opt/ossec and yes, I have a hybrid server (server + local-agent + on_remote_agent) if this is important.
> The ssh tests I run with the remote-agent. I restarted Ossec on both machines several times.
>
>
> Sebastian
>
>
> On Tue, May 12, 2015 at 10:26:21AM -0700, Santiago Bassett wrote:
> > You could probably use CDB lists in the rules
> > On Tue, May 12, 2015 at 8:34 AM, skotthof <sebastian.kotth...@rz.uni-mannheim.de> wrote:
> >
> > Hi,
> >
> > okay thanks.
> > I have tested this by changing a rule for ssh login:
> >
> > <rule id="5710" level="5">
> >   <if_sid>5700</if_sid>
> >   <match>illegal user|invalid user</match>
> >   <hostname>IP_ADDRESS_1->/var/log/auth.log</hostname>
> >   <hostname>IP_ADDRESS_1->/var/log/auth.log</hostname>
> >   <description>Attempt to login using a non-existent user</description>
> >   <group>invalid_login,authentication_failed,</group>
> > </rule>
> >
> > Unfortunately it is not possible to put multiple <hostname> lines like in the example. The last one overrides the others.
> > So I would have to create multiple versions of that rule with different IDs, for every agent.
> > Then there will be the problem that I will also need multiple rules where <if_matched_sid>5710</if_matched_sid> is defined.
> >
> > This is all concerning ossec-analysisd, right?
> > I think multiple hostnames will depend on the type of the hostname variable in src/analysisd/rules.h
> >
> > typedef struct _RuleInfo
> > {
> >     ...
> >     OSMatch *hostname;
> >     ...
> >
> > I think at the moment this is only one single hostname (src/os_regex/os_regex.h).
> >
> > So any chance to put multiple hostnames in one rule?
> > Or other ideas?
> >
> > Thank you again for your nice help,
> >
> > Sebastian
> >
> > On Tue, May 12, 2015 at 10:41:46AM -0400, dan (ddp) wrote:
> > > On Tue, May 12, 2015 at 10:25 AM, skotthof <sebastian.kotth...@rz.uni-mannheim.de> wrote:
> > > > Thanks for your answer.
> > > > The location option itself seems to be valid only for the <localfile> stuff.
> > > > This will concern the log files again, not the rules.
> > > >
> > >
> > > You're right, I think I meant <hostname>. I can never remember which one is the right one.
> > >
> > > > The manual for rules only mentions something like "same_location" / "same_source_ip".
> > >
> > > http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html
> > >
> > > > Not sure how this should work.
> > > > Is there an example out there?
> > > > Anyway, it seems that this will only work for single agents.
> > > > Is there a way to group some agents and put some special rules to that group?
> > > >
> > > > Sorry for asking again, but I'm quite unsure about that.
> > > >
> > > > Thank you
> > > >
> > > > Sebastian
> > > >
> > > >
> > > > On Tue, May 12, 2015 at 10:05:28AM -0400, dan (ddp) wrote:
> > > >> On Tue, May 12, 2015 at 6:30 AM, skotthof <sebastian.kotth...@rz.uni-mannheim.de> wrote:
> > > >> > Hi,
> > > >> >
> > > >> > we tried out ossec here, really nice software!
> > > >> >
> > > >> > I am wondering if it is possible to define rules also for specific hosts or profiles.
> > > >> >
> > > >> > For example:
> > > >> > On all nodes, we would like to be alerted if ssh login fails because of wrong passwords.
> > > >> > On some hosts only, we would like to receive alerts also when somebody logs in correctly via ssh.
> > > >> >
> > > >> > Both kinds of logs usually go to /var/log/auth.log
> > > >> > Is it possible to use different rules on that file at the server, depending on the agent?
> > > >> >
> > > >>
> > > >> I think the <location> rule option makes this possible.
> > > >> <location>AGENTNAME</location>
> > > >>
> > > >> > Thank you very much,
> > > >> >
> > > >> > Sebastian
> > > >> >
> > > >> > --
> > > >> > Sebastian Kotthoff
> > > >> > Rechenzentrum
> > > >> > Universität Mannheim
> > > >> > B6, 23-29; Building B; Room 1.10
> > > >> > 68159 Mannheim
> > > >> >
> > > >> > Tel: +49 621 181 2516
> > > >> > Fax: +49 621 181 2682
> > > >> >
> > > >> > --
> > > >> >
> > > >> > ---
> > > >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > > >> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> > > >> > For more options, visit https://groups.google.com/d/optout.
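The unresolved point in the thread is which field a `<list field="hostname">` rule actually compares: ossec-logtest's Phase 1 prints `hostname: 'delft'` (the syslog host), while alerts.log prints the agent location `XX.XX.XX.XX->/var/log/auth.log`, and Sebastian's list covers both plus the IP and FQDN. The following is an added example, not OSSEC code and not from anyone in the thread: a small Python model of the three logtest phases (pre-decoding, an sshd decoder that only extracts `srcip`, and the 5700 -> 5710 -> 20000 rule chain with a key lookup into a CDB-style list) run over constructed log lines modelled on the quoted ones. It assumes a standard syslog header, OSSEC's default key lookup for lists and case-insensitive `<match>`, and that the compared field is the Phase 1 hostname; `matching_candidates` reports which of the candidate keys (hostname, location, srcip) would hit the list, so the same scaffold can be used to reason about the other interpretations. The field names and the helper names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the ones quoted in the thread
# (real addresses replaced with 192.0.2.10 / example.org).
SAMPLE_LINES = [
    "May 13 15:52:53 delft sshd[16328]: Failed password for invalid user test11 "
    "from 192.0.2.10 port 38981 ssh2",
    "May 13 16:10:11 delft sshd[17432]: Invalid user test11 from 192.0.2.10",
    "May 13 16:10:12 delft sshd[17432]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=ede.example.org",
]

# Constructed "key: value" list in the style of lists/testhosts.list. The keys are
# the candidates tried in the thread: agent location, agent IP, syslog host, FQDN.
TESTHOSTS_LIST = """\
192.0.2.10->/var/log/auth.log: test
192.0.2.10: test
delft: test
delft.example.org: test
"""

# Assumption: a classic syslog header "<Mon DD HH:MM:SS> <host> <prog>[pid]: <msg>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[\d+\])?: (?P<log>.*)$"
)
SSHD_SRCIP_RE = re.compile(r"(?:illegal|invalid) user \S+ from (?P<srcip>\S+)", re.IGNORECASE)


@dataclass
class Event:
    full_log: str
    location: str          # "<agent ip>-><file>", as printed in alerts.log
    hostname: str = ""     # syslog host, as printed by ossec-logtest Phase 1
    program_name: str = ""
    log: str = ""
    decoder: str = ""
    srcip: str = ""


def parse_cdb_list(text):
    """'key: value' list file -> dict; membership test = match-by-key lookup.
    Assumption: keys contain no ':' (IPv6 keys would need a different split)."""
    entries = {}
    for raw in text.splitlines():
        raw = raw.strip()
        if raw and not raw.startswith("#"):
            key, _, value = raw.partition(":")
            entries[key.strip()] = value.strip()
    return entries


def pre_decode(line, location):
    """Phase 1: split the syslog header into hostname / program_name / log."""
    ev = Event(full_log=line, location=location, log=line)
    m = SYSLOG_RE.match(line)
    if m:
        ev.hostname, ev.program_name, ev.log = m.group("hostname", "program", "log")
    return ev


def decode_sshd(ev):
    """Phase 2: toy sshd decoder that only fills srcip (OSSEC's own is far richer)."""
    if ev.program_name == "sshd":
        ev.decoder = "sshd"
        m = SSHD_SRCIP_RE.search(ev.log)
        if m:
            ev.srcip = m.group("srcip")
    return ev


def decode_line(line, location):
    return decode_sshd(pre_decode(line, location))


def make_rules(hostlist):
    """Phase 3: the rules from the thread; <match> is treated as case-insensitive."""
    return [
        dict(id=5700, level=0, if_sid=None, description="SSHD messages grouped.",
             test=lambda ev: ev.decoder == "sshd"),
        dict(id=5710, level=5, if_sid=5700,
             description="Attempt to login using a non-existent user",
             test=lambda ev: re.search(r"illegal user|invalid user", ev.log, re.I) is not None),
        # Rule 20000 from the thread: <list field="hostname">lists/testhosts.list</list>
        dict(id=20000, level=5, if_sid=5710,
             description="Attempt to login using a non-existent user (listed host)",
             test=lambda ev: ev.hostname in hostlist),
    ]


def evaluate(ev, rules):
    """Walk the chain parent-first: a child runs only when its if_sid parent is the
    current match, and the deepest match wins (the rule id logtest would print)."""
    matched = None
    for rule in rules:
        if rule["if_sid"] is not None and (matched is None or matched["id"] != rule["if_sid"]):
            continue
        if rule["test"](ev):
            matched = rule
    return matched


def matching_candidates(ev, hostlist):
    """Which of the fields covered by the list (hostname, location, srcip) would hit."""
    fields = {"hostname": ev.hostname, "location": ev.location, "srcip": ev.srcip}
    return [name for name, value in fields.items() if value and value in hostlist]


def run(lines, list_text, location="192.0.2.10->/var/log/auth.log"):
    """(hostname, srcip, winning rule id) per line, like logtest's Phase 3 summary."""
    hostlist = parse_cdb_list(list_text)
    rules = make_rules(hostlist)
    return [
        (ev.hostname, ev.srcip, (r["id"] if r else None))
        for ev in (decode_line(line, location) for line in lines)
        for r in [evaluate(ev, rules)]
    ]


if __name__ == "__main__":
    for row in run(SAMPLE_LINES, TESTHOSTS_LIST):
        print(row)
```

With the full list, both "invalid user" lines end in rule 20000 and the pam_unix line stays at 5700 (this toy has no pam decoder, so the real 2501 alert from the thread is out of scope); drop the `delft` key and the same lines fall back to 5710, which is the behaviour Sebastian saw in alerts.log. That is the check worth running against a real install too: feed the same line to ossec-logtest with a list containing only one candidate key at a time, and the key that still yields 20000 is the one analysisd compares.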