Hi,

there are several DDOS attack types: UDP/SYN/ICMP/HTTP flood, ping of death, 
etc. If these attacks do not generate a log that OSSEC can read, the 
attack will not be detected.

Try to detect the DDOS attack on your machine manually: review Apache logs, 
netstat or a specific tool to detect these types of attacks. Then, we can 
send the information obtained to OSSEC and play with specific rules or 
active response to block the attack.


On Tuesday, May 10, 2016 at 8:28:21 PM UTC+2, Jiri wrote:
>
> Hi, thanks for your response. I am using XOIC and also RDOS to simulate a 
> DDOS attack but both are not working. The web UI is not detecting any 
> attack and on RDOS it looks like the software isn't even connected to the 
> server. 
>
> On Friday, May 6, 2016 at 5:45:58 PM UTC+8, Jesus Linares wrote:
>>
>> Hi Jiri,
>>
>> also you can run the command "/var/ossec/bin/agent_control -lc" to get 
>> the connected agents. Keep in mind that in order to know if an agent is 
>> connected, disconnected or never connected OSSEC reads the modification 
>> date of the files in /var/ossec/queue/agent-info/*:
>>
>>    - if there is no file for the agent the status is never connected
>>    - if the modification time of the file is less than a defined 
>>    timeout, the status is active. If it is greater, the status is 
>>    disconnected.
>>    
>> The timeout is 3*NOTIFY_TIME+30, NOTIFY_TIME by default is 600 seconds.
>>
>> Regarding the rules to detect DDOS attacks, you could create something 
>> like this:
>>
>> local_rules.xml:
>>
>> <group name="attack,">
>>   <rule id="200000" level="15" timeframe="300" frequency="3">
>>     <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
>>     <same_source_ip />
>>     <description>Attacks from same source IP</description>
>>   </rule>
>> </group>
>>
>> You are saying: if one of these groups (attack, attacks or 
>> automatic_attack) has matched in the last 300 seconds more than 5 times 
>> (frequency + 2) and the event comes from the same IP, it could be a DDOS 
>> attack. You can play with the variables (timeframe and frequency) or create 
>> new rules with a specific group and append it to the rule.
>>
>> Regards.
>> Jesus Linares.
>>
>>
>>
>> On Thursday, May 5, 2016 at 8:44:50 PM UTC+2, dan (ddpbsd) wrote:
>>>
>>> On Thu, May 5, 2016 at 2:12 PM, Jiri <necrosi...@gmail.com> wrote: 
>>> > Hi, 
>>> > 
>>> > I just finished installing ossec on ubuntu as a server and windows 
>>> > agent on another computer. How do I test if my agent is successfully 
>>> > connected to me? Also, can someone help me on creating rules to detect 
>>> > a ddos attack or any attack on my server? 
>>> > 
>>>
>>> On the server you can run `/var/ossec/bin/list_agents -c` to see the 
>>> connected agents. 
>>> Check out the rules that already exist in /var/ossec/rules. They 
>>> should be useful as a template. 
>>> If you still need help, please ask. 
>>>
>>> > Thanks, 
>>> > Regards. 
>>> > 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
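The composite rule Jesus quoted above (timeframe 300, frequency 3, same_source_ip) reduced to a toy correlator, as an added example that is neither from the thread nor from OSSEC's own source: it applies his reading that a frequency rule needs frequency + 2 matching events from one source inside the timeframe. The event tuples are constructed, and resetting a source's window after it fires is a simplification of what analysisd does.

```python
"""Toy correlator for the OSSEC-style rule 200000 discussed in the thread."""
from collections import defaultdict, deque

# Parameters from the quoted local_rules.xml
TIMEFRAME = 300                   # <rule ... timeframe="300">
FREQUENCY = 3                     # <rule ... frequency="3">
MATCH_GROUPS = frozenset({"attacks", "attack", "automatic_attack"})  # <if_matched_group>


def required_matches(frequency):
    # As stated in the thread: the rule fires once frequency + 2 matching
    # events from the same source have been seen inside the timeframe.
    return frequency + 2


def correlate(events, timeframe=TIMEFRAME, frequency=FREQUENCY, groups=MATCH_GROUPS):
    """events: (epoch_seconds, source_ip, groups_of_the_rule_that_fired), sorted by time.
    Returns the (epoch_seconds, source_ip) pairs at which rule 200000 would fire."""
    needed = required_matches(frequency)
    windows = defaultdict(deque)  # <same_source_ip />: one sliding window per source
    alerts = []
    for ts, srcip, rule_groups in events:
        if not groups.intersection(rule_groups):
            continue              # the earlier rule is not in any of our groups
        window = windows[srcip]
        window.append(ts)
        while ts - window[0] > timeframe:
            window.popleft()      # drop events older than <timeframe>
        if len(window) >= needed:
            alerts.append((ts, srcip))
            window.clear()        # simplification: start counting afresh after an alert
    return alerts


# Constructed sample stream: (time, source IP, groups of the rule that matched)
SAMPLE_EVENTS = [
    (1000, "198.51.100.7", ["web", "attack"]),
    (1010, "198.51.100.7", ["web", "attacks"]),
    (1020, "203.0.113.5", ["web", "attack"]),         # other source: separate window
    (1030, "198.51.100.7", ["syslog", "errors"]),     # wrong group: not counted
    (1040, "198.51.100.7", ["web", "automatic_attack"]),
    (1050, "198.51.100.7", ["web", "attack"]),
    (1060, "198.51.100.7", ["web", "attack"]),        # 5th match within 300 s: fires
    (1400, "198.51.100.7", ["web", "attack"]),        # alone after the reset: no alert
]

if __name__ == "__main__":
    for ts, ip in correlate(SAMPLE_EVENTS):
        print(f"rule 200000 would fire at t={ts} for {ip}")
```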
