Hi Martin,

the problem is that this log also matches rule 2501 (from Syslog), which
has level 5. Since your rule 100201 has level 1, OSSEC discards it in favor
of rule 2501.

So if you increase the level to 6, it should work:

<rule id="100201" level="6">
  <decoded_as>app.ERROR</decoded_as>
  <description>Multiple login attempts bepark.eu/fr/connexion</description>
</rule>

<rule id="100202" level="7" frequency="10" timeframe="60">
  <if_matched_sid>100201</if_matched_sid>
  <same_source_ip />
  <description>Multiple login attempts bepark.eu/fr/connexion</description>
  <group>authentication_failures,</group>
</rule>


Hope it helps.

Best regards.


On Thu, Mar 23, 2017 at 9:37 AM, Martin <martin...@gmail.com> wrote:

> Hello,
>
> I have this kind of log coming from a custom app:
>
>> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []
>
> I'm trying to block an IP with too many authentication failures.
>
> So I made a custom decoder, which is working:
>
> <decoder name="app.ERROR">
>   <prematch>^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p </prematch>
> </decoder>
>
>
> <decoder name="app.ERROR-verify-login">
>   <parent>app.ERROR</parent>
>   <regex offset="after_parent">^app.ERROR: \.+ (\S+) for IP: (\S+) (\.+)\s(\.+)$</regex>
>   <order>status,srcip,extra_data,extra_data</order>
> </decoder>
>
> and I want these rules to work with this log:
>
> <rule id="100201" level="1">
>   <decoded_as>app.ERROR</decoded_as>
>   <description>Multiple login attempts bepark.eu/fr/connexion</description>
> </rule>
>
> <rule id="100202" level="7" frequency="10" timeframe="60">
>   <if_matched_sid>100201</if_matched_sid>
>   <same_source_ip />
>   <description>Multiple login attempts bepark.eu/fr/connexion</description>
>   <group>authentication_failures,</group>
> </rule>
>
>
> But this is what I get when testing with */var/ossec/bin/ossec-logtest*:
>
>
>
> [2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []'
>        hostname: 'Digital-Ocean-1'
>        program_name: '(null)'
>        log: '[2017-03-23 10:18:01] app.ERROR: Authentication failure for IP: 172.17.0.1 [] []'
>
>
> **Phase 2: Completed decoding.
>        decoder: 'app.ERROR'
>        status: 'failure'
>        srcip: '172.17.0.1'
>        extra_data: '[]'
>        extra_data: '[]'
>
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '2501'
>        Level: '5'
>        Description: 'User authentication failure.'
> **Alert to be generated.
>
> Why are my rules not working over the 2501 one?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
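To make the two phases of the logtest output above concrete, here is an added Python example; it is written for this page and is not code from the thread, from OSSEC or from Wazuh. It translates the OSSEC-style decoder regex Martin posted into a Python regex, decodes the sample line the way Phase 2 shows, and then chooses the alerting rule with the simplified "highest matching level wins" model the reply describes. The escape mapping (`\.` as the any-character wildcard, `\p` as the punctuation class), the substring approximation of stock rule 2501 and the rule-selection model are assumptions made for the illustration.

```python
import re

# Constructed sample line in the format Martin posted (not captured data).
SAMPLE_LOG = ("[2017-03-23 10:18:01] app.ERROR: Authentication failure "
              "for IP: 172.17.0.1 [] []")

# The decoder patterns and field order from the thread.
PREMATCH = r"^\p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p "
CHILD_REGEX = r"^app.ERROR: \.+ (\S+) for IP: (\S+) (\.+)\s(\.+)$"
ORDER = ["status", "srcip", "extra_data", "extra_data"]

# Assumed mapping of OSSEC regex escapes to Python: in OSSEC "\." is the
# any-character wildcard, "\p" is its punctuation class, and a bare "." is
# literal. Only the escapes needed for the thread's decoder are covered.
OSSEC_ESCAPES = {
    ".": ".",
    "p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&|{}]",
    "d": r"\d", "D": r"\D",
    "w": r"\w", "W": r"\W",
    "s": r"\s", "S": r"\S",
}
OSSEC_OPERATORS = set("^$()+*")


def ossec_to_python(pattern):
    """Translate an OSSEC-style regex into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
        else:
            out.append(ch if ch in OSSEC_OPERATORS else re.escape(ch))
            i += 1
    return "".join(out)


def decode(log, prematch=PREMATCH, regex=CHILD_REGEX, order=ORDER):
    """Phase 2: parent prematch, then the child regex with offset="after_parent".

    Returns (decoder_name, [(field, value), ...]); (None, []) when the parent
    does not match. A list is used because 'extra_data' appears twice in <order>.
    """
    parent = re.match(ossec_to_python(prematch), log)
    if not parent:
        return None, []
    child = re.match(ossec_to_python(regex), log[parent.end():])
    if not child:
        return "app.ERROR", []          # parent matched, child did not
    return "app.ERROR", list(zip(order, child.groups()))


def select_rule(rules, log, decoder_name):
    """Phase 3, simplified as the reply describes it: among the rules that
    match, the one with the highest level wins. (Real OSSEC walks its rule
    tree in level order; this models only the outcome.)"""
    matching = [r for r in rules if r["match"](log, decoder_name)]
    return max(matching, key=lambda r: r["level"]) if matching else None


def winning_rule_id(level_100201, log=SAMPLE_LOG):
    """Id of the rule that would alert for `log` if 100201 had the given level."""
    decoder_name, _fields = decode(log)
    rules = [
        # Stock syslog rule 2501 is level 5; its real conditions live in
        # syslog_rules.xml and are approximated here by a substring test.
        {"id": "2501", "level": 5,
         "match": lambda line, dec: "authentication failure" in line.lower()},
        # Martin's rule: fires on anything the app.ERROR decoder handled.
        {"id": "100201", "level": level_100201,
         "match": lambda line, dec: dec == "app.ERROR"},
    ]
    winner = select_rule(rules, log, decoder_name)
    return winner["id"] if winner else None


if __name__ == "__main__":
    print("decoded:", decode(SAMPLE_LOG))
    print("rule 100201 at level 1 ->", winning_rule_id(1))   # 2501, as in the logtest output
    print("rule 100201 at level 6 ->", winning_rule_id(6))   # 100201, as the reply suggests
```

Running it reproduces the Phase 2 fields (status, srcip, two extra_data values) and shows the level-1 rule losing to 2501 while the level-6 version wins; the `frequency`/`timeframe` correlation of rule 100202 is deliberately left out because its exact counting semantics are not discussed in the thread.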
