On Aug 23, 2017 6:18 AM, "Ritu Soni" <ritu.soni9...@gmail.com> wrote:

Hello,
My work requirement is that OSSEC should generate an alert "Attack
Detected" when a request from the same IP address is received by the server
3 or more times within 300 seconds.
I have done changes in syslog_rules.xml file:
<rule id="1002" level="2" time_frame="300" frequency="3">
  <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
  <options>alert_by_email</options>
  <description>DDOS Attack Detected</description>
</rule>
But when I restart OSSEC, it generates an error message:
OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

Are these changes correct? If not, please suggest the changes needed to
achieve this.



I don't see anything obviously incorrect with the changes. I'm not sure
if_matched_group accepts multiple groups, or if they are pipe delimited
though. Getting the actual errors (from logtest -t or the ossec.log) might
help.

Stylistically though, modifying the rules files (except local_rules.xml) is
a bad idea. Changes will be overwritten during updates. Also, I consider
rule 1002 to be very important, and changing it isn't something I
encourage.
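As an added illustration (not code from the thread or from the OSSEC project), the following is the kind of standalone rule that dan's advice points to: it lives in /var/ossec/rules/local_rules.xml with an id from the local range (100000 and up) instead of overwriting rule 1002, uses same_source_ip so only repeats from one address are counted, and spells the window attribute the way OSSEC expects, timeframe rather than time_frame. The group name "attack" and the rule id are assumptions for the example.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml; not from the
     original thread. Assumes the events to count carry the group "attack"
     and that 100100 is unused in the local range (100000+). -->
<group name="local,">

  <!-- Composite (frequency) rule: fires when 3 events belonging to the
       "attack" group arrive from the same source IP within 300 seconds.
       "timeframe" is the attribute name OSSEC's parser accepts; an
       unknown attribute makes ossec-logtest -t report a rules error. -->
  <rule id="100100" level="10" frequency="3" timeframe="300">
    <if_matched_group>attack</if_matched_group>
    <same_source_ip />
    <options>alert_by_email</options>
    <description>Attack Detected: 3 attack-group events from the same IP within 300 seconds.</description>
  </rule>

</group>
```

After saving the file, run /var/ossec/bin/ossec-logtest -t before restarting so a syntax problem is reported on the console rather than only in ossec.log.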



On Monday, August 21, 2017 at 10:43:53 PM UTC+5:30, dan (ddpbsd) wrote:

>
>
> On Aug 21, 2017 1:07 PM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
>
> Hey,
> When I perform any changes to the XML files, OSSEC stops working.
> Should I use the "make" command for those changes to work, or any other
> command after performing the changes?
>
>
>
> You can run `ossec-logtest -t` to test your changes before restarting
> ossec. If there are issues, it should display error messages.
>
>
>>
>
> On Monday, August 21, 2017 at 10:25:45 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>>
>>
>> On Aug 21, 2017 12:54 PM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
>>
>> Hello,
>> I have installed OSSEC on an Ubuntu server.
>> I want to perform changes in the OSSEC rules, so that it can detect an attack
>> and display an alert like "DDOS Attack".
>> Is it possible to perform changes in the rules of OSSEC using XML files?
>> What could be the possible method for this? Please guide me.
>>
>>
>> Local additions or changes to the rules can be done in
>> /var/ossec/rules/local_rules.xml
>>
>>
>>
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ossec-list+...@googlegroups.com.
>>
>> For more options, visit https://groups.google.com/d/optout.
>>
