Hello,
I simply want to test the rule for the DDoS attack which was discussed previously, in local_rules.xml:

<group name="attack,">
  <rule id="200000" level="15" timeframe="300" frequency="3">
    <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
    <same_source_ip />
    <description>Attacks from same source IP</description>
  </rule>
</group>

But this is not working. I get errors while adding this new rule. What is the possible solution for making this rule work?

On Wednesday, August 23, 2017 at 5:46:17 PM UTC+5:30, dan (ddpbsd) wrote:
>
> On Aug 23, 2017 6:18 AM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
>
> Hello,
> My work requirement is that OSSEC should generate an alert "Attack Detected" when the request from the same IP address is received by the server 3 or more times within 300 seconds.
> I have done changes in the syslog_rules.xml file:
>
> <rule id="1002" level="2" time_frame="300" frequency="3">
>   <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
>   <options>alert_by_email</options>
>   <description>DDOS Attack Detected</description>
> </rule>
>
> But when I restart OSSEC, it generates an error message:
> OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
>
> Are these changes correct? If not, please suggest the changes to achieve the same.
>
>
> I don't see anything obviously incorrect with the changes. I'm not sure if_matched_group accepts multiple groups, or if they are pipe delimited though. Getting the actual errors (from logtest -t or the ossec.log) might help.
>
> Stylistically though, modifying the rules files (except local_rules.xml) is a bad idea. Changes will be overwritten during updates. Also, I consider rule 1002 to be very important, and changing it isn't something I encourage.
>
>
> On Monday, August 21, 2017 at 10:43:53 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Aug 21, 2017 1:07 PM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
>>
>> Hey,
>> When I perform any changes to the XML files, OSSEC stops working.
>> Should I use the "make" command for those changes to work, or any other command after performing the changes?
>>
>>
>> You can run `ossec-logtest -t` to test your changes before restarting ossec. If there are issues, it should display error messages.
>>
>>
>> On Monday, August 21, 2017 at 10:25:45 PM UTC+5:30, dan (ddpbsd) wrote:
>>>
>>> On Aug 21, 2017 12:54 PM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
>>>
>>> Hello,
>>> I have installed OSSEC on an Ubuntu server.
>>> I want to perform changes in the OSSEC rules, so that it can detect an attack and display an alert like "DDOS Attack".
>>> Is it possible to perform changes in the rules of OSSEC using XML files?
>>> What could be the possible method for this? Please guide me.
>>>
>>>
>>> Local additions or changes to the rules can be done in /var/ossec/rules/local_rules.xml

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
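Added example (not from the thread and not OSSEC's own code): a small Python simulation of what the composite rule above expresses (frequency 3, timeframe 300 s, same_source_ip, matched groups), so the intended firing behaviour can be reasoned about before testing the real rule with `ossec-logtest -t`. It assumes that `|` in if_matched_group is alternation (dan was unsure of this) and that the per-IP window resets after the rule fires; the alerts are constructed.

```python
"""Simulation of the composite rule from the thread (constructed example,
not OSSEC's implementation).  Models frequency / timeframe / same_source_ip."""
from collections import defaultdict, deque

# Composite rule as posted in the thread; timeframe is in seconds.
RULE = {
    "id": 200000, "level": 15,
    "if_matched_group": "attacks|attack|automatic_attack",
    "frequency": 3, "timeframe": 300, "same_source_ip": True,
}

def group_matches(rule_groups, alert_groups):
    """Assumption: '|' separates alternative group names, and an alert's
    group string is comma separated like OSSEC's 'syslog,attacks,'."""
    wanted = rule_groups.split("|")
    have = {g for g in alert_groups.split(",") if g}
    return any(w in have for w in wanted)

def correlate(alerts, rule=RULE):
    """alerts: chronological (timestamp_seconds, srcip, groups).
    Returns [(timestamp, srcip)] where the composite rule fires.  Keeps a
    sliding window per source IP of events within `timeframe`; fires when
    the count reaches `frequency`, then clears the window (assumption:
    one alert per burst, not OSSEC's exact dedup behaviour)."""
    windows = defaultdict(deque)
    fired = []
    for ts, srcip, groups in alerts:
        if not group_matches(rule["if_matched_group"], groups):
            continue
        key = srcip if rule["same_source_ip"] else "*"
        win = windows[key]
        while win and ts - win[0] > rule["timeframe"]:
            win.popleft()                 # drop events older than timeframe
        win.append(ts)
        if len(win) >= rule["frequency"]:
            fired.append((ts, srcip))
            win.clear()
    return fired

# Constructed sample alerts: (epoch seconds, source IP, groups string).
SAMPLE_ALERTS = [
    (1000, "203.0.113.5", "syslog,attacks,"),
    (1100, "203.0.113.5", "syslog,attack,"),
    (1150, "198.51.100.9", "syslog,attacks,"),        # different source
    (1200, "203.0.113.5", "syslog,automatic_attack,"),  # 3rd in 200 s: fires
    (1700, "203.0.113.5", "syslog,attacks,"),         # new window
    (2100, "203.0.113.5", "syslog,attacks,"),         # 1700 is >300 s old
    (2150, "203.0.113.5", "syslog,sshd,"),            # group not matched
]

if __name__ == "__main__":
    for ts, ip in correlate(SAMPLE_ALERTS):
        print(f"rule {RULE['id']} level {RULE['level']}: {ip} at t={ts}")
```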