On Aug 24, 2017 4:40 AM, "Ritu Soni" <ritu.soni9...@gmail.com> wrote:

Hello,
I simply want to test the rule for a DDoS attack, which was discussed
previously:
local_rules.xml:
<group name="attack,">
    <rule id="200000" level="15" timeframe="300" frequency="3">
        <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
        <same_source_ip />
        <description>Attacks from same source IP</description>
    </rule>
</group>
But this is not working. I get errors while adding this new rule.
What is the possible solution for making this rule work?


Keeping those errors a secret is not going to help me help you solve the
problem. Either look at the errors and troubleshoot your problem, or share
them and let me do it.



On Wednesday, August 23, 2017 at 5:46:17 PM UTC+5:30, dan (ddpbsd) wrote:

>
>
> On Aug 23, 2017 6:18 AM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
>
> Hello,
> My work requirement is that OSSEC should generate an alert "Attack
> Detected" when a request from the same IP address is received by the server
> 3 or more times within 300 seconds.
> I have done changes in syslog_rules.xml file:
> <rule id="1002" level="2" time_frame="300" frequency="3">
>     <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
>     <options>alert_by_email</options>
>     <description>DDOS Attack Detected</description>
>   </rule>
> But when I restart OSSEC, it generates an error message:
> OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
>
> Are these changes correct? If not, please suggest the changes needed to
> achieve this.
>
>
>
> I don't see anything obviously incorrect with the changes. I'm not sure
> if_matched_group accepts multiple groups, or if they are pipe delimited
> though. Getting the actual errors (from logtest -t or the ossec.log) might
> help.
>
> Stylistically though, modifying the rules files (except local_rules.xml)
> is a bad idea. Changes will be overwritten during updates. Also, I consider
> rule 1002 to be very important, and changing it isn't something I
> encourage.
>
>
>
> On Monday, August 21, 2017 at 10:43:53 PM UTC+5:30, dan (ddpbsd) wrote:
>
>>
>>
>> On Aug 21, 2017 1:07 PM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
>>
>> Hey,
>> When I make any changes to the xml files, ossec stops working.
>> Should I use the "make" command for those changes to take effect, or some
>> other command after making the changes?
>>
>>
>>
>> You can run `ossec-logtest -t` to test your changes before restarting
>> ossec. If there are issues, it should display error messages.
>>
>>
>>
>> On Monday, August 21, 2017 at 10:25:45 PM UTC+5:30, dan (ddpbsd) wrote:
>>>
>>>
>>>
>>> On Aug 21, 2017 12:54 PM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
>>>
>>> hello,
>>> I have installed OSSEC on an Ubuntu server.
>>> I want to perform changes in OSSEC rules, so that it can detect an
>>> attack and display an alert like "DDOS Attack".
>>> Is it possible to perform changes in rules of OSSEC using xml files?
>>> What could be the possible method for this, please guide me.
>>>
>>>
>>> Local additions or changes to the rules can be done in
>>> /var/ossec/rules/local_rules.xml
>>>
>>>
>>>
>>>
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

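The thread never arrives at a working rule. The attribute that the Aug 23 rule used, `time_frame`, is not an OSSEC rule attribute; OSSEC spells it `timeframe`, and an unrecognized attribute is one way to get exactly the "Testing rules failed. Configuration error." message quoted above. The second attempt fixed the spelling but was placed in a rule ID outside the range OSSEC documents for local rules (100000 to 119999) and at level 15, the highest level OSSEC has. The following is an added example of a composite (correlation) rule for `/var/ossec/rules/local_rules.xml` that does what the first post asked for; it is not code from the thread or from OSSEC's shipped rule set. Assumptions: the events you want to count are produced by rules that carry the group `attacks` (change that to whatever group your triggering rules actually use), and the rule ID, level and description text are chosen here for illustration. Note that "three events from one IP in five minutes" is a repeat-offender detector, not a volumetric DDoS detector, whatever the description says.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not from the thread) -->
<group name="local,attack,">

  <!-- Composite rule: fires when three or more events whose rules belong
       to the "attacks" group (assumed group name) arrive from the same
       source IP within 300 seconds.  The attribute is "timeframe", not
       "time_frame".  The ID 100100 is inside the range OSSEC reserves for
       local rules; level 10 leaves headroom below the maximum of 15. -->
  <rule id="100100" level="10" frequency="3" timeframe="300">
    <if_matched_group>attacks</if_matched_group>
    <same_source_ip />
    <description>Attack detected: repeated attack events from the same source IP</description>
  </rule>

</group>
```

Load-test the rule set before restarting, as suggested earlier in the thread: run `/var/ossec/bin/ossec-logtest -t` and fix whatever it reports, then `/var/ossec/bin/ossec-control restart`. Leave `syslog_rules.xml` and rule 1002 untouched; anything in the shipped rule files is overwritten on upgrade, which is the reason local rules live in `local_rules.xml`.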