On Thu, Aug 24, 2017 at 8:35 AM, dan (ddp) <ddp...@gmail.com> wrote:
>
>
> On Aug 24, 2017 4:40 AM, "Ritu Soni" <ritu.soni9...@gmail.com> wrote:
>
> Hello,
> I simply want to test the rule for the DDoS attack, which was discussed
> previously:
> local_rules.xml:
> <group name="attack,">
>
>
>     <rule id="200000" level="15" timeframe="300" frequency="3">
>
>         <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
>
>         <same_source_ip />
>         <description>Attacks from same source IP</description>
>   </rule>
>
>
> </group>
> But this is not working. I get errors while adding this new rule.
> What is the possible solution for making this rule work?
>
>
> Keeping those errors a secret is not going to help me help you solve the
> problem. Either look at the errors and troubleshoot your problem, or share
> them and let me do it.
>

Testing this rule provided me with no errors, so my first guess is
that you have the <group> tag inside of another <group> tag.
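As an added example (not code from this thread and not part of OSSEC itself), here is a small Python lint for a local_rules.xml fragment that reports the two problems raised in this thread before `ossec-logtest -t` is run: a <group> nested inside another <group>, and a <rule> attribute OSSEC does not know, such as time_frame where the loader expects timeframe. It also checks that frequency and timeframe are set together and that an if_matched_* condition has them. The accepted attribute names and the 100000-119999 range reserved for local rules follow the OSSEC rules documentation; the two sample fragments embedded at the bottom are constructed from the rules quoted in this thread.

```python
"""Lint an OSSEC local_rules.xml fragment (added example, not OSSEC's own code)."""
import sys
import xml.etree.ElementTree as ET

# Attributes OSSEC's rule loader accepts on <rule>; anything else is a configuration error.
RULE_ATTRS = {"id", "level", "frequency", "timeframe", "ignore", "overwrite",
              "noalert", "accuracy", "maxsize"}
# Spellings seen in user rules, mapped to the name the loader accepts.
ATTR_FIXES = {"time_frame": "timeframe", "time-frame": "timeframe", "freq": "frequency"}
# Correlation conditions that are paired with frequency/timeframe on the same rule.
COMPOSITE_TAGS = {"if_matched_sid", "if_matched_group", "if_matched_regex"}
# Id range OSSEC reserves for user-defined rules.
LOCAL_ID_RANGE = (100000, 119999)


def lint_rules(xml_text):
    """Return a list of findings (strings) for a local_rules.xml fragment; empty means clean."""
    findings = []
    # local_rules.xml may hold several top-level <group> blocks, so wrap them in one root.
    try:
        root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]

    # A <group> inside another <group> is the nesting mistake guessed at above.
    for group in root.iter("group"):
        for inner in group.iter("group"):
            if inner is not group:
                findings.append("group %r is nested inside group %r; groups belong at top level"
                                % (inner.get("name"), group.get("name")))

    for rule in root.iter("rule"):
        rid = rule.get("id", "<missing>")
        tag = "rule %s:" % rid
        if not rid.isdigit():
            findings.append("%s id must be numeric" % tag)
        elif not LOCAL_ID_RANGE[0] <= int(rid) <= LOCAL_ID_RANGE[1]:
            findings.append("%s id outside the local range %d-%d (may collide with a stock rule)"
                            % (tag, LOCAL_ID_RANGE[0], LOCAL_ID_RANGE[1]))
        if "level" not in rule.attrib:
            findings.append("%s missing level attribute" % tag)
        for attr in rule.attrib:
            if attr not in RULE_ATTRS:
                hint = ATTR_FIXES.get(attr)
                suffix = " (did you mean %r?)" % hint if hint else ""
                findings.append("%s unknown attribute %r%s" % (tag, attr, suffix))
        has_freq = "frequency" in rule.attrib
        has_tf = "timeframe" in rule.attrib
        has_composite = any(rule.find(t) is not None for t in COMPOSITE_TAGS)
        if has_freq != has_tf:
            findings.append("%s frequency and timeframe must be set together" % tag)
        if has_composite and not has_freq:
            findings.append("%s if_matched_* condition without frequency/timeframe" % tag)
        if has_freq and not has_composite:
            findings.append("%s frequency/timeframe set but no if_matched_* condition" % tag)
        if rule.find("description") is None:
            findings.append("%s missing <description>" % tag)
    return findings


# Constructed sample: the first rule from this thread, with a misspelled attribute,
# placed inside a nested <group>.
BROKEN_SAMPLE = """
<group name="local,">
  <group name="attack,">
    <rule id="1002" level="2" time_frame="300" frequency="3">
      <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
      <options>alert_by_email</options>
      <description>DDOS Attack Detected</description>
    </rule>
  </group>
</group>
"""

# Constructed sample: the working rule from this thread, given an id in the local range.
CLEAN_SAMPLE = """
<group name="attack,">
  <rule id="100100" level="15" frequency="3" timeframe="300">
    <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
    <same_source_ip />
    <description>Attacks from same source IP</description>
  </rule>
</group>
"""

if __name__ == "__main__":
    # Lint a real file when a path is given, otherwise the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_SAMPLE
    for finding in lint_rules(text) or ["no findings"]:
        print(finding)
```

Run it as `python lint_rules.py /var/ossec/rules/local_rules.xml` (the file name is a placeholder) and fix what it reports, then let `ossec-logtest -t` have the final word, since this lint only knows the attributes and structure listed at the top and not every check the real loader performs.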

>
>
> On Wednesday, August 23, 2017 at 5:46:17 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>>
>>
>> On Aug 23, 2017 6:18 AM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
>>
>> Hello,
>> My work requirement is that OSSEC should generate an alert "Attack
>> Detected" when requests from the same IP address are received by the server
>> 3 or more times within 300 seconds.
>> I have done changes in syslog_rules.xml file:
>> <rule id="1002" level="2" time_frame="300" frequency="3">
>>     <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
>>     <options>alert_by_email</options>
>>     <description>DDOS Attack Detected</description>
>>   </rule>
>> But when I restart OSSEC, it generates an error message:
>> OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
>>
>> Are these changes correct? If not, please suggest the changes needed to
>> achieve the same.
>>
>>
>>
>> I don't see anything obviously incorrect with the changes. I'm not sure
>> if_matched_group accepts multiple groups, or if they are pipe delimited
>> though. Getting the actual errors (from logtest -t or the ossec.log) might
>> help.
>>
>> Stylistically though, modifying the rules files (except local_rules.xml)
>> is a bad idea. Changes will be overwritten during updates. Also, I consider
>> rule 1002 to be very important, and changing it isn't something I encourage.
>>
>>
>>
>> On Monday, August 21, 2017 at 10:43:53 PM UTC+5:30, dan (ddpbsd) wrote:
>>>
>>>
>>>
>>> On Aug 21, 2017 1:07 PM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
>>>
>>> Hey,
>>> When I perform any changes to the XML files, OSSEC stops working.
>>> Should I use the "make" command for those changes to work, or any other
>>> command after performing the changes?
>>>
>>>
>>>
>>> You can run `ossec-logtest -t` to test your changes before restarting
>>> ossec. If there are issues, it should display error messages.
>>>>
>>>>
>>>
>>>
>>> On Monday, August 21, 2017 at 10:25:45 PM UTC+5:30, dan (ddpbsd) wrote:
>>>>
>>>>
>>>>
>>>> On Aug 21, 2017 12:54 PM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
>>>>
>>>> Hello,
>>>> I have installed OSSEC on an Ubuntu server.
>>>> I want to perform changes in OSSEC rules, so that it can detect an
>>>> attack and display an alert like "DDOS Attack".
>>>> Is it possible to perform changes in rules of OSSEC using xml files?
>>>> What could be the possible method for this, please guide me.
>>>>
>>>>
>>>> Local additions or changes to the rules can be done in
>>>> /var/ossec/rules/local_rules.xml
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to ossec-list+...@googlegroups.com.
>>>>
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>>
>>>
>>>
>>
>>
>
>

