On Aug 24, 2017 12:56 PM, "Ritu Soni" <ritu.soni9...@gmail.com> wrote:

Ok, thanks.
Have you added the rule in the local_rules.xml file, or in any other xml file?



I added it to my local_rules.xml file, outside of the </group> tag near the
bottom.


On Thursday, August 24, 2017 at 6:14:56 PM UTC+5:30, dan (ddpbsd) wrote:
>
> On Thu, Aug 24, 2017 at 8:35 AM, dan (ddp) <ddp...@gmail.com> wrote:
> >
> >
> > On Aug 24, 2017 4:40 AM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
> >
> > Hello, ok
>
> > I simply want to test the rule for DDOS attack, which is discussed
> > previously:
> > local_rules.xml:
> > <group name="attack,">
> >
> >
> >     <rule id="200000" level="15" timeframe="300" frequency="3">
> >
> >         <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
>
> >
> >         <same_source_ip />
> >         <description>Attacks from same source IP</description>
> >   </rule>
> >
> >
> > </group>
> > But this is not working. I get errors while adding this new rule.
> > What is the possible solution for making this rule work?
> >
> >
> > Keeping those errors a secret is not going to help me help you solve the
> > problem. Either look at the errors and troubleshoot your problem, or share
> > them and let me do it.
> >
>
> Testing this rule provided me with no errors, so my first guess is
> that you have the <group> tag inside of another <group> tag.
>
> >
> >
> > On Wednesday, August 23, 2017 at 5:46:17 PM UTC+5:30, dan (ddpbsd)
> wrote:
> >>
> >>
> >>
> >> On Aug 23, 2017 6:18 AM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
> >>
> >> Hello,
> >> My work requirement is that OSSEC should generate an alert "Attack
> >> Detected" when a request from the same IP address is received by the
> >> server 3 or more times within 300 seconds.
> >> I have done changes in syslog_rules.xml file:
> >> <rule id="1002" level="2" time_frame="300" frequency="3">
> >>     <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
>
> >>     <options>alert_by_email</options>
> >>     <description>DDOS Attack Detected</description>
> >>   </rule>
> >> But when I restart OSSEC, it generates an error msg:
> >> OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
> >>
> >> Are these changes correct? If not, please suggest the changes to
> >> achieve the same.
> >>
> >>
> >>
> >> I don't see anything obviously incorrect with the changes. I'm not sure
> >> if_matched_group accepts multiple groups, or if they are pipe delimited
> >> though. Getting the actual errors (from logtest -t or the ossec.log) might
> >> help.
> >>
> >> Stylistically though, modifying the rules files (except local_rules.xml)
> >> is a bad idea. Changes will be overwritten during updates. Also, I consider
> >> rule 1002 to be very important, and changing it isn't something I encourage.
> >>
> >>
> >>
> >> On Monday, August 21, 2017 at 10:43:53 PM UTC+5:30, dan (ddpbsd) wrote:
> >>>
> >>>
> >>>
> >>> On Aug 21, 2017 1:07 PM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
> >>>
> >>> Hey,
> >>> When I perform any changes to xml files, OSSEC stopped working.
> >>> Should I use the "make" command for those changes to work, or any other
> >>> command after performing the changes?
> >>>
> >>>
> >>>
> >>> You can run `ossec-logtest -t` to test your changes before restarting
> >>> ossec. If there are issues, it should display error messages.
> >>>>
> >>>>
> >>>
> >>>
> >>> On Monday, August 21, 2017 at 10:25:45 PM UTC+5:30, dan (ddpbsd)
> wrote:
> >>>>
> >>>>
> >>>>
> >>>> On Aug 21, 2017 12:54 PM, "Ritu Soni" <ritu.s...@gmail.com> wrote:
> >>>>
> >>>> hello,
> >>>> I have installed OSSEC on UBUNTU server.
> >>>> I want to perform changes in OSSEC rules, so that it can detect an
> >>>> attack and display an alert like "DDOS Attack".
> >>>> Is it possible to perform changes in rules of OSSEC using xml files?
> >>>> What could be the possible method for this, please guide me.
> >>>>
> >>>>
> >>>> Local additions or changes to the rules can be done in
> >>>> /var/ossec/rules/local_rules.xml
> >>>>
> >>>>
> >>>>
> >>>>
>
-- 

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
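Editor's added example, not code from the thread or from the OSSEC project: a complete local_rules.xml that keeps the example rule shipped with OSSEC and adds the composite rule the thread is working towards, placed as a second top-level group after the existing one rather than nested inside it. Assumptions: the default install path /var/ossec, a rule id (100010) in the 100000-109999 range OSSEC reserves for local rules and not already used in your file, and that the events to be counted are already raised by existing rules tagged with the "attack" group. Note the spelling: the attribute is `timeframe`; `time_frame`, as in the first attempt quoted above, is not a rule attribute OSSEC recognises.

```xml
<!-- /var/ossec/rules/local_rules.xml (default install path; adjust if OSSEC lives elsewhere) -->

<!-- The group and rule 100001 that ship in the file stay exactly as they are. -->
<group name="local,syslog,">

  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,</group>
  </rule>

</group> <!-- SYSLOG,LOCAL -->

<!-- New group, added after the closing </group> above (never inside it).
     Rule ids 100000-109999 are reserved for local rules; 100010 is an assumed free id. -->
<group name="local,attack,">

  <!-- Composite rule: fires when events already tagged with the "attack" group
       arrive from one source IP repeatedly within 300 seconds.
       "timeframe" (one word) and "frequency" are the only attribute names OSSEC
       accepts for this; a misspelling such as "time_frame" is a config error.
       <same_source_ip /> only works for events whose decoder extracted a srcip. -->
  <rule id="100010" level="12" frequency="3" timeframe="300">
    <if_matched_group>attack</if_matched_group>
    <same_source_ip />
    <description>Repeated attack events from the same source IP</description>
    <options>alert_by_email</options>
    <group>attack_flood,</group>
  </rule>

</group> <!-- LOCAL,ATTACK -->
```

Validate before restarting, as suggested in the thread: `/var/ossec/bin/ossec-logtest -t` parses every rules file and prints the offending file and element if something is wrong, and only then `/var/ossec/bin/ossec-control restart`. Two caveats a practitioner should keep in mind: the composite rule detects nothing by itself, it only counts events that some other rule has already placed in the "attack" group, so if no such rule fires for your traffic it will never alert; and the OSSEC rule-syntax documentation warns that the event count at which a frequency rule fires is not exactly the number given, so confirm the threshold empirically by feeding ossec-logtest the same sample line repeatedly rather than trusting the value 3 on its own.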
