[ossec-list] getting authentication alerts from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Hello,

On OSSEC 2.8.3 I am trying to get alerts only for RDP authentication events from Windows agents. These events are shown in the event log Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational, for example with event ID 1149.

In my Windows agent's conf file I have:

Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational eventchannel

On the server, in my local_rules.xml, I have:

Remote Desktop Services Remote Desktop Connection Established

I get no messages from the remote client (which does send alerts if I use Security). I see some traffic from client to server with tcpdump if I generate 1149 logon events, but no evidence even with yes in the OSSEC server. Can anyone share some insight?

Many thanks,
g.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
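As an added example (not the poster's configuration), one way the two halves fit together: the agent reads the channel with the eventchannel log format, and a local rule on the server matches event ID 1149 from that channel. The rule id 100100, level 5 and the description are my assumptions, as is the premise that the stock Windows rules (msauth_rules.xml) place eventchannel events in group "windows" and that the forwarded log line carries the channel name so `<match>` can pin the rule to it.

```xml
<!-- Agent side: ossec.conf on the Windows host.
     Subscribes the agent to the RDP connection-manager channel. -->
<ossec_config>
  <localfile>
    <location>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>

<!-- Server side: /var/ossec/rules/local_rules.xml.
     Event 1149 is logged when a client passes network-level
     authentication and an RDP session is about to be built, so it is
     a useful "someone reached this host over RDP" signal. -->
<group name="local,windows,">
  <!-- Assumed: stock msauth_rules.xml tags WinEvtLog events as group
       "windows", so chaining on that group keeps the stock decoding. -->
  <rule id="100100" level="5">
    <if_group>windows</if_group>
    <!-- Assumed: the channel name is present in the forwarded line;
         restricting on it avoids colliding with ID 1149 from other logs. -->
    <match>TerminalServices-RemoteConnectionManager/Operational</match>
    <id>^1149$</id>
    <description>Remote Desktop Services: remote desktop connection established (event 1149)</description>
    <group>authentication_success,</group>
  </rule>
</group>
```

Run `ossec-logtest` on the server and paste one forwarded 1149 line to confirm the stock decoder picks it up and that rule 100100 fires before expecting an alert; if the line never reaches logtest, the problem is on the agent or transport side rather than in the rule.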
Re: [ossec-list] Re: Testing OSSEC
On Aug 23, 2017 6:18 AM, "Ritu Soni" wrote:

> Hello,
> My work requirement is that OSSEC should generate an alert "Attack Detected" when the request from the same IP address is received by the server 3 or more times within 300 seconds. I have done changes in the syslog_rules.xml file:
>
> attacks|attack|automatic_attack
> alert_by_email
> DDOS Attack Detected
>
> But when I restart OSSEC, it generates an error msg: "OSSEC analysisd: Testing rules failed. Configuration error. Exiting". Are these changes made correct? If not, please suggest the changes to achieve the same.

I don't see anything obviously incorrect with the changes. I'm not sure if_matched_group accepts multiple groups, or if they are pipe delimited though. Getting the actual errors (from logtest -t or the ossec.log) might help.

Stylistically though, modifying the rules files (except local_rules.xml) is a bad idea. Changes will be overwritten during updates. Also, I consider rule 1002 to be very important, and changing it isn't something I encourage.

> On Monday, August 21, 2017 at 10:43:53 PM UTC+5:30, dan (ddpbsd) wrote:
>
> > On Aug 21, 2017 1:07 PM, "Ritu Soni" wrote:
> >
> > > Hey,
> > > When I perform any changes to xml files, OSSEC stopped working. Should I use the "make" command for those changes to work, or any other command after performing the changes?
> >
> > You can run `ossec-logtest -t` to test your changes before restarting ossec. If there are issues, it should display error messages.
> >
> > > On Monday, August 21, 2017 at 10:25:45 PM UTC+5:30, dan (ddpbsd) wrote:
> > >
> > > > On Aug 21, 2017 12:54 PM, "Ritu Soni" wrote:
> > > >
> > > > > hello,
> > > > > I have installed OSSEC on an Ubuntu server. I want to perform changes in OSSEC rules so that it can detect an attack and display an alert like "DDOS Attack". Is it possible to perform changes in rules of OSSEC using xml files? What could be the possible method for this? Please guide me.
> > > >
> > > > Local additions or changes to the rules can be done in /var/ossec/rules/local_rules.xml
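As an added example of the kind of composite rule the requirement describes, placed in local_rules.xml as dan advises rather than in syslog_rules.xml (this is not code from the thread; rule id 100200 and level 10 are my assumptions): it chains on the single stock group "attacks", which sidesteps the open question of whether if_matched_group takes a pipe-delimited list.

```xml
<!-- /var/ossec/rules/local_rules.xml -->
<group name="local,">
  <!-- Fire once three events from any rule tagged "attacks" arrive from
       the same source IP inside a 300-second window. frequency and
       timeframe live on the <rule> element; the child elements say
       which earlier alerts count and how they must correlate. -->
  <rule id="100200" level="10" frequency="3" timeframe="300">
    <if_matched_group>attacks</if_matched_group>
    <!-- Correlation on source IP only works when the decoder of the
         matched events extracts srcip; events without a decoded source
         address never satisfy this condition. -->
    <same_source_ip />
    <options>alert_by_email</options>
    <description>Attack Detected: 3 or more attack events from the same source IP within 300 seconds</description>
    <group>attacks,</group>
  </rule>
</group>
```

Validate with `/var/ossec/bin/ossec-logtest -t` before restarting; a malformed element is reported there with the offending rule id instead of only the generic "Testing rules failed" line in ossec.log.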
Re: [ossec-list] Re: Testing OSSEC
Hello,

My work requirement is that OSSEC should generate an alert "Attack Detected" when the request from the same IP address is received by the server 3 or more times within 300 seconds. I have done changes in the syslog_rules.xml file:

attacks|attack|automatic_attack
alert_by_email
DDOS Attack Detected

But when I restart OSSEC, it generates an error msg: "OSSEC analysisd: Testing rules failed. Configuration error. Exiting". Are these changes made correct? If not, please suggest the changes to achieve the same.