Re: [ossec-list] Duplicate rule error

2018-04-06 Thread dan (ddp)
On Thu, Apr 5, 2018 at 6:39 PM, Cooper wrote:
> Do I need to leave those rule IDs as they were?  I'm guessing overwrite
> means that they overrule the other rules with the same IDs?
>

Looks like you fixed it, but an answer on the list might help someone else.
Overwrite does what it says: it overrides another rule.

The OSSEC provided rules files will be overwritten during an upgrade,
so to allow users to change those rules the overwrite option was
added.
A rule in local_rules.xml with the overwrite option will be used
instead of the rule with that same ID in another rule file.


Re: [ossec-list] Duplicate rule error

2018-04-05 Thread Cooper
Looks to be all set now.  Thanks for your help, Dan!

Starting OSSEC HIDS 2.9.3 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.


On Thursday, April 5, 2018 at 4:39:50 PM UTC-6, Cooper wrote:
>
> Do I need to leave those rule IDs as they were?  I'm guessing overwrite
> means that they overrule the other rules with the same IDs?
>

Re: [ossec-list] Duplicate rule error

2018-04-05 Thread Cooper
Do I need to leave those rule IDs as they were?  I'm guessing overwrite
means that they overrule the other rules with the same IDs?

On Thursday, April 5, 2018 at 4:34:03 PM UTC-6, Cooper wrote:
>
> Well that helped with the duplicate rule errors, so thank you for that!  
> Now I am getting an overwrite rule error:
>
> 2018/04/05 17:30:17 ossec-analysisd: Overwrite rule '120028' not found.
> 2018/04/05 17:30:17 ossec-testrule(1220): ERROR: Error loading the rules: 
> 'local_rules.xml'.
>
> Here is the rule it is referencing (there are several after it that I'm 
> sure will error out as well):
>
> 
>   
> ar_log
> Active Response Custom Messages Grouped
> active_response,
>   
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.

Re: [ossec-list] Duplicate rule error

2018-04-05 Thread Cooper
Well that helped with the duplicate rule errors, so thank you for that!  
Now I am getting an overwrite rule error:

2018/04/05 17:30:17 ossec-analysisd: Overwrite rule '120028' not found.
2018/04/05 17:30:17 ossec-testrule(1220): ERROR: Error loading the rules: 
'local_rules.xml'.

Here is the rule it is referencing (there are several after it that I'm 
sure will error out as well):


  
ar_log
Active Response Custom Messages Grouped
active_response,
  


On Thursday, April 5, 2018 at 2:00:22 PM UTC-6, Cooper wrote:
>
> Oh interesting! I assumed it was "unique" to that rule file. I'll try 
> re-IDing them and see what happens. 
>



Re: [ossec-list] Duplicate rule error

2018-04-05 Thread Cooper Graf
Oh interesting! I assumed it was "unique" to that rule file. I'll try
re-IDing them and see what happens.

On Thu, Apr 5, 2018 at 1:36 PM dan (ddp) wrote:

> Here's rule 2501 in OSSEC
> (
> https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml#L130
> ):
> 
>   
>   FAILED LOGIN |authentication failure|
>   Authentication failed for|invalid password for|
>   LOGIN FAILURE|auth failure: |authentication error|
>   authinternal failed|Failed to authorize|
>   Wrong password given for|login failed|Auth: Login
> incorrect|
>   Failed to authenticate user
>   authentication_failed,
>   User authentication failure.
> 
>
> So it looks like the custom rules implemented in your environment are
> using the ID ranges used by the project.
> I think rule id 10+ are reserved for custom rules.
> Anything below that could be used by the project at any time, possibly
> conflicting with custom rules using the wrong ranges.


Re: [ossec-list] Duplicate rule error

2018-04-05 Thread dan (ddp)
On Thu, Apr 5, 2018 at 11:04 AM, Cooper wrote:
> Here's the rule from the error:
>
> 
>   
>  esm
> authentication_failed,
> User authentication failure.
>   
> 
>
> If I comment it out, it just says the next rule is a duplicate, and so on
> and so on.  None are overwrite rules.
>

Here's rule 2501 in OSSEC
(https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml#L130):

  
  FAILED LOGIN |authentication failure|
  Authentication failed for|invalid password for|
  LOGIN FAILURE|auth failure: |authentication error|
  authinternal failed|Failed to authorize|
  Wrong password given for|login failed|Auth: Login incorrect|
  Failed to authenticate user
  authentication_failed,
  User authentication failure.


So it looks like the custom rules implemented in your environment are
using the ID ranges used by the project.
I think rule id 10+ are reserved for custom rules.
Anything below that could be used by the project at any time, possibly
conflicting with custom rules using the wrong ranges.
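
A small checker, added here as an example (not OSSEC code and not from anyone on the list), that walks rule files in load order and reports the two analysisd errors quoted in this thread plus custom rules sitting in a project ID range; it also shows the overwrite="yes" semantics dan describes in his 04-06 reply. Assumptions: the custom-rule range is taken as 100000-119999, which OSSEC's rule documentation reserves for user rules, and every XML input is a constructed sample rather than the poster's actual files.

```python
"""Lint OSSEC rule files for the load-time errors seen in this thread.
Added example, not OSSEC code.  Files are walked in the order ossec.conf lists
them (local_rules.xml last), as ossec-analysisd does, reporting an ID already
defined earlier without overwrite="yes" ("Duplicate rule ID"), an overwrite
rule whose ID nothing earlier defined ("Overwrite rule not found"), and a new
local rule outside the custom-rule ID range (assumed 100000-119999)."""
import xml.etree.ElementTree as ET

USER_RANGE = (100000, 119999)  # assumption: OSSEC's documented custom-rule range


def parse_rules(xml_text):
    """Return [(rule_id, overwrite)] in file order.  A rule file may contain
    several top-level <group> elements, so wrap it in a dummy root first."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return [(int(r.get("id")), r.get("overwrite", "no").lower() == "yes")
            for r in root.iter("rule")]


def lint_rule_files(files):
    """files: [(filename, xml_text)] in load order.  Returns (problems, owner):
    messages in analysisd's wording, and rule_id -> file whose definition is
    in effect once loading finishes (a valid overwrite changes the owner)."""
    owner, problems = {}, []
    for name, text in files:
        for rid, overwrite in parse_rules(text):
            if overwrite:
                if rid in owner:
                    owner[rid] = name  # local definition replaces the earlier one
                else:
                    problems.append(f"{name}: Overwrite rule '{rid}' not found.")
            elif rid in owner:
                problems.append(f"{name}: Duplicate rule ID:{rid} "
                                f"(already defined in {owner[rid]})")
            else:
                if name == "local_rules.xml" and not USER_RANGE[0] <= rid <= USER_RANGE[1]:
                    problems.append(f"{name}: rule {rid} is outside the custom "
                                    f"range {USER_RANGE[0]}-{USER_RANGE[1]}")
                owner[rid] = name
    return problems, owner


# Constructed stand-in for the stock syslog_rules.xml (2501's match list cut short).
SYSLOG_RULES = """
<group name="syslog,">
  <rule id="2501" level="5">
    <match>FAILED LOGIN |authentication failure|Failed to authenticate user</match>
    <group>authentication_failed,</group>
    <description>User authentication failure.</description>
  </rule>
</group>
"""

# Constructed migrated local_rules.xml: 2501 collides with the stock rule, 2502
# sits in a project range, and 120028 claims overwrite="yes" with no target.
LOCAL_RULES_BROKEN = """
<group name="local,">
  <rule id="2501" level="5">
    <group>authentication_failed,</group>
    <description>User authentication failure.</description>
  </rule>
  <rule id="2502" level="3">
    <description>Another migrated rule.</description>
  </rule>
  <rule id="120028" level="3" overwrite="yes">
    <if_group>ar_log</if_group>
    <description>Active Response Custom Messages Grouped</description>
  </rule>
</group>
"""

# Re-IDed into the custom range; the one rule that must replace stock 2501
# keeps that ID and says so with overwrite="yes".
LOCAL_RULES_FIXED = """
<group name="local,">
  <rule id="100028" level="3">
    <if_group>ar_log</if_group>
    <description>Active Response Custom Messages Grouped</description>
  </rule>
  <rule id="2501" level="10" overwrite="yes">
    <match>FAILED LOGIN |authentication failure|Failed to authenticate user</match>
    <group>authentication_failed,</group>
    <description>User authentication failure (site override).</description>
  </rule>
</group>
"""


def check_local(local_rules):
    """Load the stock file first, then the given local_rules.xml text."""
    return lint_rule_files([("syslog_rules.xml", SYSLOG_RULES),
                            ("local_rules.xml", local_rules)])
```

Running `check_local` on the broken sample yields the duplicate, range and overwrite-not-found messages in file order, while the fixed sample loads clean with `local_rules.xml` owning rule 2501.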



Re: [ossec-list] Duplicate rule error

2018-04-05 Thread Cooper
Here's the rule from the error:


  
 esm
authentication_failed,
User authentication failure.
  


If I comment it out, it just says the next rule is a duplicate, and so on 
and so on.  None are overwrite rules.

On Thursday, April 5, 2018 at 4:04:56 AM UTC-6, dan (ddpbsd) wrote:
>
> Look for 'overwrite="yes"' in the rule.
>


Re: [ossec-list] Duplicate rule error

2018-04-05 Thread dan (ddp)
On Wed, Apr 4, 2018, 8:56 PM Cooper wrote:

> Sorry Dan, I'm horribly new to managing ossec (yesterday).  How would I
> know that?
>

Look for 'overwrite="yes"' in the rule.


