Hey,
Thanks for your suggestions. Now OSSEC is generating logs and not
giving errors after restarting it a couple of times.
Now I want to test the rule, that is, I want to perform an attack
according to that rule. I have tried to log in from PuTTY in Windows 3 times
within 5 mins, so that it will show "attack from same source IP". But
it is not working.
What else can I do? Or how is it going to work?
Is there any other method to get an alert after adding this rule? Please suggest.

On Friday, May 6, 2016 at 3:15:58 PM UTC+5:30, Jesus Linares wrote:
>
> Hi Jiri,
>
> Also, you can run the command "/var/ossec/bin/agent_control -lc" to get the
> connected agents. Keep in mind that in order to know if an agent is
> connected, disconnected or never connected, OSSEC reads the modification
> date of the files in /var/ossec/queue/agent-info/*:
>
>    - if there is no file for the agent, the status is never connected
>    - if the modification time of the file is less than a defined timeout,
>    the status is active. If it is greater, then the status is disconnected.
>
> The timeout is 3*NOTIFY_TIME+30; NOTIFY_TIME by default is 600 seconds.
>
> Regarding the rules to detect DDOS attacks, you could create something 
> like this:
>
> local_rules.xml:
>
> <group name="attack,">
>     <rule id="200000" level="15" timeframe="300" frequency="3">
>         <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
>         <same_source_ip />
>         <description>Attacks from same source IP</description>
>     </rule>
> </group>
>
> You are saying: if one of these groups (attack, attacks or
> automatic_attack) has matched in the last 300 seconds more than 5 times
> (frequency + 2) and the event comes from the same IP, it could be a DDOS
> attack. You can play with the variables (timeframe and frequency) or create
> new rules with a specific group and append it to the rule.
>
> Regards.
> Jesus Linares.
>
>
>
> On Thursday, May 5, 2016 at 8:44:50 PM UTC+2, dan (ddpbsd) wrote:
>>
>> On Thu, May 5, 2016 at 2:12 PM, Jiri <necrosi...@gmail.com> wrote:
>> > Hi,
>> >
>> > I just finished installing ossec on ubuntu as a server and windows agent on
>> > another computer. How do I test if my agent is successfully connected to me?
>> > Also, can someone help me on creating rules to detect a ddos attack or
>> > any attack on my server?
>> >
>>
>> On the server you can run `/var/ossec/bin/list_agents -c` to see the 
>> connected agents. 
>> Check out the rules that already exist in /var/ossec/rules. They 
>> should be useful as a template. 
>> If you still need help, please ask. 
>>
>> > Thanks, 
>> > Regards. 
>> > 
>> > --
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>>
>
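As an added illustration (not code from the thread, and not OSSEC's own implementation), a Python model of how the composite rule quoted above counts events: only alerts whose group matches `if_matched_group` count, they must share a source IP, and the rule fires once frequency + 2 of them fall inside `timeframe`, as Jesus explains. The alerts are constructed; it is an assumption that the PuTTY login failures carry a group other than the three the rule names, which is what would explain the failed test above.

```python
import re
from dataclasses import dataclass

# The composite rule from the thread, modelled as data (not OSSEC's parser).
RULE = {"id": 200000, "level": 15, "timeframe": 300, "frequency": 3,
        "if_matched_group": re.compile(r"attacks|attack|automatic_attack"),
        "same_source_ip": True}

@dataclass
class Alert:
    ts: int        # seconds on a constructed timeline
    srcip: str
    groups: str    # comma-separated groups of the rule that produced the alert

def matches_group(alert, pattern):
    # Simplification: the regex must match one whole group name.
    return any(pattern.fullmatch(g) for g in alert.groups.split(","))

def correlate(alerts, rule):
    """Return (ts, srcip) for each firing of the composite rule."""
    fired, window = [], {}        # window: srcip -> timestamps still inside timeframe
    for a in sorted(alerts, key=lambda x: x.ts):
        if not matches_group(a, rule["if_matched_group"]):
            continue              # events from other groups never count
        key = a.srcip if rule["same_source_ip"] else "*"
        bucket = [t for t in window.get(key, []) if a.ts - t <= rule["timeframe"]]
        bucket.append(a.ts)
        if len(bucket) >= rule["frequency"] + 2:   # threshold as explained in the thread
            fired.append((a.ts, a.srcip))
            bucket = []           # one burst fires once
        window[key] = bucket
    return fired

# Constructed alerts. Assumption: the three login failures carry a group that is
# not attack/attacks/automatic_attack, so the rule never sees them.
SAMPLE = [Alert(t, "10.0.0.5", "syslog,sshd,authentication_failed") for t in (0, 60, 120)]
# Five attack-group alerts from one IP within 200 s: this is what fires the rule.
SAMPLE += [Alert(t, "192.0.2.7", "web,attack") for t in range(1000, 1250, 50)]
# Five attack-group alerts split across two IPs: same_source_ip keeps them apart.
SAMPLE += [Alert(2000 + i * 10, f"198.51.100.{i % 2 + 1}", "web,attack") for i in range(5)]

if __name__ == "__main__":
    for ts, ip in correlate(SAMPLE, RULE):
        print(f"rule {RULE['id']} level {RULE['level']}: attacks from same source IP {ip} at t={ts}")
```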
