Re: [ossec-list] Re: Modify rules
On Thu, Mar 23, 2017 at 12:29 PM, The Dude wrote:
> I went with the first option. Works as expected but now I need to adjust the
> number of fails before the IP is blocked. Where do I do that?

Try using 5720 for the rule to trigger active response. It looks for 8+ instances by default.

> On Monday, March 20, 2017 at 2:56:29 PM UTC-4, The Dude wrote:
>> I am new to ossec and I am trying to figure out what is the best way to
>> change a rule. In the ossec.conf it says this:
>>
>>>     host-deny
>>>     local
>>>     6
>>>     600
>>
>> I am assuming the level it is referring to is the level set in the
>> rule.xml. So the sshd_rules.xml has this line:
>>
>>>     5700
>>>     ^Failed|^error: PAM: Authentication
>>>     SSHD authentication failed.
>>>     authentication_failed,
>>
>> When testing failed ssh logins I see the alert in the alert.log for the
>> rule above. How should I go about changing the level to 6 so it will get
>> blocked? I tried editing the sshd_rules.xml but get the read only warning.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: Modify rules
I went with the first option. Works as expected but now I need to adjust the number of fails before the IP is blocked. Where do I do that?
[ossec-list] Re: Modify rules
One other bit of information - the "read only" error has nothing to do with OSSEC itself. It is simply a warning based on Linux saying that the file is marked without the "W" attribute. You can resolve this from "vi" by simply using a "w" upon exit. For example, after you edit the sshd_rules.xml, enter:

    :wq!

That will over-write the file.

However, any changes to the built-in files will be overwritten next time you upgrade, so Victor's comment about using local_rules.xml is actually more correct.

Kat
[ossec-list] Re: Modify rules
Hi,

You have some options to achieve this:

One of them is to increase the rule level. Changing the value at the original rule would work, but I'd recommend you to create a new rule (at file *local_rules.xml*), adding attribute 'overwrite="yes"' and changing the rule level:

    5700
    ^Failed|^error: PAM: Authentication
    SSHD authentication failed.
    authentication_failed,

Another option would be enabling Active response for rule 5716 in particular, using option "rules_id" inside group:

    host-deny
    local
    6
    5711
    600

Hope it helps.

Best regards.
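Editor's note: the configuration fragments quoted in this thread lost their XML element names when the messages were archived, so the block below writes out what the two replies are describing in full. It is an added example, not code posted by Victor, Kat, Dan or the OSSEC project. It assumes a stock OSSEC 2.x sshd_rules.xml, in which the "SSHD authentication failed." rule quoted by the original poster is id 5716 (a child of 5700) and the correlated "Multiple SSHD authentication failures." rule is id 5720, shipped with frequency="8" and timeframe="120"; confirm both ids and attributes in your own rules/sshd_rules.xml before copying anything. Rather than raising 5716 to level 6 (which makes the level-6 active response host-deny a source on its very first failed login, including an admin who mistyped a password), it combines the second option from the reply above (rules_id) with the later pointer to 5720, and tunes the failure count by overwriting 5720 in local_rules.xml, which survives upgrades where edits to sshd_rules.xml do not.

```xml
<!-- Added example (editor's, not from the thread or the OSSEC project).
     Assumed: stock OSSEC 2.x sshd_rules.xml, where the quoted "SSHD authentication
     failed." rule is id 5716 (if_sid 5700) and "Multiple SSHD authentication
     failures." is id 5720 with frequency="8" timeframe="120". Verify before use. -->

<!-- 1. /var/ossec/rules/local_rules.xml
        Tune how many failures are needed by overwriting 5720. overwrite="yes"
        replaces the whole rule, so every child element must be repeated, not just
        the changed attribute. Per the OSSEC rules documentation a frequency rule
        fires after frequency + 2 matching events inside timeframe, so frequency="4"
        means the 6th failure from one source IP within 120 s triggers the rule. -->
<group name="local,syslog,sshd,">
  <rule id="5720" level="10" frequency="4" timeframe="120" overwrite="yes">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSHD authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>
</group>

<!-- 2. /var/ossec/etc/ossec.conf, inside <ossec_config>
        Fire host-deny only for rule 5720 (the "rules_id" option from the reply)
        instead of for every alert at level 6 or higher. <level> is omitted here on
        the assumption that rules_id alone is accepted by your version; if it
        complains, keep the thread's <level>6</level>: 5720 is level 10, so it still
        matches. <timeout> is how long, in seconds, the address stays blocked. -->
<active-response>
  <command>host-deny</command>
  <location>local</location>
  <rules_id>5720</rules_id>
  <timeout>600</timeout>
</active-response>
```

Before restarting, add the addresses you administer from to `<global><white_list>…</white_list></global>` in ossec.conf so a bad test run cannot lock you out, then check the rule with `/var/ossec/bin/ossec-logtest` (paste the same "Failed password" line from /var/log/auth.log several times; the output should switch from rule 5716 to rule 5720 once the threshold is crossed) and apply it with `/var/ossec/bin/ossec-control restart`.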