Re: [ossec-list] Re: Modify rules

2017-03-23 Thread dan (ddp)
On Thu, Mar 23, 2017 at 12:29 PM, The Dude  wrote:
> I went with the first option. Works as expected but now I need to adjust the
> number of fails before the IP is blocked. Where do I do that?
>

Try using 5720 for the rule to trigger active response. It looks for
8+ instances by default.

>
> On Monday, March 20, 2017 at 2:56:29 PM UTC-4, The Dude wrote:
>>
>> I am new to ossec and I am trying to figure out what is the best way to
>> change a rule. In the ossec.conf it says this
>>
>>>   <active-response>
>>>     <command>host-deny</command>
>>>     <location>local</location>
>>>     <level>6</level>
>>>     <timeout>600</timeout>
>>>   </active-response>
>>
>> I am assuming the level it is referring to is the level set in the
>> rule.xml. So the sshd_rules.xml has this line.
>>
>>>   <rule id="5716" level="5">
>>>     <if_sid>5700</if_sid>
>>>     <match>^Failed|^error: PAM: Authentication</match>
>>>     <description>SSHD authentication failed.</description>
>>>     <group>authentication_failed,</group>
>>>   </rule>
>>
>> When testing failed ssh logins I see the alert in the alert.log for the
>> rule above. How should I go about changing the level to 6 so it will get
>> blocked? I tried editing the sshd_rules.xml but get the read-only warning.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: Modify rules

2017-03-23 Thread The Dude
I went with the first option. Works as expected but now I need to adjust
the number of fails before the IP is blocked. Where do I do that?




[ossec-list] Re: Modify rules

2017-03-21 Thread Kat
One other bit of information - the "read only" error has nothing to do with
OSSEC itself. It is simply a warning based on Linux saying that the file is
marked without the "W" attribute. You can resolve this from "vi" by simply
using a "w" upon exit. For example, after you edit the sshd_rules.xml,
enter

  :wq!

That will overwrite the file. However, any changes to the built-in files
will be overwritten next time you upgrade, so Victor's comment about using
local_rules.xml is actually more correct.

Kat




[ossec-list] Re: Modify rules

2017-03-20 Thread Victor Fernandez
Hi,

You have some options to achieve this:

One of them is to increase the rule level. Changing the value at the
original rule would work, but I'd recommend that you create a new rule (in
the file *local_rules.xml*), adding the attribute 'overwrite="yes"' and
changing the rule level:

  <rule id="5716" level="6" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

Another option would be enabling Active response for rule 5716 in
particular, using the option "rules_id" inside the <active-response> group:

  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <rules_id>5716</rules_id>
    <timeout>600</timeout>
  </active-response>

Hope it helps.
Best regards.





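Putting dan's suggestion (key the block on the correlation rule 5720 and tune how many 5716 hits it takes) together with Victor's overwrite and rules_id mechanisms, here is an added example that is not from anyone in this thread. It assumes the stock 5720 body shown in the comments, uses frequency and timeframe values chosen for illustration, and keys the active response on rules_id alone so that a rule's level no longer matters.

```xml
<!-- local_rules.xml: this file survives upgrades, unlike sshd_rules.xml -->
<group name="local,syslog,sshd,">
  <!-- Replace the stock correlation rule 5720 with overwrite="yes".
       Everything except frequency/timeframe mirrors the stock rule
       (assumed here), because overwrite replaces the whole rule.
       frequency is how many 5716 alerts from the same source are
       needed inside timeframe seconds; both values are illustrative. -->
  <rule id="5720" level="10" frequency="4" timeframe="300" overwrite="yes">
    <if_matched_sid>5716</if_matched_sid>
    <description>Multiple SSHD authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>
</group>

<!-- ossec.conf: fire host-deny only when 5720 matches, not on every
     level-6+ alert, so the threshold above is the only thing that
     decides when an IP is blocked. timeout is the unblock delay (s). -->
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>5720</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After restarting OSSEC, verify the threshold with a few deliberate failed logins from a test host and watch alerts.log for a 5720 alert followed by the host-deny entry in active-responses.log; as dan notes, the count that actually triggers can differ from the literal frequency value, so check rather than assume.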