Re: [ossec-list] Re: Testing OSSEC

2017-08-28 Thread dan (ddp)
On Mon, Aug 28, 2017 at 12:17 AM, Ritu Soni wrote:
> Hey,
>
> I have added the rule in the local_rules.xml file in the same way as in the attached image.
> After adding the rule, I have restarted OSSEC services. But I get the following errors:

Re: [ossec-list] Re: Testing OSSEC

2017-08-24 Thread dan (ddp)
On Aug 24, 2017 12:56 PM, "Ritu Soni" wrote:
> Ok, thanks. Have you added the rule in local_rules.xml file? Or any other xml file?

I added it to my local_rules.xml file, outside of the tag near the bottom.

> On Thursday, August 24, 2017 at 6:14:56 PM UTC+5:30, dan

Re: [ossec-list] Re: Testing OSSEC

2017-08-24 Thread Ritu Soni
Hey,

When I add the same rule in local_rules.xml file, I get the following errors:

2017/08/24 22:54:00 ossec-config(1501): ERROR: Invalid SMTP Server: alt1.gmail-smtp-in.l.google.com.
2017/08/24 22:54:00 ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'.

Re: [ossec-list] Re: Testing OSSEC

2017-08-24 Thread Ritu Soni
Ok, thanks. Have you added the rule in local_rules.xml file? Or any other xml file?

On Thursday, August 24, 2017 at 6:14:56 PM UTC+5:30, dan (ddpbsd) wrote:
> On Thu, Aug 24, 2017 at 8:35 AM, dan (ddp) wrote:
> > On Aug 24, 2017 4:40 AM, "Ritu Soni"

Re: [ossec-list] Re: Testing OSSEC

2017-08-24 Thread dan (ddp)
On Aug 24, 2017 4:40 AM, "Ritu Soni" wrote:
> Hello, I simply want to test the rule for DDOS Attack, which is discussed previously:
> local_rules.xml: attacks|attack|automatic_attack Attacks from same source IP
> But this is not working.

Re: [ossec-list] Re: Testing OSSEC

2017-08-23 Thread dan (ddp)
On Aug 23, 2017 6:18 AM, "Ritu Soni" wrote:
> Hello, My work requirement is that OSSEC should generate an alert "Attack Detected", when the request from same IP address is received by the server for 3 or more times within 300 seconds. I have done changes in

Re: [ossec-list] Re: Testing OSSEC

2017-08-23 Thread Ritu Soni
Hello, My work requirement is that OSSEC should generate an alert "Attack Detected", when the request from same IP address is received by the server for 3 or more times within 300 seconds. I have done changes in syslog_rules.xml file: ** *attacks|attack|automatic_attack* *