Hi Charles,

Overriding the rules is the right way of doing it, however you cannot use the
same rule ID for it. Instead, try the following:

<group name="apache,">
  <rule id="100300" level="5">
    <if_sid>30109</if_sid>
    <description>Attempt to login using a non-existent user.</description>
    <group>invalid_login,</group>
  </rule>

  <rule id="100301" level="9" frequency="5" timeframe="120">
    <if_matched_sid>100300</if_matched_sid>
    <regex>user \S+ not found</regex>
    <description>Attempt to login using a non-existent user.</description>
    <group>invalid_login,</group>
  </rule>
</group> <!-- ERROR_LOG,APACHE -->


The first rule "100300", will be fired in place of the 30109 ..

Let us know if it works or not.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 11/17/06, kef_list <[EMAIL PROTECTED]> wrote:

Hi guys,

I need your help to override one of the built in rules (I prefer to
override than to edit the built-in rules to make upgrading easier).

There is an Apache rule that I find way too extreme:

<rule id="30109" level="9">
  <if_sid>30101</if_sid>
  <regex>user \S+ not found</regex>
  <description>Attempt to login using a non-existent user.</description>
  <group>invalid_login,</group>
</rule>

It causes an active-response the FIRST time a user makes a mistake
with his username. I want to change it to 5 tries.

So I added to my "local_rules.xml" file:

<group name="apache,">
  <rule id="30109" level="5">
    <if_sid>30101</if_sid>
    <regex>user \S+ not found</regex>
    <description>Attempt to login using a non-existent user.</description>
    <group>invalid_login,</group>
  </rule>

  <rule id="100301" level="9" frequency="5" timeframe="120">
    <if_matched_sid>30109</if_matched_sid>
    <regex>user \S+ not found</regex>
    <description>Attempt to login using a non-existent user.</description>
    <group>invalid_login,</group>
  </rule>
</group> <!-- ERROR_LOG,APACHE -->



But this does not work. The built-in apache rule gets called instead
of my "override". So far I have only been able to make it work by
deleting the rule from the apache.xml file.

Does anyone know how I can accomplish this without editing any of the
built-in files?

Thanks,
Charles



____________________________________________________
Institut Balear de Comunicacions, S.L.
Gremio Tejedores 22, 1
07009 Palma de Mallorca, Spain
Tel:  +34 971.45.90.99  | Mobile: +34 607.87.12.77
Fax: +34 971.43.08.18  | E-mail: [EMAIL PROTECTED]
URL: http://www.ibacom.es/
____________________________________________________
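The mistake in the original post (redefining a built-in ID in local_rules.xml instead of giving the override a new ID) is easy to catch mechanically. The following is an added example, not OSSEC project code and not part of the thread: a small Python linter that parses a local_rules.xml fragment and flags rule IDs that collide with built-in IDs or fall outside the 100000-119999 range OSSEC reserves for local rules, unresolved `<if_sid>`/`<if_matched_sid>` references, and `frequency` rules that lack an `<if_matched_*>` condition. The set of built-in IDs (`BUILTIN_IDS`) and the two sample fragments are constructed here from the rules quoted in the thread; a real run would collect the built-in IDs from the rule files shipped with OSSEC.

```python
"""Lint an OSSEC local_rules.xml fragment for ID collisions with built-in rules.

Added example for the thread above; not OSSEC's own code.
"""
import xml.etree.ElementTree as ET

# OSSEC reserves this ID range for user-defined rules in local_rules.xml.
LOCAL_ID_MIN, LOCAL_ID_MAX = 100000, 119999

# Constructed stand-in for the built-in rule IDs (the two apache.xml rules
# quoted in the thread). A real run would gather these from the shipped files.
BUILTIN_IDS = {30101, 30109}

# Constructed sample: the override from the original post (reuses ID 30109).
CHARLES_LOCAL_RULES = r"""
<group name="apache,">
  <rule id="30109" level="5">
    <if_sid>30101</if_sid>
    <regex>user \S+ not found</regex>
    <description>Attempt to login using a non-existent user.</description>
    <group>invalid_login,</group>
  </rule>
  <rule id="100301" level="9" frequency="5" timeframe="120">
    <if_matched_sid>30109</if_matched_sid>
    <regex>user \S+ not found</regex>
    <description>Attempt to login using a non-existent user.</description>
    <group>invalid_login,</group>
  </rule>
</group> <!-- ERROR_LOG,APACHE -->
"""

# Constructed sample: the corrected override from the reply (new ID 100300).
DANIEL_LOCAL_RULES = r"""
<group name="apache,">
  <rule id="100300" level="5">
    <if_sid>30109</if_sid>
    <description>Attempt to login using a non-existent user.</description>
    <group>invalid_login,</group>
  </rule>
  <rule id="100301" level="9" frequency="5" timeframe="120">
    <if_matched_sid>100300</if_matched_sid>
    <regex>user \S+ not found</regex>
    <description>Attempt to login using a non-existent user.</description>
    <group>invalid_login,</group>
  </rule>
</group> <!-- ERROR_LOG,APACHE -->
"""


def parse_rules(fragment):
    """Return {rule_id: <rule> element}.

    OSSEC rule files may hold several top-level <group> elements, so the
    fragment is wrapped in a synthetic root to make it well-formed XML.
    """
    root = ET.fromstring("<ossec_rules>" + fragment + "</ossec_rules>")
    return {int(rule.get("id")): rule for rule in root.iter("rule")}


def _referenced_ids(rule, tag):
    """IDs listed in a comma-separated <if_sid> or <if_matched_sid> element."""
    node = rule.find(tag)
    if node is None or not node.text:
        return []
    return [int(part) for part in node.text.split(",") if part.strip()]


def lint_local_rules(local_xml, builtin_ids=BUILTIN_IDS):
    """Return a list of human-readable findings; an empty list means clean."""
    local = parse_rules(local_xml)
    known = set(builtin_ids) | set(local)
    findings = []
    for rid, rule in local.items():
        if rid in builtin_ids:
            findings.append(
                f"rule {rid}: reuses a built-in ID; the built-in rule is used "
                f"instead, so give the override a new ID and point "
                f"<if_sid>{rid}</if_sid> at it"
            )
        if not LOCAL_ID_MIN <= rid <= LOCAL_ID_MAX:
            findings.append(
                f"rule {rid}: ID outside the local range "
                f"{LOCAL_ID_MIN}-{LOCAL_ID_MAX}"
            )
        for tag in ("if_sid", "if_matched_sid"):
            for ref in _referenced_ids(rule, tag):
                if ref not in known:
                    findings.append(f"rule {rid}: <{tag}> references unknown rule {ref}")
        has_matched = any(
            rule.find(t) is not None
            for t in ("if_matched_sid", "if_matched_group", "if_matched_regex")
        )
        if rule.get("frequency") and not has_matched:
            findings.append(f"rule {rid}: frequency set but no <if_matched_*> condition")
    return findings


if __name__ == "__main__":
    for label, xml in (("original post", CHARLES_LOCAL_RULES), ("reply", DANIEL_LOCAL_RULES)):
        print(f"== {label} ==")
        for finding in lint_local_rules(xml) or ["clean"]:
            print("  " + finding)
```

Run against the original post's fragment the linter reports that 30109 reuses a built-in ID and sits outside the local range; the reply's fragment comes back clean, and its `<if_matched_sid>100300</if_matched_sid>` resolves because local IDs are added to the known set before references are checked.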