Hi Martin, Reggie,
Reggie Griffin wrote:
> It's not possible from what I know. The hostname is picked up when
> parsing the log file, at least from what
> the online docs say.
> I was thinking out loud. :-p
>
> -Reggie
>
> Martin Tartarelli wrote:
>> Reggie,
>>
>> 2009/2/23 Reggie Griffin <[email protected]>:
>>
>>> Martin,
>>>
>>> I see. In that case, it would be nice to insert a variable in the
>>> <hostname></hostname> tag. Then
>>> you could define groups of systems into one nice entry.
>>>
>>>
>> =) Interesting....... How can I do that?
>>
I know that in the syslog_rules.xml rules file the "var" tag (the variable name is given in the "name" attribute) has been used to group many words that could be a symptom of a problem (used in a catchall rule, 1002):

[syslog_rules.xml]
<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
<rule id="1002" level="2">
  <match>$BAD_WORDS</match>
  <options>alert_by_email</options>
  <description>Unknown problem somewhere in the system.</description>
</rule>
As you can see, there are at least two possible ways:

- with the two hostnames combined in "or" using the pipe (inside the rule)

[local_rules.xml]
<rule id="100999" level="10">
  <if_sid>5710</if_sid>
  <hostname>pippo|pluto</hostname>
  <description>test</description>
</rule>

**Phase 1: Completed pre-decoding.
full event: 'Feb 24 10:09:43 aureliano sshd[18388]: Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
hostname: 'aureliano'
program_name: 'sshd'
log: 'Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
**Phase 2: Completed decoding.
decoder: 'sshd'
srcip: '127.0.0.1'
**Phase 3: Completed filtering (rules).
Rule id: '5710'
Level: '5'
Description: 'Attempt to login using a non-existent user'
**Alert to be generated.

**Phase 1: Completed pre-decoding.
full event: 'Feb 24 10:09:43 pluto sshd[18388]: Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
hostname: 'pluto'
program_name: 'sshd'
log: 'Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
**Phase 2: Completed decoding.
decoder: 'sshd'
srcip: '127.0.0.1'
**Phase 3: Completed filtering (rules).
Rule id: '100999'
Level: '10'
Description: 'test'
**Alert to be generated.

- with the variable HOSTS1 defined and used in the "hostname" tag

[local_rules.xml]
<var name="HOSTS1">pippo|pluto</var>
[...]
<rule id="100999" level="10">
  <if_sid>5710</if_sid>
  <hostname>$HOSTS1</hostname>
  <description>test</description>
</rule>

**Phase 1: Completed pre-decoding.
full event: 'Feb 24 10:09:43 aureliano sshd[18388]: Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
hostname: 'aureliano'
program_name: 'sshd'
log: 'Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
**Phase 2: Completed decoding.
decoder: 'sshd'
srcip: '127.0.0.1'
**Phase 3: Completed filtering (rules).
Rule id: '5710'
Level: '5'
Description: 'Attempt to login using a non-existent user'
**Alert to be generated.

**Phase 1: Completed pre-decoding.
full event: 'Feb 24 10:09:43 pluto sshd[18388]: Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
hostname: 'pluto'
program_name: 'sshd'
log: 'Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
**Phase 2: Completed decoding.
decoder: 'sshd'
srcip: '127.0.0.1'
**Phase 3: Completed filtering (rules).
Rule id: '100999'
Level: '10'
Description: 'test'
**Alert to be generated.

Is this what you needed?
Aurora
>>
>>> -Reggie
>>>
>>> Martin Tartarelli wrote:
>>>
>>>> Reggie,
>>>>
>>>> 2009/2/20 Reggie Griffin <[email protected]>:
>>>>
>>>>
>>>>> Martin,
>>>>>
>>>>> I use the <hostname></hostname> parameter to accomplish this within my
>>>>> local_rules.xml file.
>>>>> Default location is /var/ossec/rules/local_rules.xml.
>>>>>
>>>>> Here is an example:
>>>>>
>>>>> <rule id="100019" level="0">
>>>>>   <if_sid>30112</if_sid>
>>>>>   <hostname>server2</hostname>
>>>>>   <description>Rule that ignores noisy errors from server2</description>
>>>>> </rule>
>>>>>
>>>>> <rule id="100020" level="3">
>>>>>   <if_sid>30112</if_sid>
>>>>>   <hostname>server1</hostname>
>>>>>   <description>Rule that limits the alert level for server1</description>
>>>>> </rule>
>>>>>
>>>>> If I am understanding you correctly, I believe you can have multiple
>>>>> <hostname></hostname> entries within the same rule id.
>>>>>
>>>>> -Reggie
>>>>>
>>>>>
>>>>>
>>>> Thanks for your answer, it's a good idea, but the problem with that is
>>>> when you have more than 500 servers, it's very difficult to create a
>>>> rule per host. In my case I'd like to discriminate server vs risk on
>>>> OSSEC with the alert level.
>>>>
>>>>
>>>>
>>>>> Martin Tartarelli wrote:
>>>>>
>>>>>
>>>>>> Any idea?
>>>>>>
>>>>>>
>>>>>> ---------- Forwarded message ----------
>>>>>> From: Martin Tartarelli <[email protected]>
>>>>>> Date: 2009/2/13
>>>>>> Subject: OSSEC with one or more Instance
>>>>>> To: [email protected]
>>>>>>
>>>>>>
>>>>>> List, I need your help...
>>>>>>
>>>>>> OSSEC has the ability to discriminate critical alerts using the Alert
>>>>>> Level. Now, what happens when I use a second critical factor in terms
>>>>>> of servers?
>>>>>> For example...
>>>>>>
>>>>>> Critical H
>>>>>> SRV-PROD1
>>>>>> SRV-PROD2
>>>>>> rule id="1852" with alert level="8"
>>>>>>
>>>>>> Critical M
>>>>>> SRV-DESA1
>>>>>> SRV-DESA2
>>>>>> rule id="1852" with alert level="7"
>>>>>>
>>>>>> Critical L
>>>>>> SRV-RECO1
>>>>>> SRV-TEMP
>>>>>> rule id="1852" with alert level="5"
>>>>>>
>>>>>>
>>>>>> What if I want to take the spoils but with a different warning alert
>>>>>> level? (because one server is more critical than the other).
>>>>>> Can I create multiple instances on the same server? In practice, how can
>>>>>> one discriminate the xml (with rules) for different servers? Can I do
>>>>>> that? (maybe with more instances on the ossec server)
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> --
>>>>>> Martin Tartarelli
>>>>>> Linux User #476492
>>>>>> --
>>>>>>
>>>>>>
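As an added example that is not part of this thread or of OSSEC's own code, here is a small Python model of the two steps Aurora's second variant relies on: expanding a <var> reference inside <hostname>, and letting a child rule (if_sid 5710) raise the level only for hosts the pattern matches. It assumes the simplified matching semantics noted in the comments (the pipe as an OR of substring tests) and that the parent sshd rule 5710 fires at level 5, as in the phase output above; the rules fragment and syslog lines are constructed.

```python
import re
from xml.etree import ElementTree as ET
# Constructed local_rules.xml fragment, mirroring the second variant in the thread.
LOCAL_RULES = """<group name="local">
  <var name="HOSTS1">pippo|pluto</var>
  <rule id="100999" level="10">
    <if_sid>5710</if_sid>
    <hostname>$HOSTS1</hostname>
    <description>test</description>
  </rule>
</group>"""

# Constructed syslog lines shaped like the two events tested in the thread.
EVENTS = [
    "Feb 24 10:09:43 aureliano sshd[18388]: Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2",
    "Feb 24 10:09:43 pluto sshd[18388]: Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2",
]

# Phase 1 (pre-decoding): hostname and program_name come from the syslog header.
SYSLOG_HDR = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<hostname>\S+) (?P<program>[^\[:]+)")

def load_rules(xml_text):
    """Parse <var> definitions and <rule> entries, expanding $NAME inside <hostname>."""
    root = ET.fromstring(xml_text)
    variables = {v.get("name"): v.text for v in root.iter("var")}
    rules = []
    for r in root.iter("rule"):
        host = r.findtext("hostname") or ""
        for name, value in variables.items():
            host = host.replace("$" + name, value)
        rules.append({"id": int(r.get("id")), "level": int(r.get("level")),
                      "if_sid": int(r.findtext("if_sid")), "hostname": host})
    return rules

def predecode(event):
    m = SYSLOG_HDR.match(event)
    return {"hostname": m["hostname"], "program_name": m["program"]}

def hostname_matches(pattern, hostname):
    # Assumption (simplified model): '|' separates alternatives and each one is a
    # substring test; a rule without <hostname> matches every host.
    return not pattern or any(alt in hostname for alt in pattern.split("|"))

def evaluate(event, rules, parent_sid=5710, parent_level=5):
    """Phase 3: the first child of 5710 whose hostname matches overrides it; else 5710 stands."""
    fields = predecode(event)
    for r in rules:
        if r["if_sid"] == parent_sid and hostname_matches(r["hostname"], fields["hostname"]):
            return r["id"], r["level"]
    return parent_sid, parent_level
```

With the constructed input, the aureliano event stays at (5710, 5) and the pluto event becomes (100999, 10), matching the two phase outputs Aurora posted.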