Nice! Thanks

2009/2/24 Reggie Griffin <[email protected]>:
>
> Aurora,
>
> That is exactly what I was thinking. Good to know it's possible.
>
> -Reggie
>
> Aurora Mazzone wrote:
>> Hi Martin, Reggie,
>>
>> Reggie Griffin wrote:
>>
>>> It's not possible from what I know. The hostname is picked up when
>>> parsing the log file, at least from what the online docs say.
>>> I was thinking out loud. :-p
>>>
>>> -Reggie
>>>
>>> Martin Tartarelli wrote:
>>>
>>>> Reggie,
>>>>
>>>> 2009/2/23 Reggie Griffin <[email protected]>:
>>>>
>>>>> Martin,
>>>>>
>>>>> I see. In that case, it would be nice to insert a variable in the
>>>>> <hostname></hostname> tag. Then you could define groups of systems
>>>>> into one nice entry.
>>>>>
>>>> =) Interesting....... How can I do that?
>>>>
>>
>> I know that in the syslog_rules.xml rules file the "var" tag (the
>> variable name is expressed in the "name" attribute) has been used to
>> group many words that could be a symptom of a problem (used in a
>> catchall rule - 1002):
>>
>> [syslog_rules.xml]
>>
>> <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal
>> |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
>>
>> <rule id="1002" level="2">
>>   <match>$BAD_WORDS</match>
>>   <options>alert_by_email</options>
>>   <description>Unknown problem somewhere in the system.</description>
>> </rule>
>>
>> As you can see there are at least two possible ways:
>>
>> - with the two hostnames in "or" using the pipe (inside the rule)
>>
>> [local_rules.xml]
>>
>> <rule id="100999" level="10">
>>   <if_sid>5710</if_sid>
>>   <hostname>pippo|pluto</hostname>
>>   <description>test</description>
>> </rule>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Feb 24 10:09:43 aureliano sshd[18388]: Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>>        hostname: 'aureliano'
>>        program_name: 'sshd'
>>        log: 'Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'sshd'
>>        srcip: '127.0.0.1'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '5710'
>>        Level: '5'
>>        Description: 'Attempt to login using a non-existent user'
>> **Alert to be generated.
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Feb 24 10:09:43 pluto sshd[18388]: Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>>        hostname: 'pluto'
>>        program_name: 'sshd'
>>        log: 'Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'sshd'
>>        srcip: '127.0.0.1'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100999'
>>        Level: '10'
>>        Description: 'test'
>> **Alert to be generated.
>>
>> - with the variable HOSTS1 defined and used in the "hostname" tag
>>
>> [local_rules.xml]
>>
>> <var name="HOSTS1">pippo|pluto</var>
>> [...]
>> <rule id="100999" level="10">
>>   <if_sid>5710</if_sid>
>>   <hostname>$HOSTS1</hostname>
>>   <description>test</description>
>> </rule>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Feb 24 10:09:43 aureliano sshd[18388]: Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>>        hostname: 'aureliano'
>>        program_name: 'sshd'
>>        log: 'Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'sshd'
>>        srcip: '127.0.0.1'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '5710'
>>        Level: '5'
>>        Description: 'Attempt to login using a non-existent user'
>> **Alert to be generated.
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Feb 24 10:09:43 pluto sshd[18388]: Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>>        hostname: 'pluto'
>>        program_name: 'sshd'
>>        log: 'Failed password for invalid user piopio from 127.0.0.1 port 43765 ssh2'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'sshd'
>>        srcip: '127.0.0.1'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100999'
>>        Level: '10'
>>        Description: 'test'
>> **Alert to be generated.
>>
>> Is it what you needed?
>>
>> Aurora
>>
>>>>
>>>>> -Reggie
>>>>>
>>>>> Martin Tartarelli wrote:
>>>>>
>>>>>> Reggie,
>>>>>>
>>>>>> 2009/2/20 Reggie Griffin <[email protected]>:
>>>>>>
>>>>>>> Martin,
>>>>>>>
>>>>>>> I use the <hostname></hostname> parameter to accomplish this within my
>>>>>>> local_rules.xml file.
>>>>>>> Default location is /var/ossec/rules/local_rules.xml.
>>>>>>>
>>>>>>> Here is an example:
>>>>>>>
>>>>>>> <rule id="100019" level="0">
>>>>>>>   <if_sid>30112</if_sid>
>>>>>>>   <hostname>server2</hostname>
>>>>>>>   <description>Rule that ignores noisy errors from server2</description>
>>>>>>> </rule>
>>>>>>>
>>>>>>> <rule id="100020" level="3">
>>>>>>>   <if_sid>30112</if_sid>
>>>>>>>   <hostname>server1</hostname>
>>>>>>>   <description>Rule that limits the alert level for server1</description>
>>>>>>> </rule>
>>>>>>>
>>>>>>> If I am understanding you correctly, I believe you can have multiple
>>>>>>> <hostname></hostname> entries within the same rule id.
>>>>>>>
>>>>>>> -Reggie
>>>>>>>
>>>>>> Thanks for your answer, it's a good idea, but the problem with that is
>>>>>> when you have more than 500 servers, it's very difficult to create a
>>>>>> rule by host. In my case I like to discriminate server vs risk on
>>>>>> OSSEC with alert level.
>>>>>>
>>>>>>> Martin Tartarelli wrote:
>>>>>>>
>>>>>>>> Any idea?
>>>>>>>>
>>>>>>>> ---------- Forwarded message ----------
>>>>>>>> From: Martin Tartarelli <[email protected]>
>>>>>>>> Date: 2009/2/13
>>>>>>>> Subject: OSSEC with one or more Instance
>>>>>>>> To: [email protected]
>>>>>>>>
>>>>>>>> List, I need your help...
>>>>>>>>
>>>>>>>> OSSEC has the ability to discriminate critical alerts using the Alert
>>>>>>>> Level. Now, what happens when I use a second critical factor in terms
>>>>>>>> of servers?
>>>>>>>> For example...
>>>>>>>>
>>>>>>>> Critical H
>>>>>>>> SRV-PROD1
>>>>>>>> SRV-PROD2
>>>>>>>> rule id="1852" with alert level="8"
>>>>>>>>
>>>>>>>> Critical M
>>>>>>>> SRV-DESA1
>>>>>>>> SRV-DESA2
>>>>>>>> rule id="1852" with alert level="7"
>>>>>>>>
>>>>>>>> Critical L
>>>>>>>> SRV-RECO1
>>>>>>>> SRV-TEMP
>>>>>>>> rule id="1852" with alert level="5"
>>>>>>>>
>>>>>>>> What if I want to take the spoils but with a different warning alert
>>>>>>>> level? (because a server is more critical than the other).
>>>>>>>> Can I create multiple instances on the same server? In practice, how
>>>>>>>> can one discriminate xml (with rules) for different servers? Can I do
>>>>>>>> that? (maybe with more instances on the OSSEC server)
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> --
>>>>>>>> Martin Tartarelli
>>>>>>>> Linux User #476492
>>>>>>>> --
>>>>>>>>

--
Martin Tartarelli
Linux User #476492
http://owasp.org/index.php/Argentina
--
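To show how Aurora's `<var>` plus `<hostname>` approach scales to Martin's tiered host groups (high/low criticality, one level each), here is an added Python example that is not code from the thread or from OSSEC itself: it reads a constructed local_rules.xml fragment (hypothetical rule ids 100910/100911 and variable names HOSTS_H/HOSTS_L), expands the `$VAR` references, and reports which rule and level an event from a given host would reach. The match semantics are a simplified assumption (pipe-separated alternatives, substring unless anchored with ^ and $), which is also why the unanchored HOSTS_L pattern catches SRV-TEMP2 while the anchored HOSTS_H pattern does not catch SRV-PROD10.

```python
import re
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment modelled on the thread (hypothetical
# rule ids and group names): one <var> per host group and one child rule of
# sshd rule 5710 per group, each carrying that group's alert level.
LOCAL_RULES = """<group name="local,">
  <var name="HOSTS_H">^SRV-PROD1$|^SRV-PROD2$</var>
  <var name="HOSTS_L">SRV-RECO1|SRV-TEMP</var>
  <rule id="100910" level="8">
    <if_sid>5710</if_sid>
    <hostname>$HOSTS_H</hostname>
    <description>Invalid-user SSH login on a critical host</description>
  </rule>
  <rule id="100911" level="3">
    <if_sid>5710</if_sid>
    <hostname>$HOSTS_L</hostname>
    <description>Invalid-user SSH login on a low-criticality host</description>
  </rule>
</group>"""

def load_rules(xml_text):
    """Expand $VAR references in <hostname>; return (id, level, pattern) tuples."""
    root = ET.fromstring(xml_text)
    variables = {v.get("name"): v.text for v in root.findall("var")}
    rules = []
    for r in root.findall("rule"):
        pattern = r.findtext("hostname") or ""
        for name, value in variables.items():
            pattern = pattern.replace("$" + name, value)
        rules.append((r.get("id"), int(r.get("level")), pattern))
    return rules

def hostname_matches(pattern, host):
    """Simplified OSSEC match semantics (an assumption of this example): '|'
    separates alternatives; each is a substring match unless anchored by ^ / $."""
    for alt in pattern.split("|"):
        rx = ("^" if alt.startswith("^") else "") + re.escape(alt.strip("^$")) \
             + ("$" if alt.endswith("$") else "")
        if re.search(rx, host):
            return True
    return False

def classify(rules, host):
    """First child rule whose hostname pattern matches wins; otherwise the
    parent sshd rule 5710 fires at its own level 5 (as in the logtest output)."""
    for rule_id, level, pattern in rules:
        if hostname_matches(pattern, host):
            return rule_id, level
    return "5710", 5
```

Anchoring every alternative (as HOSTS_H does) is the safer default: an unanchored group name silently pulls in any host whose name merely contains it, and the level you assigned then applies to hosts you never listed.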
