Hi,
I've been spending a little time trying to understand how OSSEC
interprets the various rules.xml files. I've read several excellent
explanations on how to do specific things but I still have some
general questions about rules brought on by some behaviors we have
observed.
First, the rules in question: 18105, 18106 and 18130 are a good sample
that demonstrates the issue.
<rule id="18106" level="5">
  <if_sid>18105</if_sid>
  <id>^529|^530|^531|^532|^533|^534|^535|^536|^537|^539|^4625</id>
  <description>Windows Logon Failure.</description>
  <group>win_authentication_failed,</group>
</rule>
18106 has a level of 5, so one would expect that it would appear in
alerts.log if 18105 is successful AND 529 is successful. In our
particular setup we have the 18105 level set to 0, so no message from that
rule should appear in alerts.log. Next, let's look at the particular
rule for Windows #529.
<rule id="18130" level="5">
  <if_sid>18106</if_sid>
  <id>^529</id>
  <description>Logon Failure - Unknown user or bad password.</description>
  <info>http://www.ultimatewindowssecurity.com/events/com190.html</info>
  <group>win_authentication_failed,</group>
</rule>
One would expect that a message from 18106 AND 18130 would appear in
the alerts.log and in the webui but the only thing that appeared on
the web and in the alerts.log file is 18130. Why? Level 0 rules
definitely are ignored and will not be listed but anything above that
level is definitely supposed to appear in the alerts.log file and the
webui (we have checked the conf files to make sure this is the case as
it pertains to levels).
Is there some logic in the group tag that causes higher-numbered or
more-specific rules to supersede earlier rules in the same group and thus
to NOT appear in the alerts.log or webui?
This is important to us because we are currently tuning OSSEC to give
us a smaller number of higher priority messages. Thanks!
Regards,
Brett Berger
DB Consulting
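As an added illustration (not part of the original thread and not OSSEC's own code), the following Python models the parent/child walk that OSSEC performs over `<if_sid>` rules, which is what produces the behaviour described in the post: a child rule is only tested once its parent has matched, and when the whole chain 18105 -> 18106 -> 18130 matches, only the deepest rule is the one written to alerts.log; the parents act as routing steps rather than separate alerts. Rule 18105 is modelled here as a catch-all root with level 0 (an assumption: the real rule also tests the audit status field), and the `<id>` patterns from the post are matched with Python's `re` module, which reads these simple `^`/`|` patterns the same way OSSEC does.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    rule_id: int
    level: int
    description: str
    id_regex: Optional[str] = None   # value of <id>; None means "no <id> test"
    if_sid: Optional[int] = None     # value of <if_sid>; None means a root rule
    children: List["Rule"] = field(default_factory=list)

    def matches(self, event_id: str) -> bool:
        # OSSEC's <id> pattern uses ^ anchors and | alternation, which Python's
        # re module interprets the same way for these simple patterns.
        return self.id_regex is None or re.search(self.id_regex, event_id) is not None


def sample_rules() -> List[Rule]:
    """The three rules from the post. 18105 is modelled as a root that matches
    every Windows event (a constructed simplification; the real rule also
    checks the audit status), with level 0 as in the poster's configuration."""
    return [
        Rule(18105, 0, "Windows audit failure event (constructed parent)"),
        Rule(18106, 5, "Windows Logon Failure.",
             id_regex="^529|^530|^531|^532|^533|^534|^535|^536|^537|^539|^4625",
             if_sid=18105),
        Rule(18130, 5, "Logon Failure - Unknown user or bad password.",
             id_regex="^529", if_sid=18106),
    ]


def build_tree(rules: List[Rule]) -> List[Rule]:
    """Link each rule under its <if_sid> parent and return the root rules."""
    by_id = {r.rule_id: r for r in rules}
    roots: List[Rule] = []
    for r in rules:
        if r.if_sid is None:
            roots.append(r)
        else:
            by_id[r.if_sid].children.append(r)
    return roots


def match_path(roots: List[Rule], event_id: str) -> List[Rule]:
    """Walk the tree the way OSSEC does: a child is only tested once its
    parent matched, and the first matching child at each level is followed
    further down. Returns every rule on the matched chain, root first."""
    for rule in roots:
        if rule.matches(event_id):
            return [rule] + match_path(rule.children, event_id)
    return []


def alert_for(roots: List[Rule], event_id: str, min_level: int = 1) -> Optional[Rule]:
    """Only the deepest matched rule becomes the alert; its parents on the
    chain never appear in alerts.log themselves. A final match below
    min_level (level 0 by default) is dropped entirely."""
    path = match_path(roots, event_id)
    if not path or path[-1].level < min_level:
        return None
    return path[-1]


if __name__ == "__main__":
    roots = build_tree(sample_rules())
    # Constructed event ids: 529 and 530 are logon failures, 4624 is not in
    # the 18106 list at all.
    for eid in ("529", "530", "4624"):
        chain = " -> ".join(str(r.rule_id) for r in match_path(roots, eid))
        hit = alert_for(roots, eid)
        print(f"event {eid}: matched chain [{chain}], "
              f"alert = {hit.rule_id if hit else 'none'}")
```

Running it shows event 529 matching the full chain 18105 -> 18106 -> 18130 but alerting only as 18130, event 530 stopping at 18106 (18130's `<id>` is `^529` only) and alerting as 18106, and an event outside the 18106 list ending at the level-0 parent and producing no alert at all. When tuning for fewer, higher-priority alerts, the practical consequence is that the level of the most specific rule in a chain is the one that counts, so raising or lowering a parent's level only affects events that match no child.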