For what it's worth, I've just tried for the first time today to create ignore rules in my OSSEC 2.4 server's local_rules.xml, and it doesn't seem to be working for me either...
Alessandro

________________________________
From: Chad Robertson <[email protected]>
To: ossec-list <[email protected]>
Sent: Tue, April 6, 2010 3:26:09 PM
Subject: [ossec-list] custom rules do not work after update to 2.4

I might have a bug to report, though hopefully someone else can verify it's legit. Prior to updating to 2.4, I had a script that generates rules. These rules were all dependent upon 31100 and worked by matching the requesting srcip. After the update they no longer work as they did.

Example rule:

  <group name="web">
    <rule id="100740" level="14">
      <if_sid>31100</if_sid>
      <srcip>109.123.78.44</srcip>
      <description>Evil Haxors!!</description>
    </rule>
  </group>

Before update:

  **Phase 1: Completed pre-decoding.
         full event: '2010-04-06 11:41:01 <hostname> x.x.x.x GET /evilfile.php 80 - 109.123.78.44 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) - - www.wantsfly.com 301'
         hostname: 'test'
         program_name: '(null)'
         log: '2010-04-06 11:41:01 <hostname> x.x.x.x GET /evilfile.php 80 - 109.123.78.44 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) - - www.wantsfly.com 301'

  **Phase 2: Completed decoding.
         decoder: 'windows-date-format'
         url: '/prx2.php'
         srcip: '109.123.78.44'
         id: '301'

  **Phase 3: Completed filtering (rules).
         Rule id: '100740'
         Level: '14'
         Description: 'Evil Haxors!!'

  **Alert to be generated.

After update:

  ....<same as above>...

  **Phase 3: Completed filtering (rules).
         Rule id: '31108'
         Level: '0'
         Description: 'Ignored URLs (simple queries).'

I verified that I had added my custom rules xml file back into the ossec.conf after the update. It seems to load it (as shown in the ossec.log file), but it just no longer works as it did. It's almost like the default ruleset overrides my custom rules. If I change my rule to be dependent upon 31108 instead of 31100, it works.

To verify, I reverted back to 2.3 (after adding the rule.xml file back into the ossec.conf file) and it works again.
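The behaviour Chad describes (the event landing on the level-0 rule 31108 instead of his 100740, and 100740 working again once it hangs off 31108) can be reproduced with a small model of how OSSEC walks its rule tree. This is an added example, not OSSEC's code or anything from the thread; the rule-matching semantics are a deliberately simplified assumption (roots are rules without <if_sid>, children of a matched rule are tried in load order, the first match wins and the walk then descends), the <url> pattern given to 31108 is a constructed stand-in because the real one is not on the page, and the event fields are those from the phase 2 output in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Simplified model of OSSEC rule-tree evaluation (added example, not OSSEC code):
# a rule with no <if_sid> is a root; <if_sid>N</if_sid> makes it a child of N.
# Children of a matched rule are tried in load order, the first one that matches
# wins, and the walk then descends into that child's own children.


@dataclass
class Rule:
    id: int
    level: int
    description: str
    if_sid: Optional[int] = None   # parent rule id, None for a root rule
    srcip: Optional[str] = None    # exact match on the decoded srcip field
    url: Optional[str] = None      # regex applied to the decoded url field


def rule_matches(rule: Rule, event: Dict[str, str]) -> bool:
    """True when every condition the rule carries holds for this decoded event."""
    if rule.srcip is not None and event.get("srcip") != rule.srcip:
        return False
    if rule.url is not None and not re.search(rule.url, event.get("url", "")):
        return False
    return True


def evaluate(rules: List[Rule], event: Dict[str, str]) -> Optional[Rule]:
    """Return the deepest rule reached for the event, or None if no root matches."""
    roots: List[Rule] = []
    children: Dict[int, List[Rule]] = {}
    for r in rules:                       # load order is preserved in both lists
        if r.if_sid is None:
            roots.append(r)
        else:
            children.setdefault(r.if_sid, []).append(r)

    def descend(candidates: List[Rule]) -> Optional[Rule]:
        for r in candidates:
            if rule_matches(r, event):
                deeper = descend(children.get(r.id, []))
                return deeper if deeper is not None else r
        return None

    return descend(roots)


# Constructed stand-ins for the default web rules. The real <url> pattern of
# 31108 is not on the page; here it simply means "a URL with no query string".
DEFAULT_RULES = [
    Rule(31100, 0, "Access log messages grouped."),
    Rule(31108, 0, "Ignored URLs (simple queries).", if_sid=31100, url=r"^/[^?]*$"),
]

# Decoded fields taken from the phase 2 output in the post.
EVENT = {"url": "/prx2.php", "srcip": "109.123.78.44", "id": "301"}


def custom_rule(parent: int) -> Rule:
    """The poster's rule 100740, parameterised on the rule it depends upon."""
    return Rule(100740, 14, "Evil Haxors!!", if_sid=parent, srcip="109.123.78.44")


def final_rule(parent: int) -> Rule:
    """local_rules.xml is loaded after the default rule files, so the custom rule
    is appended after the default children of its parent."""
    return evaluate(DEFAULT_RULES + [custom_rule(parent)], EVENT)


if __name__ == "__main__":
    for parent in (31100, 31108):
        r = final_rule(parent)
        print(f"if_sid={parent}: matched rule {r.id} level {r.level} ({r.description})")
```

With <if_sid>31100</if_sid> the custom rule is a sibling of 31108 and sits after it in load order, so 31108 matches first and the event ends at level 0, exactly the phase 3 output after the update. With <if_sid>31108</if_sid> the custom rule is evaluated as a child of 31108 after it matches, and the level-14 alert is produced. For a custom rule that needs to fire on traffic a default ignore rule would otherwise swallow, chaining off the ignore rule (or whichever sibling wins first) is therefore the dependable choice.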
