I don't have access to ossec at the moment, so specifics won't be possible.
The log event that triggers your first rule may not trigger another rule in
ossec, but the second one (that requires the if_sid) does.
Until the if_sid is added, the rule 31151 is considered the best match.
Rearranging the rules may make your custom rule the best match, but adding
if_sid is easier.
Not sure if that makes sense. If not, let me know. I'll try again (from a
computer instead of my phone).
Sent from my Nokia phone
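The chained form of Brian's rule, as Dan suggests, is shown here as an added example (not part of the original thread). It assumes the rule lives in local_rules.xml and reuses Brian's own group name, rule id and sample address.

```xml
<group name="local,accesslog,apache,">
  <!-- With if_sid, this rule is evaluated as a child of 31151: it is only
       considered after that rule matches, and because it is level 0 it
       becomes the best match and suppresses the level-10 alert. -->
  <rule id="200004" level="0">
    <if_sid>31151</if_sid>
    <srcip>1.2.3.4</srcip>
    <regex>www\.example\.com/v9/windowsupdate/</regex>
    <description>Windows update probes</description>
  </rule>
</group>
```

Without the if_sid line this same rule sits at the top of the tree and never gets a chance to override 31151, which is the behaviour Brian observed.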
-----Original Message-----
From: Brian
Sent: 04/15/2010 10:53:58 PM
Subject: [ossec-list] Re: Rule for web access_log not working
Dan,
Adding that made the alerts stop. That's really good, thank you!
Now my question is why did adding the <if_sid> finally work?
Here's a rule that works fine (doesn't send alerts):
<group name="local,syslog,">
<rule id="100009" level="0">
<match>Accepted publickey for X from 1.2.3.4</match>
<description>Ignore ssh connections by X on network</description>
</rule>
</group>
But this doesn't work unless I use <if_sid>:
<group name="local,accesslog,apache,">
<rule id="200004" level="0">
<srcip>1.2.3.4</srcip>
<regex>www\.example\.com/v9/windowsupdate/</regex>
<description>Windows update probes</description>
</rule>
</group>
By the way, I'm running the latest version, and it was installed
fresh.
-Brian
On Apr 14, 8:34 pm, "dan (ddp)" <[email protected]> wrote:
> If rule 200004 is your custom rule, it looks like it isn't being applied.
> Try adding <if_sid>31151</if_sid> to your rule.
>
> On Wed, Apr 14, 2010 at 3:17 PM, Brian <[email protected]> wrote:
> > In the email alert, however, it is being listed as "level 10", which
> > is leading me to believe my local rule is just being ignored:
>
> > Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes
> > from same source ip."
>
> > -Brian