Hi Phil, I don't know enough to add meaningfully, but in the last paragraph this looked unusual.
<same_source_ip />

Perhaps same_source_ip is built into ossec, but the tags look like it's missing brackets. Is this supposed to send a notification email or make an active response?

Eric

> Hi,
>
> I am attempting to write a suite of rules for Zimbra but have an issue with
> the composite rules. Within my local_rules.xml I have:
>
> <group name="zimbra,">
>   <rule id="100100" level="0">
>     <decoded_as>zimbra</decoded_as>
>     <description>Zimbra Messages Grouped</description>
>   </rule>
>
>   <rule id="100101" level="3">
>     <if_sid>100100</if_sid>
>     <match>account not found$</match>
>     <description>Account Unknown</description>
>     <group>account_unknown,zimbra_failures,</group>
>   </rule>
>
>   <rule id="100102" level="3">
>     <if_sid>100100</if_sid>
>     <match>invalid password$</match>
>     <description>Invalid Password</description>
>     <group>invalid_password,</group>
>   </rule>
>
>   <rule id="100103" level="5">
>     <if_sid>100100</if_sid>
>     <match>preauth mismatch$</match>
>     <description>Preauth Mismatch</description>
>     <group>preauth_mismatch,zimbra_failures,</group>
>   </rule>
>
>   <!-- Composite rules -->
>
>   <rule id="100110" level="8" frequency="5" timeframe="30">
>     <if_matched_group>zimbra_failures</if_matched_group>
>     <same_source_ip />
>     <description>Zimbra Multiple Failures</description>
>   </rule>
> </group>
>
> Individually they work fine; yet if I fire off 10 entries to the log
> file for preauth mismatch the composite rule does not alert. Is there
> something glaringly wrong in my ruleset?
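As an added illustration (not part of this thread and not OSSEC's own code), the following Python script loads the quoted local_rules.xml, matches constructed Zimbra log events against the atomic rules, and applies a simplified model of the composite rule: it fires once `frequency` events carrying the watched group arrive from the same source IP within `timeframe` seconds. That counting model is an assumption of the example, not a statement of OSSEC's exact frequency semantics. The one OSSEC behaviour it relies on is that `<same_source_ip />` can only correlate events for which the decoder actually extracted a source IP; the second batch of sample events, which carries no srcip, therefore produces no alert.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# The ruleset from the post, embedded here as a constructed string.
LOCAL_RULES = """<group name="zimbra,">
  <rule id="100100" level="0">
    <decoded_as>zimbra</decoded_as>
    <description>Zimbra Messages Grouped</description>
  </rule>
  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <match>account not found$</match>
    <description>Account Unknown</description>
    <group>account_unknown,zimbra_failures,</group>
  </rule>
  <rule id="100102" level="3">
    <if_sid>100100</if_sid>
    <match>invalid password$</match>
    <description>Invalid Password</description>
    <group>invalid_password,</group>
  </rule>
  <rule id="100103" level="5">
    <if_sid>100100</if_sid>
    <match>preauth mismatch$</match>
    <description>Preauth Mismatch</description>
    <group>preauth_mismatch,zimbra_failures,</group>
  </rule>
  <rule id="100110" level="8" frequency="5" timeframe="30">
    <if_matched_group>zimbra_failures</if_matched_group>
    <same_source_ip />
    <description>Zimbra Multiple Failures</description>
  </rule>
</group>"""


def load_rules(xml_text):
    """Parse each <rule> into a dict. A rule's groups are the comma-separated
    tokens of its own <group> plus the enclosing <group name="..."> tag."""
    root = ET.fromstring(xml_text)
    parent_groups = {g for g in root.get("name", "").split(",") if g}
    rules = []
    for r in root.findall("rule"):
        own = r.findtext("group", "")
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "match": r.findtext("match"),
            "groups": parent_groups | {g for g in own.split(",") if g},
            "if_matched_group": r.findtext("if_matched_group"),
            "same_source_ip": r.find("same_source_ip") is not None,
            "frequency": int(r.get("frequency", 0)),
            "timeframe": int(r.get("timeframe", 0)),
        })
    return rules


def match_atomic(rules, message):
    """Return the first non-composite rule whose <match> fits the message.
    A trailing '$' anchors the pattern to the end of the line."""
    for rule in rules:
        pat = rule["match"]
        if pat is None or rule["if_matched_group"]:
            continue
        if pat.endswith("$"):
            if message.endswith(pat[:-1]):
                return rule
        elif pat in message:
            return rule
    return None


def correlate(rules, events):
    """Simplified composite evaluation (an assumption of this example): fire
    when `frequency` events carrying a watched group, from the same srcip,
    fall within `timeframe` seconds. Events with no decoded srcip cannot
    take part in a same_source_ip correlation."""
    composites = [r for r in rules if r["if_matched_group"]]
    windows = defaultdict(deque)  # (composite id, srcip) -> timestamps
    alerts = []
    for ev in events:
        hit = match_atomic(rules, ev["message"])
        if hit is None:
            continue
        for comp in composites:
            if comp["if_matched_group"] not in hit["groups"]:
                continue
            if comp["same_source_ip"] and ev.get("srcip") is None:
                continue  # no source IP decoded: nothing to correlate on
            win = windows[(comp["id"], ev.get("srcip"))]
            win.append(ev["ts"])
            while win and ev["ts"] - win[0] > comp["timeframe"]:
                win.popleft()  # drop events older than the timeframe
            if len(win) >= comp["frequency"]:
                alerts.append((comp["id"], ev.get("srcip"), ev["ts"]))
                win.clear()  # one burst yields one alert
    return alerts


# Constructed sample events: ten preauth mismatches from one client within
# 30 seconds, then ten more for which no source IP was decoded.
SAMPLE_EVENTS = (
    [{"ts": 1000 + i, "srcip": "192.0.2.10", "message": "zimbra preauth mismatch"} for i in range(10)]
    + [{"ts": 2000 + i, "srcip": None, "message": "zimbra preauth mismatch"} for i in range(10)]
)

if __name__ == "__main__":
    for alert in correlate(load_rules(LOCAL_RULES), SAMPLE_EVENTS):
        print("alert rule %s srcip=%s at t=%d" % alert)
```

Running it shows two alerts for 192.0.2.10 (at the fifth and tenth event) and none for the batch without a source IP; swapping the sample messages to "invalid password" also yields nothing, because rule 100102 is not tagged zimbra_failures and so never feeds the composite.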
