Hello,
I don't seem to get a hit on rule 40101 on the supplied log line without the rule on OSSEC 2.3, so it's hard to debug. Do you have any customization that allows 40101 to fire?

My only thought is that perhaps you need to specify all the digits in the time or include a space, such as <time>02:00 - 02:01</time>. Perhaps try <time>2 am - 2:01 am</time>?

Justin C. Klein Keane
Sr. Information Security Specialist
Information Security and Unix Systems
University of Pennsylvania School of Arts and Sciences
3600 Market St. Room 520
Philadelphia, PA 19104
215.898.0236(p)
215.573.3166(f)

The digital signature on this e-mail can be confirmed using the public key at https://www.sas.upenn.edu/computing/user/3.

On 06/30/2010 03:45 PM, tm wrote:
> Hello,
>
> Our log rotation occurs every night and generates a lot of 40101
> alerts because of an su to nobody. So, I added the following rule to
> local_rules.xml:
>
> <rule id="104011" level="0">
>   <if_sid>40101</if_sid>
>   <user>nobody</user>
>   <time>2:00-2:01</time>
>   <match>^(to nobody) root on none</match>
>   <description>Ignore "su to nobody" by log rotation jobs nightly
>   between 2:00 am and 2:01 am</description>
> </rule>
>
> I have tested this rule with ossec-logtest and sample events from our
> logs. Here's a sample event:
>
> Jun 30 02:00:02 machine_name su: (to nobody) root on none
>
> My 104011 rule only works if I remove the <time></time> line. I have
> tried every permutation I can think of, such as adding a space before
> and after the dash and using am/pm notation instead of 24-hour clock
> notation. I have even increased the time range to 2:00-3:00 and still
> no luck.
>
> The date and time are supposed to be extracted by the predecoder, so I
> can't see that any su decoder changes I have made would make a
> difference.
>
> Anyone got any ideas?
>
> Thanks,
>
> tm
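Since the whole question is what the rule's <time> element accepts, here is an added example, not OSSEC's own code and not anything posted in the thread: a small Python model of the documented <time> spellings (24-hour hh:mm-hh:mm, 12-hour h am - h pm, an optional leading ! to negate, optional whitespace around the dash), together with a syslog-timestamp extraction standing in for the predecoder. It shows that the three spellings Justin and tm discuss normalize to the same one-minute window and that the quoted event at 02:00:02 falls inside 02:00-02:01 under those semantics, and it also handles a window that crosses midnight. The sample log lines other than the quoted one are constructed, the inclusive minute-granularity comparison is this example's assumption, and because this is not OSSEC's parser it cannot tell you why the real rule 104011 failed; ossec-logtest remains the authority for that.

```python
"""Toy model of an OSSEC <time> range check (added example, not OSSEC code)."""
import re

# Constructed sample events: the first is the line quoted in the thread,
# the rest are made up to exercise the edges of the 02:00-02:01 window.
SAMPLE_EVENTS = [
    "Jun 30 02:00:02 machine_name su: (to nobody) root on none",
    "Jun 30 02:01:59 machine_name su: (to nobody) root on none",
    "Jun 30 02:02:00 machine_name su: (to nobody) root on none",
    "Jun 30 14:00:00 machine_name su: (to nobody) root on none",
]

# Rule 104011's <match> rewritten for Python's re module. OSSEC <match>
# patterns are not Python regexes, so the parentheses are escaped here to
# keep them literal, as they are in the posted rule.
RULE_104011_MATCH = r"^\(to nobody\) root on none"

# "Mon dd hh:mm:ss host program: body" (BSD syslog layout)
_SYSLOG = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+(\d{2}):(\d{2}):(\d{2})\s+(\S+)\s+([^:\s]+):\s*(.*)$"
)
# "h", "hh:mm", "h am", "hh:mm pm"
_CLOCK = re.compile(r"^(\d{1,2})(?::(\d{2}))?\s*(am|pm)?$", re.IGNORECASE)


def predecode(line):
    """Mimic the predecoder: pull hh:mm (as minutes since midnight), the
    program name and the message body out of a syslog-style line."""
    m = _SYSLOG.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    hh, mm = int(m.group(1)), int(m.group(2))
    return {"minutes": hh * 60 + mm, "program": m.group(5), "body": m.group(6)}


def _clock_to_minutes(text):
    """Parse one side of a <time> range into minutes since midnight."""
    m = _CLOCK.match(text.strip())
    if not m:
        raise ValueError("bad clock value: %r" % text)
    hour, minute, meridian = int(m.group(1)), int(m.group(2) or 0), m.group(3)
    if meridian:
        if not 1 <= hour <= 12:
            raise ValueError("12-hour clock needs 1-12: %r" % text)
        # 12 am -> 0, 12 pm -> 12, 6 pm -> 18
        hour = hour % 12 + (12 if meridian.lower() == "pm" else 0)
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("out of range: %r" % text)
    return hour * 60 + minute


def parse_time_spec(spec):
    """Normalize a <time> value to (start, end, negated) in minutes.
    Leading/trailing space and space around the dash are ignored, so
    '2:00-2:01', '02:00 - 02:01' and '2 am - 2:01 am' all come out equal."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    parts = spec.split("-")
    if len(parts) != 2:
        raise ValueError("expected one 'start-end' range: %r" % spec)
    return _clock_to_minutes(parts[0]), _clock_to_minutes(parts[1]), negated


def in_time_range(minutes, spec):
    """Inclusive, minute-granularity check (this example's assumption);
    a range whose end is before its start wraps across midnight."""
    start, end, negated = parse_time_spec(spec)
    if start <= end:
        inside = start <= minutes <= end
    else:
        inside = minutes >= start or minutes <= end
    return (not inside) if negated else inside


def rule_hits(line, time_spec, body_pattern):
    """True when the message body matches AND the event time is in the window,
    the two conditions rule 104011 combines."""
    ev = predecode(line)
    return bool(re.search(body_pattern, ev["body"])) and in_time_range(ev["minutes"], time_spec)


if __name__ == "__main__":
    for spec in ("2:00-2:01", "02:00 - 02:01", "2 am - 2:01 am", "6 pm - 8:30 am"):
        print("%-16s -> %s" % (spec, parse_time_spec(spec)))
    for line in SAMPLE_EVENTS:
        print(line[:15], rule_hits(line, "2:00-2:01", RULE_104011_MATCH))
```

Run it as a script to see the normalized windows and a hit/miss per sample line; if a spelling raises ValueError here it is at least a candidate for being rejected upstream, but a spelling this model accepts is no proof that OSSEC 2.3 accepts it.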
