I need help configuring my agents.
My rules are working fine for most of our servers, but there are some
exceptions to them. E.g. our development server cannot be handled as
strictly as the production server.
To explain the problem I will choose some of the problematic default
rules:
<rule id="31101" level="5">
  <if_sid>31100</if_sid>
  <id>^4</id>
  <description>Web server 400 error code.</description>
</rule>
AND
<rule id="31151" level="10" frequency="10" timeframe="120">
  <if_matched_sid>31101</if_matched_sid>
  <same_source_ip />
  <description>Mutiple web server 400 error codes </description>
  <description>from same source ip.</description>
  <group>web_scan,recon,</group>
</rule>
These rules basically work fine. I get an email if someone is
responsible for a 4xx error 12 times within 120 seconds. What I would
like to do now is turn that rule OFF on a single server and override it
with a weaker rule. So I did the following in the local_rules.xml:
<!-- we need to disable this rule first before overriding it -->
<rule id="100103" level="0">
  <if_sid>31151</if_sid>
  <hostname>my_server</hostname>
</rule>
<!-- WEAKEN standard rule on my_server -->
<rule id="100102" level="10" frequency="20" timeframe="120">
  <hostname>my_server</hostname>
  <if_matched_sid>31101</if_matched_sid>
  <same_source_ip />
  <description>Mutiple web server 400 error codes </description>
  <description>from same source ip.</description>
  <group>web_scan,recon,</group>
</rule>
I would have thought that this has to work, but as long as the
frequency in the last rule is higher than in rule 31151, ossec-logtest
does not work. After 12 occurrences it will just fire:
192.168.1.22 - user [11/Nov/2011:17:08:49 +0100] "OPTIONS /mypath HTTP/1.1" 401 710 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
**Phase 1: Completed pre-decoding.
full event: '192.168.1.22 - user [11/Nov/2011:17:08:49 +0100] "OPTIONS /mypath HTTP/1.1" 401 710 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"'
hostname: 'my_server'
program_name: '(null)'
log: '192.168.1.22 - user [11/Nov/2011:17:08:49 +0100] "OPTIONS /mypath HTTP/1.1" 401 710 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"'
**Phase 2: Completed decoding.
decoder: 'web-accesslog'
srcip: '192.168.1.22'
url: '/mypath'
id: '401'
**Phase 3: Completed filtering (rules).
Rule id: '100103'
Level: '1'
Description: '(null)'
**Alert to be generated.
But at this point everything just repeats itself instead of hitting
my customized rule 100102. It never occurs, even after a hundred bad
requests.
Does someone have an explanation for this, or even better a solution?
Thanks in advance!
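As an added example (not OSSEC code and not from the poster), the per-host threshold the post is after, modelled in plain Python: parse the access-log line shown above, count 4xx responses per source IP inside a sliding 120-second window, and fire at frequency 10 by default or 20 on my_server. The regex, the hostnames and the sample lines are constructed for this example; it does not reproduce OSSEC's own frequency counting (the post observes 12 events for frequency 10), only the intended detection logic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined access-log line as shown in the post; this regex is constructed for the
# example and is not OSSEC's web-accesslog decoder.
LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<id>\d{3}) '
)

TIMEFRAME = 120                      # seconds, as in rule 31151
DEFAULT_FREQUENCY = 10               # rule 31151
HOST_FREQUENCY = {"my_server": 20}   # the weaker threshold the post wants for my_server

def parse(line):
    """Extract the fields the post's decoder output shows (srcip, url, id) plus the timestamp."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"srcip": m.group("srcip"), "url": m.group("url"), "id": m.group("id"), "ts": ts}

def scan_alerts(hostname, lines):
    """Return (line_index, srcip) for every 'multiple 4xx from same source ip' alert on this host."""
    frequency = HOST_FREQUENCY.get(hostname, DEFAULT_FREQUENCY)
    recent = defaultdict(deque)  # srcip -> timestamps of 4xx responses inside the timeframe
    alerts = []
    for i, line in enumerate(lines):
        ev = parse(line)
        if ev is None or not ev["id"].startswith("4"):  # rule 31101 only matches <id>^4</id>
            continue
        q = recent[ev["srcip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > TIMEFRAME:  # drop events older than the window
            q.popleft()
        if len(q) >= frequency:
            alerts.append((i, ev["srcip"]))
            q.clear()  # the next alert needs a fresh burst
    return alerts

def sample_lines(n, step=2):
    """Construct n+1 lines modelled on the post's event: n 401s from 192.168.1.22, `step`
    seconds apart, plus one 200 at position 5 to show non-4xx responses are not counted."""
    base = datetime(2011, 11, 11, 17, 8, 49)
    lines = []
    for i in range(n + 1):
        status = "200" if i == 5 else "401"
        ts = (base + timedelta(seconds=i * step)).strftime("%d/%b/%Y:%H:%M:%S") + " +0100"
        lines.append(f'192.168.1.22 - user [{ts}] "OPTIONS /mypath HTTP/1.1" {status} 710 "-" '
                     f'"Microsoft-WebDAV-MiniRedir/6.1.7601"')
    return lines
```

Running scan_alerts("my_server", sample_lines(20)) yields one alert at the 20th 4xx, while any other hostname yields two (at the 10th and 20th); spacing the same lines 30 seconds apart yields none, because the window never holds more than five.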