On Mon, Nov 14, 2011 at 7:58 AM, Oliver <[email protected]> wrote:
> I need help configuring my agents.
>
> My rules are working fine for most of our servers, but there are some
> exceptions to them. E.g. our development server cannot be handled as
> strictly as the production server.
>
> To explain the problem I will choose some of the problematic default
> rules:
>
> <rule id="31101" level="5">
>   <if_sid>31100</if_sid>
>   <id>^4</id>
>   <description>Web server 400 error code.</description>
> </rule>
>
> AND
>
> <rule id="31151" level="10" frequency="10" timeframe="120">
>   <if_matched_sid>31101</if_matched_sid>
>   <same_source_ip />
>   <description>Mutiple web server 400 error codes </description>
>   <description>from same source ip.</description>
>   <group>web_scan,recon,</group>
> </rule>
>
> These rules basically work fine. I get an email if someone is
> responsible for a 4xx error 12 times within 120 seconds. What I would
> like to do now is turn that rule OFF on a single server and override it
> with a weaker rule. So I did the following in local_rules.xml:
>
> <!-- we need to disable this rule first before overriding it -->
> <rule id="100103" level="0">
>   <if_sid>31151</if_sid>
>   <hostname>my_server</hostname>
> </rule>
>

So on my_server alert 31151 is triggered, which then triggers 100103, and
those log messages are discarded.

> <!-- WEAKEN standard rule on my_server -->
> <rule id="100102" level="10" frequency="20" timeframe="120">
>   <hostname>my_server</hostname>
>   <if_matched_sid>31101</if_matched_sid>
>   <same_source_ip />
>   <description>Mutiple web server 400 error codes </description>
>   <description>from same source ip.</description>
>   <group>web_scan,recon,</group>
> </rule>

They never make it to this rule. You probably need to have this rule in
the set before 31151.

> I would have thought that this has to work, but as long as the
> frequency in the last rule is higher than in rule 31151, ossec-logtest
> does not work. After 12 occurrences it will just fire:
>
> 192.168.1.22 - user [11/Nov/2011:17:08:49 +0100] "OPTIONS /mypath HTTP/1.1" 401 710 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
>
> **Phase 1: Completed pre-decoding.
>        full event: '192.168.1.22 - user [11/Nov/2011:17:08:49 +0100] "OPTIONS /mypath HTTP/1.1" 401 710 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"'
>        hostname: 'my_server'
>        program_name: '(null)'
>        log: '192.168.1.22 - user [11/Nov/2011:17:08:49 +0100] "OPTIONS /mypath HTTP/1.1" 401 710 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"'
>
> **Phase 2: Completed decoding.
>        decoder: 'web-accesslog'
>        srcip: '192.168.1.22'
>        url: '/mypath'
>        id: '401'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100103'
>        Level: '1'
>        Description: '(null)'
> **Alert to be generated.
>
> But at this point everything just repeats itself instead of hitting
> my customized rule 100102. It never occurs, even after a hundred bad
> requests.
>
> Does someone have an explanation for this, or even better a solution?
>
> thnx in advance!
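An added check for the load-order problem the reply points at. This is example code written for this page, not OSSEC's own code and not from either poster. It parses the rule fragments Oliver posted (reconstructed inline, with the split <description> joined) and assumes exactly what the reply states: sibling rules under the same <if_matched_sid> parent are tried in load order, and the first one whose threshold is met wins, so a host-specific override loaded after a stricter sibling is never reached. The helper names parse_rules, shadowed_overrides and silencers, the comments inside the fragments, and the two load orders are mine; the rule ids and the host name my_server come from the thread.

```python
"""Rule-order check for the override problem in this thread.

Added example, not OSSEC code. Assumption (from the reply above): siblings
sharing an <if_matched_sid> parent are tried in load order, first match
wins. The fragments below are rebuilt from the rules Oliver posted.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    id: int
    level: int
    if_sid: Optional[int]
    if_matched_sid: Optional[int]
    frequency: Optional[int]
    hostname: Optional[str]
    order: int  # position in load order, which is what matters here


def parse_rules(xml_text: str) -> list:
    """Parse OSSEC-style <rule> fragments (several roots allowed) in load order."""
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = []
    for order, el in enumerate(root.iter("rule")):
        def child_int(tag):
            node = el.find(tag)
            return int(node.text) if node is not None and node.text else None
        host = el.find("hostname")
        freq = el.get("frequency")
        rules.append(Rule(
            id=int(el.get("id")),
            level=int(el.get("level", "0")),
            if_sid=child_int("if_sid"),
            if_matched_sid=child_int("if_matched_sid"),
            frequency=int(freq) if freq else None,
            hostname=host.text.strip() if host is not None and host.text else None,
            order=order,
        ))
    return rules


def shadowed_overrides(rules) -> list:
    """(override_id, shadowing_id) pairs.

    An override is a hostname-qualified composite rule. A sibling loaded
    earlier that applies to every host and needs no more matches (lower or
    equal frequency) reaches its threshold first and fires, so the override
    is never tried: the 31151 / 100102 situation in the thread.
    """
    found = []
    for r in rules:
        if r.hostname is None or r.if_matched_sid is None or r.frequency is None:
            continue
        for s in rules:
            if s is r or s.hostname is not None or s.if_matched_sid != r.if_matched_sid:
                continue
            if s.order < r.order and (s.frequency or 1) <= r.frequency:
                found.append((r.id, s.id))
    return found


def silencers(rules) -> list:
    """(rule_id, silenced_sid, hostname) for level-0 rules hung off a parent."""
    return [(r.id, r.if_sid, r.hostname)
            for r in rules if r.level == 0 and r.if_sid is not None]


# --- constructed rule fragments, rebuilt from the thread -------------------
R_31101 = """
<rule id="31101" level="5">
  <if_sid>31100</if_sid>
  <id>^4</id>
  <description>Web server 400 error code.</description>
</rule>
"""
R_31151 = """
<rule id="31151" level="10" frequency="10" timeframe="120">
  <if_matched_sid>31101</if_matched_sid>
  <same_source_ip />
  <description>Multiple web server 400 error codes from same source ip.</description>
  <group>web_scan,recon,</group>
</rule>
"""
R_100103 = """
<!-- disable 31151 on my_server -->
<rule id="100103" level="0">
  <if_sid>31151</if_sid>
  <hostname>my_server</hostname>
</rule>
"""
R_100102 = """
<!-- weaker copy of 31151 for my_server -->
<rule id="100102" level="10" frequency="20" timeframe="120">
  <hostname>my_server</hostname>
  <if_matched_sid>31101</if_matched_sid>
  <same_source_ip />
  <description>Multiple web server 400 error codes from same source ip.</description>
  <group>web_scan,recon,</group>
</rule>
"""

# Load order as posted: default rules first, local_rules.xml appended after.
POSTED_ORDER = R_31101 + R_31151 + R_100103 + R_100102
# Load order the reply suggests: the weaker rule ahead of 31151.
REORDERED = R_31101 + R_100102 + R_31151 + R_100103

if __name__ == "__main__":
    print("as posted :", shadowed_overrides(parse_rules(POSTED_ORDER)))
    print("reordered :", shadowed_overrides(parse_rules(REORDERED)))
    print("silencers :", silencers(parse_rules(POSTED_ORDER)))
```

Run as-is it reports (100102, 31151) for the posted order and nothing for the reordered one. Two caveats: load order in OSSEC follows the <include> order of the <rules> block in ossec.conf, so "before 31151" means listing the file holding 100102 ahead of web_rules.xml, not just editing local_rules.xml; and the check reasons about order only. It does not model event counting, so it cannot say what 31151 (still unqualified by host after the reorder) does on my_server once its own threshold is reached while 100102 is still counting; that is still the job of the level-0 rule 100103, which silencers() lists.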
