Yes, and it works ... when I use an IP address but not when I use CIDR
notation. Reading the documentation, subnets need to be defined like
this:

74.115.28.:rbn

But RBN IPs come as single addresses and in CIDR notation in the
same file ... So I need to do a lot of shell scripting to configure
these RBN IPs ...


On Tue, Apr 3, 2012 at 3:34 PM, dan (ddp) <[email protected]> wrote:
> Check the documentation. I thought CIDRs were represented differently.
> Are you using address_match_key?
>
> On Apr 3, 2012 9:27 AM, "C. L. Martinez" <[email protected]> wrote:
>>
>> Yes, I have tried, but I don't see where the problem is ...
>>
>> At this moment I am trying a cdb list and it works OK ... but
>> only if I use an IP address and not a subnet address. For example:
>>
>> 109.73.106.2:rbn --- this works; the alert is triggered like it does using
>> a simple rule
>> 109.94.208.0/20:rbn -- this doesn't work (using for example
>> 109.94.208.1 as a srcip or dstip); when using a simple rule it works
>> ...
>>
>> Do subnets defined as a key work??
>>
>>
>> On Tue, Apr 3, 2012 at 3:09 PM, dan (ddp) <[email protected]> wrote:
>> > Try running everything in debug mode, and maybe run analysisd in gdb.
>> > Also, have you tried removing the new rule to see if that fixes it?
>> >
>> > On Apr 3, 2012 8:44 AM, "C. L. Martinez" <[email protected]> wrote:
>> >>
>> >> It seems that some type of limit exists when IP lists are used ... I
>> >> have recreated my custom rule file using only one sid inside the if_sid
>> >> option, and it doesn't work either:
>> >>
>> >> 2012/04/03 11:15:23 ossec-analysisd: INFO: Reading rules file:
>> >> 'my_rbn_rules.xml'
>> >> 2012/04/03 11:15:23 ossec-remoted: INFO: Started (pid: 1857).
>> >> 2012/04/03 11:15:26 ossec-remoted(1210): ERROR: Queue
>> >> '/queue/ossec/queue' not accessible: 'Connection refused'.
>> >> 2012/04/03 11:15:26 ossec-remoted(1211): ERROR: Unable to access
>> >> queue: '/queue/ossec/queue'. Giving up..
>> >> 2012/04/03 11:15:26 ossec-syscheckd(1210): ERROR: Queue
>> >> '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> >> 2012/04/03 11:15:26 ossec-rootcheck(1210): ERROR: Queue
>> >> '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> >> 2012/04/03 11:15:32 ossec-logcollector(1210): ERROR: Queue
>> >> '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> >> 2012/04/03 11:15:32 ossec-logcollector(1211): ERROR: Unable to access
>> >> queue: '/data/ossec/queue/ossec/queue'. Giving up..
>> >> 2012/04/03 11:15:34 ossec-syscheckd(1210): ERROR: Queue
>> >> '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> >> 2012/04/03 11:15:34 ossec-rootcheck(1210): ERROR: Queue
>> >> '/data/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>> >>
>> >> Is this a bug??
>> >>
>> >> On Tue, Apr 3, 2012 at 8:30 AM, C. L. Martinez <[email protected]>
>> >> wrote:
>> >> > Doesn't show anything strange:
>> >> >
>> >> > [root@srvtest bin]# /data/ossec/bin/ossec-logtest -t
>> >> > 2012/04/03 06:29:28 ossec-testrule: INFO: Reading local decoder file.
>> >> > [root@srvtest bin]#
>> >> >
>> >> > On Mon, Apr 2, 2012 at 5:30 PM, dan (ddp) <[email protected]> wrote:
>> >> >> /var/ossec/bin/logtest -t
>> >> >>
>> >> >> Try troubleshooting the issue.
>> >> >>
>> >> >> On Apr 2, 2012 6:31 AM, "C. L. Martinez" <[email protected]>
>> >> >> wrote:
>> >> >>>
>> >> >>> Hi all,
>> >> >>>
>> >> >>> I have a strange problem. I have defined a custom rule to trigger an
>> >> >>> alert when an RBN IP comes as a srcip in my log file. For example:
>> >> >>>
>> >> >>> <group name="rbn,">
>> >> >>>  <rule id="110008" level="14">
>> >> >>>    <if_sid>100202,100203,100201</if_sid>
>> >> >>>    <srcip>108.60.159.33</srcip>
>> >> >>>    <description>Connection from RBN IP</description>
>> >> >>>  </rule>
>> >> >>> </group>
>> >> >>>
>> >> >>> When I try to load this type of rule, this error occurs:
>> >> >>>
>> >> >>>  2012/04/02 07:47:27 ossec-analysisd: INFO: Reading rules file:
>> >> >>> 'my_rbn_rules.xml'
>> >> >>> 2012/04/02 07:47:27 ossec-remoted: INFO: Started (pid: 6387).
>> >> >>> 2012/04/02 07:47:27 ossec-remoted: Remote syslog allowed from:
>> >> >>> '192.168.44.0/24'
>> >> >>> 2012/04/02 07:47:27 ossec-remoted: INFO: Started (pid: 6389).
>> >> >>> 2012/04/02 07:47:30 ossec-syscheckd(1210): ERROR: Queue
>> >> >>> '/data/ossec/queue/ossec/queue' not accessible: 'Connection
>> >> >>> refused'.
>> >> >>> 2012/04/02 07:47:30 ossec-rootcheck(1210): ERROR: Queue
>> >> >>> '/data/ossec/queue/ossec/queue' not accessible: 'Connection
>> >> >>> refused'.
>> >> >>> 2012/04/02 07:47:30 ossec-remoted(1210): ERROR: Queue
>> >> >>> '/queue/ossec/queue' not accessible: 'Connection refused'.
>> >> >>> 2012/04/02 07:47:30 ossec-remoted(1211): ERROR: Unable to access
>> >> >>> queue: '/queue/ossec/queue'. Giving up..
>> >> >>> 2012/04/02 07:47:32 ossec-analysisd: INFO: Reading rules file:
>> >> >>> 'my_dshield_rules.xml'
>> >> >>> 2012/04/02 07:47:32 ossec-analysisd: INFO: Reading rules file:
>> >> >>> 'ossec_rules.xml'
>> >> >>>
>> >> >>> But it is really strange, because I have another rule file
>> >> >>> (my_dshield_rules.xml) configured like the previous one, and this doesn't
>> >> >>> return any error .... Where is the problem??
>> >> >>>
>> >> >>> Thanks.
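One way to do the conversion the latest message in this thread describes, as an added example that is not part of the thread or of OSSEC: a Python script (instead of the shell scripting mentioned) that turns a feed mixing single hosts and CIDR blocks into the trailing-dot prefix keys the cdb list documentation expects, expanding a non-octet-aligned block such as 109.94.208.0/20 into the sixteen /24 prefixes it covers. The trailing-dot key form and the `rbn` value come from the thread; the function names `cidr_to_cdb_keys` and `feed_to_cdb`, the `SAMPLE_FEED` contents and the IPv4-only restriction are this example's own assumptions.

```python
# Added example (not from the thread): expand a mixed RBN feed of single IPs
# and CIDR blocks into OSSEC cdb list keys of the "prefix.:value" form the
# documentation describes (e.g. 74.115.28.:rbn). Assumes IPv4 only.
import ipaddress

# Prefix lengths a cdb key can express: a trailing-dot octet prefix or a host.
ALIGNED = (8, 16, 24, 32)


def cidr_to_cdb_keys(entry, value="rbn"):
    """Return the cdb lines covering one feed entry (host or CIDR).

    A /8, /16 or /24 becomes one trailing-dot prefix; any other length is
    expanded to the covering set of the next octet-aligned prefixes, so a
    /20 yields sixteen /24 keys. Every key lies inside the original block,
    so the expansion matches nothing the feed did not list.
    """
    net = ipaddress.ip_network(entry.strip(), strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 entries are supported: %s" % entry)
    target = min(a for a in ALIGNED if a >= net.prefixlen)
    keys = []
    for sub in net.subnets(new_prefix=target):
        octets = str(sub.network_address).split(".")
        if target == 32:
            key = ".".join(octets)                       # single host
        else:
            key = ".".join(octets[: target // 8]) + "."  # subnet prefix
        keys.append("%s:%s" % (key, value))
    return keys


def feed_to_cdb(text, value="rbn"):
    """Convert a whole feed ('#' comments and blank lines allowed) into
    de-duplicated cdb lines ready to be compiled with ossec-makelists."""
    seen, out = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            for key in cidr_to_cdb_keys(line, value):
                if key not in seen:
                    seen.add(key)
                    out.append(key)
    return out

# Constructed sample feed mixing the two forms seen in the thread.
SAMPLE_FEED = "# constructed\n109.73.106.2\n109.94.208.0/20\n74.115.28.0/24\n"

if __name__ == "__main__":
    print("\n".join(feed_to_cdb(SAMPLE_FEED)))
```

With the /20 expanded this way, a lookup on 109.94.208.1 matches the key `109.94.208.:rbn`, which is the case the thread reports as failing when the block is written in CIDR form.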
