On Fri, Mar 15, 2013 at 12:27 PM, Charles Bailey <[email protected]> wrote:
> I appreciate all the help. OSSEC has a big learning curve, but I think I'm
> making progress.
>
> OK, I have another issue. I have Piwik installed, and every time Piwik gets
> a 'hit', I get a warning in OSSEC. I googled it, and found 3 rules that
> should help:
>
> <rule id="31164" level="3">
>   <if_sid>31100</if_sid>
>   <url>/piwik/index.php?module=CoreHome&action=</url>
>   <description>Login attempt</description>
>   <group>piwik_login_attempt,</group>
> </rule>
>
> <rule id="31165" level="8" frequency="5" timeframe="60">
>   <if_sid>31100</if_sid>
>   <if_matched_group>piwik_login_attempt</if_matched_group>
>   <description>too many Login attempts</description>
> </rule>
>
> <rule id="SOMETHING" level="0">

You did put a real id in there in place of the "SOMETHING", correct?

>   <if_sid>31106</if_sid>
>   <match>Form%20</match>
>   <description>Ignore Form%20</description>
> </rule>
>
> Problem is, when I put any of them in my web_rules.xml, OSSEC's status (from

That's a bad idea. You should add custom rules to local_rules.xml.
web_rules.xml will get overwritten during an upgrade.

> the web interface) turns red, and says 'Inactive'. Of course, it doesn't log
> anything in this state. Do these rules somehow break OSSEC?
>

Did you check ossec.log? That generally gives you more information.

Did you run "ossec-logtest -t"? That checks the rules to make sure they
won't break OSSEC.

> --
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
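An added pre-flight check, not from the thread and not OSSEC's own code: a small Python lint that runs over a rule fragment before it goes into local_rules.xml, catching the kind of problem the reply asks about (a placeholder left in an id, a bare "&" that strict XML rejects, frequency without timeframe or without an if_matched_* condition, ids outside the 100000-119999 range the OSSEC documentation reserves for local rules). It assumes OSSEC's rule syntax is close enough to XML for Python's parser to be a useful approximation, which is an assumption; OSSEC uses its own parser, so "ossec-logtest -t" on the real install stays the authoritative check. The two sample fragments are constructed from the three rules quoted above.

```python
"""Pre-flight lint for an OSSEC rules fragment destined for local_rules.xml.

Added example, not OSSEC code. OSSEC parses rules with its own XML-like
parser, so every check here is an approximation (assumption): strict XML
well-formedness, numeric ids in the local range, level 0-16, a description,
and the frequency/timeframe/if_matched_* pairing. Run `ossec-logtest -t`
on the install for the authoritative answer.
"""
import re
import xml.etree.ElementTree as ET

# Range reserved for custom rules per the OSSEC rules documentation (assumption).
LOCAL_ID_MIN, LOCAL_ID_MAX = 100000, 119999

# A '&' not followed by an XML entity reference.
_BARE_AMP = re.compile(r"&(?!(?:amp|lt|gt|quot|apos|#\d+|#x[0-9A-Fa-f]+);)")
_CONTEXT_TAGS = ("if_matched_sid", "if_matched_group", "if_matched_regex")


def lint_rules(fragment: str) -> list[str]:
    """Return a list of findings for the fragment; an empty list means nothing was flagged."""
    findings = []
    if _BARE_AMP.search(fragment):
        findings.append("bare '&' in rule body; strict XML expects '&amp;'")
        # Escape it so the remaining checks can still run.
        fragment = _BARE_AMP.sub("&amp;", fragment)
    try:
        root = ET.fromstring(f"<group name=\"local,\">{fragment}</group>")
    except ET.ParseError as exc:
        findings.append(f"not well-formed XML: {exc}")
        return findings

    seen = set()
    for rule in root.iter("rule"):
        rid = rule.get("id", "")
        where = f"rule id={rid!r}"
        if not rid.isdigit():
            findings.append(f"{where}: id must be numeric (placeholder left in?)")
        else:
            if rid in seen:
                findings.append(f"{where}: duplicate id in this fragment")
            seen.add(rid)
            if not LOCAL_ID_MIN <= int(rid) <= LOCAL_ID_MAX:
                findings.append(f"{where}: id outside local range "
                                f"{LOCAL_ID_MIN}-{LOCAL_ID_MAX}; may collide with a shipped rule")
        level = rule.get("level", "")
        if not level.isdigit() or not 0 <= int(level) <= 16:
            findings.append(f"{where}: level must be 0-16")
        if rule.find("description") is None:
            findings.append(f"{where}: missing <description>")
        has_freq = rule.get("frequency") is not None
        has_tf = rule.get("timeframe") is not None
        has_ctx = any(rule.find(tag) is not None for tag in _CONTEXT_TAGS)
        if has_freq != has_tf:
            findings.append(f"{where}: frequency and timeframe go together")
        if has_freq != has_ctx:
            findings.append(f"{where}: frequency requires an if_matched_* condition, and vice versa")
        for tag in ("if_sid", "if_matched_sid"):
            for ref in rule.findall(tag):
                for sid in (ref.text or "").split(","):
                    sid = sid.strip()
                    if sid and not sid.isdigit():
                        findings.append(f"{where}: <{tag}> value {sid!r} is not numeric")
    return findings


# Constructed sample: the three rules as posted in the thread (bare '&', placeholder id).
POSTED_FRAGMENT = """
<rule id="31164" level="3">
  <if_sid>31100</if_sid>
  <url>/piwik/index.php?module=CoreHome&action=</url>
  <description>Login attempt</description>
  <group>piwik_login_attempt,</group>
</rule>
<rule id="31165" level="8" frequency="5" timeframe="60">
  <if_sid>31100</if_sid>
  <if_matched_group>piwik_login_attempt</if_matched_group>
  <description>too many Login attempts</description>
</rule>
<rule id="SOMETHING" level="0">
  <if_sid>31106</if_sid>
  <match>Form%20</match>
  <description>Ignore Form%20</description>
</rule>
"""

# Constructed sample: same rules with ids in the local range and the '&' escaped.
FIXED_FRAGMENT = POSTED_FRAGMENT.replace('id="31164"', 'id="100100"') \
                                .replace('id="31165"', 'id="100101"') \
                                .replace('id="SOMETHING"', 'id="100102"') \
                                .replace("CoreHome&action", "CoreHome&amp;action")

if __name__ == "__main__":
    for name, frag in (("posted", POSTED_FRAGMENT), ("fixed", FIXED_FRAGMENT)):
        print(f"== {name} ==")
        for finding in lint_rules(frag) or ["no findings"]:
            print("  " + finding)
```

Run it on the fragment you intend to add; the "posted" sample reports the bare "&", the two ids below 100000 and the non-numeric placeholder, while the "fixed" sample comes back clean. A clean result here only means the fragment is worth handing to "ossec-logtest -t"; it does not replace that step.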
