Verified from archives.log -- (it was already enabled) and it still fires 
with ossec-logtest, but not when running LIVE. This is so strange.

Here is the generic info:

**Phase 1: Completed pre-decoding.

       full event: '2013-11-22T16:11:03.284334+00:00 server_name_in_cdb sshd[25855]: Accepted password for dummy_user from 1.2.3.4 port 36303 ssh2'

       hostname: 'server_name_in_cdb'

       program_name: 'sshd'

       log: 'Accepted password for dummy_user from 1.2.3.4 port 36303 ssh2'


**Phase 2: Completed decoding.

       decoder: 'sshd'

       dstuser: 'dummy_user'

       srcip: '1.2.3.4'


**Phase 3: Completed filtering (rules).

       Rule id: '111717'

       Level: '13'

       Description: 'DMZ System - SSHD password success.'

**Alert to be generated.



and the rule: (in local_rules.xml)


  <rule id="111717" level="13">
    <if_sid>5700</if_sid>
    <list field="hostname" lookup="match_key">lists/dmz</list>
    <match>^Accepted password|authenticated.$</match>
    <description>DMZ System - SSHD password success.</description>
    <group>authentication_success,</group>
  </rule>



But in production (same server obviously), the rule that keeps firing is 
the regular 5715 (in sshd_rules.xml) — 


  <rule id="5715" level="3">
    <if_sid>5700</if_sid>
    <match>^Accepted|authenticated.$</match>
    <description>SSHD authentication success.</description>
    <group>authentication_success,</group>
  </rule>


Any other suggestions?

On Thursday, December 19, 2013 7:25:26 AM UTC-8, dan (ddpbsd) wrote:
>
> On Thu, Dec 19, 2013 at 10:07 AM, Janelle <[email protected]> wrote: 
> > Hello, 
> > 
> > I was wondering if anyone has any idea how -- when passing a log entry 
> > through ossec-logtest the correct rule fires. However, a restart of ossec 
> > never catches the rule. Even a subsequent logtest run shows the correct rule 
> > still fires, but not "live"? 
> > 
> > Any ideas on what to look for? 
> > 
>
> Make sure the log message looks the same to OSSEC as the log message 
> you are testing with. You can turn the log all option on in the OSSEC 
> server (this does add a header to the log entry in archives.log, but 
> that's easy to strip). 
>
> > thanks 
> > ~J 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to [email protected]. 
> > For more options, visit https://groups.google.com/groups/opt_out. 
>

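As an added illustration (not part of the thread, and not OSSEC's own code): a small Python simulation of how only one child of 5700 wins for a given event, using the two rules posted above. It assumes the higher-level rule is checked first (the order ossec-logtest showed), approximates OSSEC's `<match>` syntax with Python regexes, and stands in for lists/dmz with a constructed key set. The "live" event is a hypothesis, not a fact from the thread: it supposes the hostname reaches analysisd in a different form (here an FQDN with a placeholder domain) than the key in the list, which is exactly the kind of difference the archives.log comparison dan suggested is meant to surface. When the match_key lookup misses, the DMZ rule is skipped and the generic 5715 fires; the `diagnose` helper reports which variant of the hostname would have matched.

```python
import re

# Constructed stand-in for the CDB list lists/dmz. With lookup="match_key"
# OSSEC only asks whether the field value exists as a key, so a set of keys
# is enough here. The real list contents are not in the thread; this key is
# an assumption.
DMZ_KEYS = {"server_name_in_cdb"}

# OSSEC <match> is a simple pattern syntax (^ anchors the start, $ the end,
# | separates alternatives, other characters are literal). These regexes
# approximate the two patterns from the thread. The simulation checks the
# higher-level rule first, which is the order ossec-logtest showed above.
RULES = [
    {"id": "111717", "level": 13,
     "match": re.compile(r"^Accepted password|authenticated\.$"),
     "list_field": "hostname", "list": DMZ_KEYS,
     "description": "DMZ System - SSHD password success."},
    {"id": "5715", "level": 3,
     "match": re.compile(r"^Accepted|authenticated\.$"),
     "list_field": None, "list": None,
     "description": "SSHD authentication success."},
]


def evaluate(event):
    """Return the first rule whose <match> and <list> conditions all hold.

    Only one child of 5700 wins for a given event, so the first hit is the
    rule that would alert; None means neither of the two rules matched."""
    for rule in RULES:
        if not rule["match"].search(event["log"]):
            continue
        if rule["list_field"] is not None:
            # match_key: exact key lookup, nothing is normalised
            if event.get(rule["list_field"], "") not in rule["list"]:
                continue
        return rule
    return None


def hostname_variants(hostname):
    """Forms of a hostname that commonly differ between a line pasted into
    ossec-logtest and what the server receives: case, and FQDN vs short name."""
    short = hostname.split(".", 1)[0]
    return {hostname, hostname.lower(), short, short.lower()}


def diagnose(event):
    """For a list miss, report which variants of the event's hostname would
    have matched a key in the DMZ list (an empty list means none would)."""
    return sorted(v for v in hostname_variants(event["hostname"]) if v in DMZ_KEYS)


LOG = "Accepted password for dummy_user from 1.2.3.4 port 36303 ssh2"

# Constructed: the line as pasted into ossec-logtest, hostname exactly as in the list.
LOGTEST_EVENT = {"hostname": "server_name_in_cdb", "log": LOG}

# Constructed hypothesis: live, the hostname reaches analysisd as an FQDN
# (example.com is a placeholder domain), which is not a key in the list.
LIVE_EVENT = {"hostname": "server_name_in_cdb.example.com", "log": LOG}

if __name__ == "__main__":
    for name, event in (("logtest", LOGTEST_EVENT), ("live", LIVE_EVENT)):
        rule = evaluate(event)
        print(f"{name:8s} hostname={event['hostname']!r} -> rule {rule['id']} "
              f"level {rule['level']}: {rule['description']}")
        if rule["id"] != "111717":
            print(f"         list miss; keys that would match: {diagnose(event)}")
```

Running it prints 111717 for the logtest event and 5715 for the live one, with `server_name_in_cdb` reported as the key that would have matched. The same check, run over the hostname field of a stripped archives.log line, tells you whether the list key or the decoded hostname is the side that needs changing.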