On Thu, Dec 19, 2013 at 11:25 AM, Janelle <[email protected]> wrote:
> Verified from archives.log -- (it was already enabled) and it still fires
> with ossec-logtest, but not when running LIVE. This is so strange.
>
> Here is the generic info:
>
> **Phase 1: Completed pre-decoding.
>        full event: '2013-11-22T16:11:03.284334+00:00 server_name_in_cdb sshd[25855]: Accepted password for dummy_user from 1.2.3.4 port 36303 ssh2'
>        hostname: 'server_name_in_cdb'
>        program_name: 'sshd'
>        log: 'Accepted password for dummy_user from 1.2.3.4 port 36303 ssh2'
>
> **Phase 2: Completed decoding.
>        decoder: 'sshd'
>        dstuser: 'dummy_user'
>        srcip: '1.2.3.4'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '111717'
>        Level: '13'
>        Description: 'DMZ System - SSHD password success.'
> **Alert to be generated.
>
> and the rule: (in local_rules.xml)
>
> <rule id="111717" level="13">
>   <if_sid>5700</if_sid>

Does it work if you change the if_sid to 5715?

>   <list field="hostname" lookup="match_key">lists/dmz</list>
>   <match>^Accepted password|authenticated.$</match>
>   <description>DMZ System - SSHD password success.</description>
>   <group>authentication_success,</group>
> </rule>
>
> But in production (same server obviously), the rule that keeps firing is the
> regular 5715 (in sshd_rules.xml) —
>
> <rule id="5715" level="3">
>   <if_sid>5700</if_sid>
>   <match>^Accepted|authenticated.$</match>
>   <description>SSHD authentication success.</description>
>   <group>authentication_success,</group>
> </rule>
>
> Any other suggestions?
>
> On Thursday, December 19, 2013 7:25:26 AM UTC-8, dan (ddpbsd) wrote:
>>
>> On Thu, Dec 19, 2013 at 10:07 AM, Janelle <[email protected]> wrote:
>> > Hello,
>> >
>> > I was wondering if anyone has any idea how -- when passing a log entry
>> > through ossec-logtest the correct rule fires. However, a restart of ossec
>> > never catches the rule. Even a subsequent logtest run shows the correct rule
>> > still fires, but not "live"?
>> >
>> > Any ideas on what to look for?
>> >
>>
>> Make sure the log message looks the same to OSSEC as the log message
>> you are testing with. You can turn the log all option on in the OSSEC
>> server (this does add a header to the log entry in archives.log, but
>> that's easy to strip).
>>
>> > thanks
>> > ~J
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
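The following is an added example, not code from the thread or from OSSEC. It models dan's first suggestion (make the line OSSEC sees live look exactly like the one fed to ossec-logtest) together with the `lookup="match_key"` check in rule 111717: it strips an archives.log `<logall>` header, pre-decodes the syslog line into hostname/program_name/log, and runs the two rules quoted in the thread against the fields, reporting why the custom rule is skipped when the hostname is not a key in `lists/dmz`. Assumptions are labelled in the comments: the archives.log header layout, the simplification that sibling rules are tried highest level first, the constructed `lists/dmz` source, and the FQDN-hostname scenario used to illustrate a live line that differs from the tested one (the thread does not say that this was the actual cause).

```python
import re

# Constructed CDB list source for lists/dmz (assumption: not the poster's real list).
# OSSEC list source files are "key:value" lines compiled with ossec-makelists.
DMZ_LIST_SOURCE = """\
server_name_in_cdb:dmz web tier
bastion01:dmz jump host
"""


def load_cdb_keys(source):
    """Return the set of keys; lookup="match_key" succeeds when the field value is one of them."""
    keys = set()
    for line in source.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.add(line.partition(":")[0])
    return keys


# Assumed layout of an archives.log entry written with <logall>yes</logall>:
# "YYYY Mon DD HH:MM:SS (agent) ip->location <line as received>"; server-local
# logs carry "hostname->location" instead of "(agent) ip->location".
ARCHIVE_HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} (?:\([^)]*\) \S+|\S+)->\S+ "
)

# Pre-decoding of a syslog line: timestamp (ISO 8601 or traditional), hostname, program[pid]: log.
SYSLOG_LINE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2}T\S+|[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def strip_archive_header(line):
    """Remove the archives.log prefix so the line matches what ossec-logtest was given."""
    return ARCHIVE_HEADER.sub("", line, count=1)


def predecode(line):
    """Return the pre-decoded fields (hostname, program_name, log) or None if the line is not syslog."""
    m = SYSLOG_LINE.match(strip_archive_header(line))
    return m.groupdict() if m else None


# The two rules quoted in the thread (5715 from sshd_rules.xml, 111717 from local_rules.xml),
# as a simplified evaluator sees them: both hang off 5700, and "list_field" stands in for
# <list field="hostname" lookup="match_key">lists/dmz</list>.
RULES = [
    {"id": "5715", "level": 3, "if_sid": "5700", "match": r"^Accepted|authenticated\.$"},
    {"id": "111717", "level": 13, "if_sid": "5700",
     "match": r"^Accepted password|authenticated\.$", "list_field": "hostname"},
]


def first_matching_rule(line, list_keys, rules=RULES):
    """Return (rule id or None, diagnostic notes).

    Simplification (assumption about analysisd ordering): children of the same parent are
    tried highest level first, so a failed list lookup on 111717 falls through to 5715.
    """
    notes = []
    fields = predecode(line)
    if fields is None or fields["program_name"] != "sshd":  # stands in for the sshd decoder
        return None, ["not an sshd syslog line"]
    for rule in sorted(rules, key=lambda r: -r["level"]):
        if not re.search(rule["match"], fields["log"]):
            continue
        field = rule.get("list_field")
        if field and fields[field] not in list_keys:
            notes.append(f"rule {rule['id']}: {field} '{fields[field]}' is not a key in the list")
            continue
        return rule["id"], notes
    return None, notes


if __name__ == "__main__":
    keys = load_cdb_keys(DMZ_LIST_SOURCE)
    tested = ("2013-11-22T16:11:03.284334+00:00 server_name_in_cdb sshd[25855]: "
              "Accepted password for dummy_user from 1.2.3.4 port 36303 ssh2")
    # Constructed live line: same event, but the host logged its FQDN (assumption for illustration).
    live = tested.replace("server_name_in_cdb ", "server_name_in_cdb.example.com ")
    for label, line in (("logtest", tested), ("live", live)):
        print(label, first_matching_rule(line, keys))
```

Feed it the archives.log line and the ossec-logtest line side by side: if `predecode()` returns different hostname or log fields for the two, the list lookup (or the `<match>`) is seeing different input live than in the test, which is the discrepancy dan's advice is meant to expose.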
