On Tue, Dec 24, 2013 at 10:44 AM, <[email protected]> wrote:
> Yes, that was the question.
>
> For the benefit of all, if you can find the time to specify something like
> that on the page where they appear, it will make the manual that much
> better. It's already very good, but a little info like that makes a lot of
> difference.
>

I'm pretty sure that's covered in the pages on rule creation.

> Now that I know where those two items go, I'll give it a try and report
> back.
>
> Thanks,
>
> --
> finid
>
> On 2013-12-24 15:13, dan (ddp) wrote:
>>
>> On Tue, Dec 24, 2013 at 9:36 AM, <[email protected]> wrote:
>>>
>>> I threw everything inside ossec.conf.
>>>
>>> Were they supposed to go in different files?
>>>
>>
>> What? The <localfile> block goes in the /var/ossec/etc/ossec.conf and
>> the <rule> goes into a rules file (probably
>> /var/ossec/rules/local_rules.xml). Is that what you were asking?
>>
>>> --
>>> finid
>>>
>>> On 2013-12-24 14:15, dan (ddp) wrote:
>>>>
>>>> On Tue, Dec 24, 2013 at 8:22 AM, <[email protected]> wrote:
>>>>>
>>>>> For those new to OSSEC, the official doc should be corrected, because
>>>>> that's how the single quotes are on there. Notice that the closing
>>>>> single quote is after the closing rule tag (</rule>').
>>>>>
>>>>
>>>> Yes, that's an obvious typo. I've corrected it, and will push a new
>>>> copy of the docs sometime after the holiday.
>>>> I'll also try to add a bit about aliases, since that's not in that
>>>> document. Using commands without aliases is barbaric.
>>>>
>>>>> But I corrected that and made a number of other changes, but it still
>>>>> failed.
>>>>>
>>>>> The doc I'm referring to is at http://ur1.ca/g8avy, under "Alerting
>>>>> when output of a command changes."
>>>>>
>>>>> The specific entry is:
>>>>> ===
>>>>> <localfile>
>>>>> <log_format>full_command</log_format>
>>>>> <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
>>>>> </localfile>
>>>>>
>>>>> After that, I add a rule to alert when its output changes:
>>>>>
>>>>
>>>> Where did you add this rule? Is it between the '<group
>>>> name="local,syslog,">' and '</group>' in
>>>> /var/ossec/rules/local_rules.xml?
>>>> The following rule worked perfectly for me, so I think we'll need more
>>>> information to determine what you've done incorrectly.
>>>>
>>>>> <rule id="140123" level="7">
>>>>> <if_sid>530</if_sid>
>>>>> <match>ossec: output: 'netstat -tan |grep LISTEN</match>
>>>>> <check_diff />
>>>>> <description>Listened ports have changed.</description>
>>>>> </rule>'
>>>>> ===
>>>>>
>>>>> When I put that in ossec.conf and restarted OSSEC, the output was:
>>>>>
>>>>> "OSSEC analysisd: Testing rules failed. Configuration error. Exiting."
>>>>>
>>>>> And from the error logs:
>>>>>
>>>>> ===
>>>>> ERROR: Invalid element in the configuration: 'rule'.
>>>>> ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
>>>>> ossec-testrule(1202): ERROR: Configuration error at
>>>>> '/var/ossec/etc/ossec.conf'. Exiting.
>>>>> ===
>>>>>
>>>>> So, what is in the "rule" above that's not valid?
>>>>>
>>>>> TIA,
>>>>>
>>>>> --
>>>>> finid
>>>>>
>>>>> On 2013-12-24 10:12, ossec_user wrote:
>>>>>>
>>>>>> It would be better if you paste the configuration error message you
>>>>>> are receiving. I guess the closing quote mark is missing in the
>>>>>> <match> tag. It should be
>>>>>> <match>ossec: output: 'netstat -tan | grep LISTEN'</match>
>>>>>>
>>>>>> On Saturday, December 21, 2013 10:24:16 AM UTC+5, finid wrote:
>>>>>>
>>>>>>> The rule below is from http://ur1.ca/g8avy [1]. It causes a
>>>>>>> configuration error when I use it in ossec.conf. What could be the
>>>>>>> problem?
>>>>>>>
>>>>>>> <rule id="140123" level="7">
>>>>>>> <if_sid>530</if_sid>
>>>>>>> <match>ossec: output: 'netstat -tan |grep LISTEN</match>
>>>>>>> <check_diff />
>>>>>>> <description>Listened ports have changed.</description>
>>>>>>> </rule>'
>>>>>>>
>>>>>>> TIA,
>>>>>>>
>>>>>>> --
>>>>>>> finid
>>>>>>
>>>>>> --
>>>>>>
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "ossec-list" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to [email protected].
>>>>>> For more options, visit https://groups.google.com/groups/opt_out [2].
>>>>>>
>>>>>> Links:
>>>>>> ------
>>>>>> [1] http://www.google.com/url?q=http%3A%2F%2Fur1.ca%2Fg8avy&sa=D&sntz=1&usg=AFQjCNHvkt8ZJGf30QyjY7Y1SZVDkppfog
>>>>>> [2] https://groups.google.com/groups/opt_out
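The thread's rule, run against constructed full_command events, as an added example (not code from the thread or from the OSSEC project): it models how <match> plus <check_diff /> fires only when the matched command's output changes, and why the match text has to be a substring of the configured command. It assumes <match> is a plain substring test, that a full_command event reads "ossec: output: '<command>':" followed by the output, and that the first output is stored as a baseline without alerting.

```python
class CheckDiffRule:
    """Minimal model of one OSSEC <rule> with <match> and <check_diff />.
    Assumed: <match> is a substring test; the first output is stored as a
    baseline without alerting (added example, not OSSEC's own code)."""

    def __init__(self, rule_id, level, match, description):
        self.rule_id = rule_id
        self.level = level
        self.match = match          # substring, exactly as in the rule file
        self.description = description
        self.last_output = None     # what check_diff remembers between runs

    def evaluate(self, event):
        """Return an alert dict when the matched output changed, else None."""
        if self.match not in event:
            return None
        _header, _sep, output = event.partition(":\n")
        if self.last_output is None:         # first run: baseline only
            self.last_output = output
            return None
        if output == self.last_output:       # unchanged: stay silent
            return None
        previous, self.last_output = self.last_output, output
        return {"rule_id": self.rule_id, "level": self.level,
                "description": self.description,
                "previous": previous, "current": output}

# The thread's rule, with the stray quote after </rule> dropped. Its <match>
# text has no closing quote, so it still matches the real command, which
# continues with "|grep -v 127.0.0.1".
RULE = CheckDiffRule("140123", 7,
                     "ossec: output: 'netstat -tan |grep LISTEN",
                     "Listened ports have changed.")

# Constructed sample events (assumed full_command format, not real captures):
# "ossec: output: '<command>':" then the command's output.
CMD = "ossec: output: 'netstat -tan |grep LISTEN|grep -v 127.0.0.1':\n"
EVENTS = [
    CMD + "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN",
    CMD + "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN",               # same
    CMD + "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN\n"
          "tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN",             # new port
    "ossec: output: 'df -h':\n/dev/sda1 20G 9G 11G 45% /",     # other cmd
]

def run(rule, events):
    """Feed events through the rule in order; return the alerts that fired."""
    return [a for a in (rule.evaluate(e) for e in events) if a]
```

`run(RULE, EVENTS)` yields exactly one alert, for the event where port 8080 appears; a match text written as `'netstat -tan | grep LISTEN'` (spaced and closed) would never match this command and so would never fire.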
