On Wed, Feb 26, 2014 at 12:48 PM, Nathaniel Bentzinger <[email protected]> wrote:
> Hi,
>
> I've created a decoder and some rules around our Zend.to installation (I
> updated the log reporting to include Error|Warn|Info after the server name
> in the logs). It works well unless someone fails to log in; then rule 1002
> hijacks the rule processing and runs with that. Note the two "rule_id:
> 100051" rules:

You should fix that. I thought it was supposed to kill analysisd if 2 rules
with the same ID were discovered.

> local_decoder.xml:
>
> <decoder name="Zend.to-logs">
>   <prematch>^\d\d/\d\d/\d\d\d\d \d\d:\d\d:\d\d </prematch>
>   <regex offset="after_prematch">[(\S+)]: (\S+) - (\.+)</regex>
>   <order>srcip, status, extra_data</order>
> </decoder>
>
> Local_rules.xml:
>
> <group name="Zend.to"><!--IDs 100050-100059 -->
>
>   <rule id="100050" level="1">
>     <decoded_as>Zend.to-logs</decoded_as>
>     <description>Zend.to log message</description>
>     <group>Zend.to</group>
>   </rule>
>
>   <rule id="100051" level="7">
>     <if_sid>100050</if_sid>
>     <status>Error</status>
>     <description>Zend.to Error</description>
>     <group>Zend.to,Error</group>
>   </rule>
>
>   <rule id="100051" level="7">
>     <if_sid>100050</if_sid>
>     <status>Error</status>
>     <match>Authorization|Illegal</match>
>     <description>Zend.to Authentication, Authorization or Identity check Errors</description>
>     <group>Zend.to,Error,AAAI</group>
>   </rule>
>
>   <rule id="100052" level="7">
>     <if_sid>100050</if_sid>
>     <status>Warn</status>
>     <description>Zend.to Warning</description>
>     <group>Zend.to,Warning</group>
>   </rule>
>
>   <rule id="100053" level="1">
>     <if_sid>100050</if_sid>
>     <status>Info</status>
>     <description>Zend.to Information Log</description>
>     <group>Zend.to,Info</group>
>   </rule>
>
> </group>
>
> Checking the ossec.log file shows it processed it fine:
>
> 2014/02/26 12:23:22 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
> 2014/02/26 12:23:22 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
> 2014/02/26 12:23:22 ossec-analysisd: INFO: Total rules enabled: '1319'
> 2014/02/26 12:23:22 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
>
> This rule set makes this alert:
>
> 02/26/2014 12:23:23 [Transfer]: Warn - Authorization failed for 'testfail'
>
> get processed as rule 1002, not as rule 100052 (Zend.to warning). Is this by
> design or a bug? I'm still running 2.6. Could someone confirm on 2.7?

Still works the same way in 2.7.1. I'm guessing it's the "WARN" in the log
message. You might need to if_sid the warn rule.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
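An added example, not code from the thread or from OSSEC itself: a small Python model of the decoder and rule tree posted above. It lints the rule table for the duplicate ID 100051, runs the Zend.to decoder regex over the quoted log line, and walks the rules under a simplified, assumed analysisd ordering (sibling rules tried highest level first, first hit wins, then its children). Rule 1002's keyword list is a constructed subset standing in for OSSEC's real $BAD_WORDS, and `ossec_to_python` only translates the regex subset this decoder uses.

```python
import re

# Sample line and decoder from the thread (offset="after_prematch" semantics).
LOG_LINE = "02/26/2014 12:23:23 [Transfer]: Warn - Authorization failed for 'testfail'"
PREMATCH = r"^\d\d/\d\d/\d\d\d\d \d\d:\d\d:\d\d "
DECODER_REGEX = r"[(\S+)]: (\S+) - (\.+)"
ORDER = ["srcip", "status", "extra_data"]

def ossec_to_python(rx):
    # Assumption: in OSSEC regex '[' and ']' are literal and '\.' is "any char";
    # only the constructs used by this decoder are translated.
    return rx.replace("[", r"\[").replace("]", r"\]").replace(r"\.", ".")

def decode(line):
    m = re.match(ossec_to_python(PREMATCH), line)
    if not m:
        return None
    m2 = re.search(ossec_to_python(DECODER_REGEX), line[m.end():])
    # Note: as written, the bracketed token ("Transfer") lands in srcip.
    return dict(zip(ORDER, m2.groups())) if m2 else None

# (id, level, if_sid, status, match). 1002 is OSSEC's generic "Unknown problem"
# rule; its keyword list here is a constructed subset, not the real $BAD_WORDS.
RULES = [
    (1002, 2, None, None, r"failed|error|illegal"),
    (100050, 1, None, None, None),
    (100051, 7, 100050, "Error", None),
    (100051, 7, 100050, "Error", r"Authorization|Illegal"),
    (100052, 7, 100050, "Warn", None),
    (100053, 1, 100050, "Info", None),
]

def duplicate_ids(rules):
    seen, dups = set(), set()
    for rid, *_ in rules:
        if rid in seen:
            dups.add(rid)
        seen.add(rid)
    return sorted(dups)

def matches(rule, line, fields):
    _, _, _, status, match = rule
    if status and fields.get("status") != status:
        return False
    return not match or re.search(match, line, re.IGNORECASE) is not None

def evaluate(rules, line, fields, parent=None):
    # Assumed ordering: siblings by descending level; deepest matching rule wins.
    siblings = sorted((r for r in rules if r[2] == parent), key=lambda r: -r[1])
    for r in siblings:
        if matches(r, line, fields):
            return evaluate(rules, line, fields, r[0]) or r[0]
    return None
```

Under this model the level-2 root rule 1002 is tried before the level-1 root rule 100050 and claims the line on "failed"; drop 1002 from the table and the same line descends to 100052.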
