-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Wednesday, February 26, 2014 1:04 PM
To: [email protected]
Subject: Re: [ossec-list] bug or by design: double ossec rule ID stops processing IDs after that number

> On Wed, Feb 26, 2014 at 12:48 PM, Nathaniel Bentzinger
> <[email protected]> wrote:
>> Hi,
>>
>> I've created a decoder and some rules around our Zend.to installation
>> (I updated the log reporting to include Error|Warn|Info after the
>> server name in the logs). It works well unless someone fails to log in;
>> then rule 1002 hijacks the rule processing and runs with that.
>
> Note the two "rule_id: 100051" rules:
>
> You should fix that. I thought it was supposed to kill analysisd if 2 rules
> with the same ID were discovered.
I did after I caught it. I just found it interesting that a service restart didn't cause OSSEC to fail to start due to a duplicate rule id. For everyone else, this is the final rule set:

<group name="Zend.to"><!--IDs 100050-100059 -->

  <rule id="100050" level="1">
    <decoded_as>Zend.to-logs</decoded_as>
    <description>Zend.to log message</description>
    <group>Zend.to</group>
  </rule>

  <rule id="100051" level="7">
    <if_sid>100050</if_sid>
    <status>Error</status>
    <description>Zend.to Error</description>
    <group>Zend.to,Error</group>
  </rule>

  <rule id="100052" level="7">
    <if_sid>100050</if_sid>
    <status>Error</status>
    <match>Authorization|Illegal</match>
    <description>Zend.to Authentication, Authorization or Identity check Errors</description>
    <group>Zend.to,Error,AAAI</group>
  </rule>

  <rule id="100053" level="7">
    <if_sid>100050</if_sid>
    <status>Warn</status>
    <description>Zend.to Warning</description>
    <group>Zend.to,Warning</group>
  </rule>

  <rule id="100054" level="1">
    <if_sid>100050</if_sid>
    <status>Info</status>
    <description>Zend.to Information Log</description>
    <group>Zend.to,Info</group>
  </rule>

</group>

>> local_decoder.xml:
>>
>> <decoder name="Zend.to-logs">
>>   <prematch>^\d\d/\d\d/\d\d\d\d \d\d:\d\d:\d\d </prematch>
>>   <regex offset="after_prematch">[(\S+)]: (\S+) - (\.+)</regex>
>>   <order>srcip, status, extra_data</order>
>> </decoder>
>>
>> Local_rules.xml:
>>
>> <group name="Zend.to"><!--IDs 100050-100059 -->
>>
>>   <rule id="100050" level="1">
>>     <decoded_as>Zend.to-logs</decoded_as>
>>     <description>Zend.to log message</description>
>>     <group>Zend.to</group>
>>   </rule>
>>
>>   <rule id="100051" level="7">
>>     <if_sid>100050</if_sid>
>>     <status>Error</status>
>>     <description>Zend.to Error</description>
>>     <group>Zend.to,Error</group>
>>   </rule>
>>
>>   <rule id="100051" level="7">
>>     <if_sid>100050</if_sid>
>>     <status>Error</status>
>>     <match>Authorization|Illegal</match>
>>     <description>Zend.to Authentication, Authorization or Identity check Errors</description>
>>     <group>Zend.to,Error,AAAI</group>
>>   </rule>
>>
>>   <rule id="100052" level="7">
>>     <if_sid>100050</if_sid>
>>     <status>Warn</status>
>>     <description>Zend.to Warning</description>
>>     <group>Zend.to,Warning</group>
>>   </rule>
>>
>>   <rule id="100053" level="1">
>>     <if_sid>100050</if_sid>
>>     <status>Info</status>
>>     <description>Zend.to Information Log</description>
>>     <group>Zend.to,Info</group>
>>   </rule>
>>
>> </group>
>>
>> Checking the ossec.log file shows it processed it fine:
>>
>> 2014/02/26 12:23:22 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
>> 2014/02/26 12:23:22 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>> 2014/02/26 12:23:22 ossec-analysisd: INFO: Total rules enabled: '1319'
>> 2014/02/26 12:23:22 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
>>
>> This rule set makes this alert:
>>
>> 02/26/2014 12:23:23 [Transfer]: Warn - Authorization failed for 'testfail'
>>
>> get processed as rule 1002, not as rule 100052 (Zend.to warning). Is this
>> by design or a bug? I'm still running 2.6. Could someone confirm on 2.7?
>>
>
> Still works the same way in 2.7.1. I'm guessing it's the "WARN" in the log
> message. You might need to if_sid the warn rule.
>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google
>> Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send
>> an email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
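The thread turns on two things that are easy to check offline before restarting analysisd: whether local_rules.xml reuses a rule id, and which of the Zend.to rules a given line would reach once the decoder has split it into srcip, status and extra_data. The script below is an added example, not OSSEC's code and not the poster's. It embeds the decoder and both rule sets from the thread (compacted to one rule per line), hand-translates the OSSEC decoder regex into Python's dialect (an assumption about OSSEC syntax: \d is a digit, \S a non-space, \. any character, square brackets literal), flags duplicate ids, and walks the rules with a deliberately simplified model (siblings in file order, first match wins, deepest match alerts). That evaluation order is my assumption, not something the thread establishes about analysisd, and the Error and Info sample lines are constructed; only the Warn line is the one quoted in the thread.

```python
"""Offline model of the Zend.to decoder and rules posted in this thread.

Added example, not OSSEC's code and not the poster's. It parses the posted
rule XML, flags duplicate rule ids, decodes lines with a hand translation of
the posted decoder, and walks the rules with a simplified first-match model.
The regex translation and the evaluation order are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Decoder from the posted local_decoder.xml. Assumed OSSEC syntax: "\d" digit,
# "\S" non-space, "\." any character, "[" and "]" literal.
DECODER_NAME = "Zend.to-logs"
PREMATCH = re.compile(r"^\d\d/\d\d/\d\d\d\d \d\d:\d\d:\d\d ")
AFTER_PREMATCH = re.compile(r"\[(\S+)\]: (\S+) - (.+)")
ORDER = ("srcip", "status", "extra_data")  # the decoder's <order>

# The thread's rule sets, one <rule> per line: the original local_rules.xml
# with id 100051 used twice, and the corrected set the poster settled on.
ORIGINAL_RULES = """<group name="Zend.to">
<rule id="100050" level="1"><decoded_as>Zend.to-logs</decoded_as></rule>
<rule id="100051" level="7"><if_sid>100050</if_sid><status>Error</status></rule>
<rule id="100051" level="7"><if_sid>100050</if_sid><status>Error</status><match>Authorization|Illegal</match></rule>
<rule id="100052" level="7"><if_sid>100050</if_sid><status>Warn</status></rule>
<rule id="100053" level="1"><if_sid>100050</if_sid><status>Info</status></rule>
</group>"""
FINAL_RULES = """<group name="Zend.to">
<rule id="100050" level="1"><decoded_as>Zend.to-logs</decoded_as></rule>
<rule id="100051" level="7"><if_sid>100050</if_sid><status>Error</status></rule>
<rule id="100052" level="7"><if_sid>100050</if_sid><status>Error</status><match>Authorization|Illegal</match></rule>
<rule id="100053" level="7"><if_sid>100050</if_sid><status>Warn</status></rule>
<rule id="100054" level="1"><if_sid>100050</if_sid><status>Info</status></rule>
</group>"""

# The alert line quoted in the thread, plus two constructed lines.
POSTED_WARN = "02/26/2014 12:23:23 [Transfer]: Warn - Authorization failed for 'testfail'"
CONSTRUCTED_ERROR = "02/26/2014 12:25:01 [Transfer]: Error - Authorization failed for 'testfail'"
CONSTRUCTED_INFO = "02/26/2014 12:26:40 [Transfer]: Info - Drop-off 'abc123' picked up"


def decode(line):
    """Fields the decoder would extract from one line, or None if it does not apply."""
    pre = PREMATCH.match(line)
    if not pre:
        return None
    body = AFTER_PREMATCH.search(line[pre.end():])  # offset="after_prematch"
    if not body:
        return None
    event = dict(zip(ORDER, body.groups()))
    event.update(decoder=DECODER_NAME, full_log=line)
    return event


def load_rules(xml_text):
    """Parse <rule>s in file order; return (rules, list of duplicated ids)."""
    rules, seen, dupes = [], set(), []
    for r in ET.fromstring(xml_text).iter("rule"):
        rid = r.get("id")
        if rid in seen:
            dupes.append(rid)  # analysisd accepted this silently in the thread
        seen.add(rid)
        rules.append({"id": rid, "if_sid": r.findtext("if_sid"),
                      "decoded_as": r.findtext("decoded_as"),
                      "status": r.findtext("status"), "match": r.findtext("match")})
    return rules, dupes


def rule_matches(rule, event):
    """Check the three conditions these rules use: decoded_as, status, match."""
    if rule["decoded_as"] and rule["decoded_as"] != event["decoder"]:
        return False
    if rule["status"] and rule["status"] != event.get("status"):
        return False
    if rule["match"]:  # <match> is a substring test; "|" separates alternatives
        return any(alt in event["full_log"] for alt in rule["match"].split("|"))
    return True


def evaluate(rules, event):
    """Assumed walk: siblings in file order, first match wins, then descend into
    its if_sid children; the deepest matching rule is the one that alerts."""
    def walk(parent_id):
        for rule in rules:
            if rule["if_sid"] == parent_id and rule_matches(rule, event):
                return walk(rule["id"]) or rule
        return None
    return walk(None)


def classify(xml_text, line):
    """Rule id that would alert for one line, or None if nothing fires."""
    event = decode(line)
    if event is None:
        return None
    hit = evaluate(load_rules(xml_text)[0], event)
    return hit["id"] if hit else None


if __name__ == "__main__":
    for name, xml_text in (("original", ORIGINAL_RULES), ("final", FINAL_RULES)):
        print(f"{name}: duplicate ids = {load_rules(xml_text)[1] or 'none'}")
        for line in (POSTED_WARN, CONSTRUCTED_ERROR, CONSTRUCTED_INFO):
            print(f"  {line[20:]!r} -> rule {classify(xml_text, line)}")
```

Two things worth noticing in the output. The duplicate-id check reports 100051 for the original set and nothing for the final one, which is the check the thread expected analysisd to perform; running something like this over local_rules.xml (or feeding the line through ossec-logtest) before a restart is cheaper than discovering the problem from a misrouted alert. Second, under the first-match model used here, the final set's rule 100052 (Authorization|Illegal) never fires, because 100051 sits before it at the same level and already accepts every Error line. Whether real analysisd evaluates same-level siblings in file order is my recollection rather than something this thread confirms; if it does, the narrower rule should be listed before the broader one, or hang off 100051 with its own if_sid.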
