On Wed, Feb 26, 2014 at 1:15 PM, Nathaniel Bentzinger <[email protected]> wrote:
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Wednesday, February 26, 2014 1:04 PM
> To: [email protected]
> Subject: Re: [ossec-list] bug or by design: double ossec rule ID stops
> processing IDs after that number
>
>> On Wed, Feb 26, 2014 at 12:48 PM, Nathaniel Bentzinger
>> <[email protected]> wrote:
>>> Hi,
>>>
>>> I've created a decoder and some rules around our Zend.to installation
>>> (I updated the log reporting to include Error|Warn|Info after the
>>> server name in the logs). It works well unless someone fails to log in;
>>> then rule 1002 hijacks the rule processing and runs with that. Note the
>>> two "rule_id: 100051" rules:
>>
>> You should fix that. I thought it was supposed to kill analysisd if 2 rules
>> with the same ID were discovered.
>
> I did after I caught it. I just found it interesting that a service restart
> didn't cause OSSEC to fail to start due to a duplicate rule id.

It should in 2.7.1.

> For everyone else this is the final rule set:
>
> </group>
> <group name="Zend.to"><!--IDs 100050-100059 -->
>
> <rule id="100050" level="1">
> <decoded_as>Zend.to-logs</decoded_as>
> <description>Zend.to log message</description>
> <group>Zend.to</group>
> </rule>
>
> <rule id="100051" level="7">
> <if_sid>100050</if_sid>
> <status>Error</status>
> <description>Zend.to Error</description>
> <group>Zend.to,Error</group>
> </rule>
>
> <rule id="100052" level="7">
> <if_sid>100050</if_sid>
> <status>Error</status>
> <match>Authorization|Illegal</match>
> <description>Zend.to Authentication, Authorization or Identity check
> Errors</description>
> <group>Zend.to,Error,AAAI</group>
> </rule>
>
> <rule id="100053" level="7">
> <if_sid>100050</if_sid>
> <status>Warn</status>
> <description>Zend.to Warning</description>
> <group>Zend.to,Warning</group>
> </rule>
>
> <rule id="100054" level="1">
> <if_sid>100050</if_sid>
> <status>Info</status>
> <description>Zend.to Information Log</description>
> <group>Zend.to,Info</group>
> </rule>
>
> </group>
>
>>> local_decoder.xml:
>>>
>>> <decoder name="Zend.to-logs">
>>> <prematch>^\d\d/\d\d/\d\d\d\d \d\d:\d\d:\d\d </prematch>
>>> <regex offset="after_prematch">[(\S+)]: (\S+) - (\.+)</regex>
>>> <order>srcip, status, extra_data</order>
>>> </decoder>
>>>
>>> Local_rules.xml:
>>>
>>> <group name="Zend.to"><!--IDs 100050-100059 -->
>>>
>>> <rule id="100050" level="1">
>>> <decoded_as>Zend.to-logs</decoded_as>
>>> <description>Zend.to log message</description>
>>> <group>Zend.to</group>
>>> </rule>
>>>
>>> <rule id="100051" level="7">
>>> <if_sid>100050</if_sid>
>>> <status>Error</status>
>>> <description>Zend.to Error</description>
>>> <group>Zend.to,Error</group>
>>> </rule>
>>>
>>> <rule id="100051" level="7">
>>> <if_sid>100050</if_sid>
>>> <status>Error</status>
>>> <match>Authorization|Illegal</match>
>>> <description>Zend.to Authentication, Authorization or Identity
>>> check Errors</description>
>>> <group>Zend.to,Error,AAAI</group>
>>> </rule>
>>>
>>> <rule id="100052" level="7">
>>> <if_sid>100050</if_sid>
>>> <status>Warn</status>
>>> <description>Zend.to Warning</description>
>>> <group>Zend.to,Warning</group>
>>> </rule>
>>>
>>> <rule id="100053" level="1">
>>> <if_sid>100050</if_sid>
>>> <status>Info</status>
>>> <description>Zend.to Information Log</description>
>>> <group>Zend.to,Info</group>
>>> </rule>
>>>
>>> </group>
>>>
>>> Checking the ossec.log file shows it processed it fine:
>>>
>>> 2014/02/26 12:23:22 ossec-analysisd: INFO: Reading rules file: 'dropbear_rules.xml'
>>> 2014/02/26 12:23:22 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
>>> 2014/02/26 12:23:22 ossec-analysisd: INFO: Total rules enabled: '1319'
>>> 2014/02/26 12:23:22 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
>>>
>>> This rule set makes this alert:
>>>
>>> 02/26/2014 12:23:23 [Transfer]: Warn - Authorization failed for 'testfail'
>>>
>>> get processed as rule 1002 not as rule 100052 (Zend.to warning). Is
>>> this by design or a bug? I'm still running 2.6. Could someone confirm on
>>> 2.7?
>>>
>>
>> Still works the same way in 2.7.1. I'm guessing it's the "WARN" in the log
>> message. You might need to if_sid the warn rule.
>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/groups/opt_out.
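A small pre-restart check for the duplicate-ID problem discussed in this thread, added here as an example and not code from the OSSEC project or from the thread's authors: it scans a rules fragment in the shape of the local_rules.xml above for rule ids that appear twice, and also for if_sid targets that are not defined in the same fragment. The sample rules are constructed; the 100099 reference in them is an invented placeholder used only to exercise the second check.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's local_rules.xml (not the file
# itself): 100051 appears twice, and 100052 points at an id not defined here.
SAMPLE_RULES = """
<group name="Zend.to"><!--IDs 100050-100059 -->
<rule id="100050" level="1">
<decoded_as>Zend.to-logs</decoded_as>
</rule>
<rule id="100051" level="7">
<if_sid>100050</if_sid>
<status>Error</status>
</rule>
<rule id="100051" level="7">
<if_sid>100050</if_sid>
<match>Authorization|Illegal</match>
</rule>
<rule id="100052" level="7">
<if_sid>100099</if_sid>
<status>Warn</status>
</rule>
</group>
"""

RULE_RE = re.compile(r'<rule\s+id="(\d+)"[^>]*>(.*?)</rule>', re.S)
IF_SID_RE = re.compile(r'<if_sid>([\d,\s]+)</if_sid>')

def check_rules(xml_text):
    """Return (duplicate_ids, unresolved_refs) for an OSSEC rules fragment.

    OSSEC rule files are not single well-formed XML documents (several
    top-level <group> elements, stray closers), so this uses regexes rather
    than an XML parser. An unresolved if_sid target may live in another rules
    file, so those pairs are a review item, not necessarily an error.
    """
    seen = defaultdict(int)
    refs = []  # (rule id, if_sid target) pairs
    for m in RULE_RE.finditer(xml_text):
        rid = int(m.group(1))
        seen[rid] += 1
        for targets in IF_SID_RE.findall(m.group(2)):
            refs += [(rid, int(t)) for t in targets.split(",") if t.strip()]
    duplicates = sorted(r for r, n in seen.items() if n > 1)
    unresolved = sorted((r, t) for r, t in refs if t not in seen)
    return duplicates, unresolved

if __name__ == "__main__":
    dups, unresolved = check_rules(SAMPLE_RULES)
    print("duplicate rule ids:", dups)       # [100051]
    print("unresolved if_sid:", unresolved)  # [(100052, 100099)]
```

Run it against the real file with `check_rules(open("/var/ossec/rules/local_rules.xml").read())` before restarting analysisd on a version that does not abort on duplicates.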
