Hi everyone,
I'm having a problem getting lists to work. They work fine with
ossec-logtest, but they're not working when I run ossec itself.
Here's a sample rule, in local_rules.xml:
<rule id="100126" level="10">
  <if_sid>5715</if_sid>
  <list field="hostname" lookup="match_key">lists/list_secure_hosts</list>
  <!--
  <list field="user" lookup="not_match_key">lists/list_expected_secure_logins</list>
  -->
  <description>Unexpected user logged into a Secure machine</description>
</rule>
(I commented out the check against the list of expected logins for testing.)
If I run this rule under ossec-logtest, it works:
Mar 5 13:58:13 secure-test sshd[20230]: Accepted publickey for jtcours from 192.168.1.1 port 53726 ssh2
**Phase 1: Completed pre-decoding.
full event: 'Mar 5 13:58:13 secure-test sshd[20230]: Accepted publickey for jtcours from 192.168.1.1 port 53726 ssh2'
hostname: 'secure-test'
program_name: 'sshd'
log: 'Accepted publickey for jtcours from 192.168.1.1 port 53726 ssh2'
**Phase 2: Completed decoding.
decoder: 'sshd'
dstuser: 'jtcours'
srcip: '192.168.1.1'
**Phase 3: Completed filtering (rules).
Rule id: '100126'
Level: '10'
Description: 'Unexpected user logged into a Secure machine'
**Alert to be generated.
I get the same results whether I run ossec-logtest as root or as user ossec.
However, when I run ossec itself, the rule won't match. Instead, the match
stops at rule 5715. But if I comment out the <list> check against
lists/list_secure_hosts, rule 100126 matches, suggesting the problem is in
searching the list.
I have this in ossec.conf:
<rules>
  ...
  <list>lists/list_secure_hosts</list>
  ...
</rules>
The lists are in /var/ossec/lists/, which has these permissions:
dr-xr-x--- 2 root ossec 4096 Mar 5 13:41 lists
I've recently run ossec-makelists against the files:
-rw-r--r-- 1 root ossec 58 Mar 5 13:40 list_secure_hosts
-rw-r--r-- 1 root ossec 2172 Mar 5 13:41 list_secure_hosts.cdb
and ossec-makelists recompiled the list after the most recent change.
I've tried restarting ossec using "ossec-control restart" and also by using
"ossec-control stop", making sure there aren't any ossec processes running,
and "ossec-control start". I also checked /var/ossec/logs/ossec.log but
didn't see anything odd in there.
Any thoughts or ideas on what's breaking?
Thanks very much,
Jeff
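The rule above depends on the compiled lists/list_secure_hosts.cdb answering a key lookup for the decoded hostname. The following Python is an added example, not code from the post or from the OSSEC project: it compiles a "key:value" list source into a cdb image and runs the match_key / not_match_key lookups the rule uses, so a compiled list can be checked outside of ossec-analysisd. It assumes (as an assumption about OSSEC, not something the post states) that ossec-makelists writes D.J. Bernstein's standard cdb layout; the sample list, the hostnames and all function names (compile_list, cdb_get, list_lookup, verify_compiled) are constructed for the example.

```python
"""Compile an OSSEC-style "key:value" list into a cdb image and look keys up in it.

Added example (not code from the original post). Assumes, as an assumption about
OSSEC, that ossec-makelists produces D.J. Bernstein's standard cdb layout: a
2048-byte header of 256 (table position, slot count) pairs, then records, then
the hash tables, all fields 32-bit little-endian. Function names are hypothetical.
"""
import struct

# Constructed sample list source, in the "key:value" form that
# lists/list_secure_hosts from the post would use.
SAMPLE_LIST = """\
# constructed sample: hostnames that count as Secure machines
secure-test:test secure machine
vault-01:production secrets host
"""


def cdb_hash(key: bytes) -> int:
    """Standard cdb hash: h = 5381; h = ((h << 5) + h) ^ c, kept to 32 bits."""
    h = 5381
    for c in key:
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h


def parse_list_source(text: str):
    """Yield (key, value) byte pairs from "key:value" lines; blank and '#' lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        yield key.encode(), value.encode()


def cdb_make(records) -> bytes:
    """Build a cdb image: 2048-byte header, then records, then 256 hash tables."""
    out = bytearray(2048)              # header is filled in last
    buckets = [[] for _ in range(256)]
    for key, value in records:
        h = cdb_hash(key)
        buckets[h & 0xFF].append((h, len(out)))   # record offset, never 0
        out += struct.pack("<II", len(key), len(value)) + key + value
    header = bytearray()
    for entries in buckets:
        nslots = 2 * len(entries)      # cdb uses twice as many slots as entries
        header += struct.pack("<II", len(out), nslots)
        slots = [(0, 0)] * nslots
        for h, pos in entries:         # linear probing from (h >> 8) % nslots
            j = (h >> 8) % nslots
            while slots[j][1] != 0:
                j = (j + 1) % nslots
            slots[j] = (h, pos)
        for h, pos in slots:
            out += struct.pack("<II", h, pos)
    out[:2048] = header
    return bytes(out)


def cdb_get(data: bytes, key: bytes):
    """Return the value stored for key, or None if the key is absent."""
    h = cdb_hash(key)
    table_pos, nslots = struct.unpack_from("<II", data, (h & 0xFF) * 8)
    if nslots == 0:
        return None
    j = (h >> 8) % nslots
    for _ in range(nslots):
        slot_hash, rec = struct.unpack_from("<II", data, table_pos + j * 8)
        if rec == 0:                   # empty slot ends the probe chain
            return None
        if slot_hash == h:
            klen, vlen = struct.unpack_from("<II", data, rec)
            if data[rec + 8:rec + 8 + klen] == key:
                return data[rec + 8 + klen:rec + 8 + klen + vlen]
        j = (j + 1) % nslots
    return None


def compile_list(text: str) -> bytes:
    """Compile a list source the way ossec-makelists is assumed to (see module docstring)."""
    return cdb_make(list(parse_list_source(text)))


def list_lookup(cdb: bytes, field_value: str, lookup: str) -> bool:
    """Evaluate a <list lookup="..."> condition for the two lookup kinds used in the post."""
    present = cdb_get(cdb, field_value.encode()) is not None
    if lookup == "match_key":
        return present
    if lookup == "not_match_key":
        return not present
    raise ValueError(f"unsupported lookup kind: {lookup}")


def verify_compiled(text: str, cdb: bytes) -> bool:
    """Check that every key in the source resolves to its value in the compiled image."""
    return all(cdb_get(cdb, k) == v for k, v in parse_list_source(text))


if __name__ == "__main__":
    image = compile_list(SAMPLE_LIST)
    for host in ("secure-test", "workstation-7"):
        print(host, "match_key ->", list_lookup(image, host, "match_key"))
```

To check a deployed list rather than the constructed sample, read the source and the .cdb from the lists directory and call verify_compiled on the pair; a False result means the compiled file is stale or was built from a different source, which is one of the things worth ruling out when ossec-logtest and the running daemon disagree.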