Hi All,
I've successfully installed ossec-hids version 2.8 on a server, with agents, but
I am having very odd problems with hostname matching.
I have something like this in local_rules.xml:
<rule id="100132" level="3">
  <if_group>authentication_success</if_group>
  <description>PHC POLICY - Login to server</description>
</rule>
<rule id="100133" level="9">
  <if_sid>100132</if_sid>
  <hostname>579806-db1</hostname>
  <description>PHC POLICY - Login to DB1 machine</description>
  <group>policy_violation</group>
</rule>
I paste the log line:
Aug 12 14:46:49 579806-db1 sshd[35664]: Accepted publickey for elias from xxx.xxx.xxx.xxx port 53036 ssh2
into the rules tester and I get what's expected:
**Phase 1: Completed pre-decoding.
full event: 'Aug 12 14:46:49 579806-db1 sshd[35664]: Accepted publickey for elias from xxx.xxx.xxx.xxx port 53036 ssh2'
hostname: '579806-db1'
program_name: 'sshd'
log: 'Accepted publickey for elias from xxx.xxx.xxx.xxx port 53036 ssh2'
**Phase 2: Completed decoding.
decoder: 'sshd'
dstuser: 'elias'
srcip: 'xxx.xxx.xxx.xxx'
**Phase 3: Completed filtering (rules).
Rule id: '100133'
Level: '9'
Description: 'PHC POLICY - Login to DB1 machine'
**Alert to be generated.
So far so good.
But then when I restart the servers this never ever matches. It only ever
matches the parent rule 100132: (from alerts.log)
** Alert 1407819130.465414: - local,syslog,
2014 Aug 12 14:52:10 (db1) xxx.xxx.xxx.xxx->/var/log/secure
Rule: 100132 (level 3) -> 'PHC POLICY - Login to server'
Src IP: xxx.xxx.xxx.xxx
User: elias
Aug 12 14:52:09 579806-db1 sshd[36577]: Accepted publickey for elias from xxx.xxx.xxx.xxx port 53045 ssh2
** Alert 1407819130.465718: - local,syslog,
2014 Aug 12 14:52:10 (db1) xxx.xxx.xxx.xxx->/var/log/secure
Rule: 100132 (level 3) -> 'PHC POLICY - Login to server'
Aug 12 14:52:09 579806-db1 sshd[36577]: pam_unix(sshd:session): session opened for user elias by (uid=0)
The WEIRD part is that if I remove the digits and the - from the hostname it
works! This is not what I want, as the string would match other hostnames whose
suffix is db1.
The agents are running RHEL 6.5, and the server is CentOS 6.5.
Any ideas?
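As an added example (not part of the post above, and not OSSEC's own code), the script below mimics what the rules tester does in Phase 1 and Phase 3 for the two rules quoted in the post: it pre-decodes the syslog header into hostname / program_name / log, treats an sshd "Accepted ..." line as authentication_success, and then applies the `<hostname>` pattern of rule 100133. The matching function is an approximation of OSSEC's sregex semantics for `<hostname>` as I understand them: an unanchored value is a substring match, while `^` and `$` anchor it. That is exactly the over-match the poster is worried about when the value is shortened to `db1`, and the anchored form `^579806-db1$` is the way to pin it to one host. The sample log lines are constructed (the first one mirrors the post, with the address masked as in the post); the hostnames `web-db1` and `579806-db10` are made up to show the collision.

```python
import re

# Constructed sample lines. Line 0 mirrors the post; the others are invented
# hosts whose names contain "db1" and one failed login on the real host.
SAMPLE_LOGS = [
    "Aug 12 14:46:49 579806-db1 sshd[35664]: Accepted publickey for elias from xxx.xxx.xxx.xxx port 53036 ssh2",
    "Aug 12 14:46:50 web-db1 sshd[1001]: Accepted publickey for elias from xxx.xxx.xxx.xxx port 53037 ssh2",
    "Aug 12 14:46:51 579806-db10 sshd[1002]: Accepted password for elias from xxx.xxx.xxx.xxx port 53038 ssh2",
    "Aug 12 14:46:52 579806-db1 sshd[1003]: Failed password for root from xxx.xxx.xxx.xxx port 53039 ssh2",
]

# Classic BSD syslog header: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_HDR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^\[:]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

# Rule ids taken from the post's local_rules.xml.
RULE_LOGIN_ANY = 100132   # if_group authentication_success
RULE_LOGIN_DB1 = 100133   # if_sid 100132 + <hostname>


def predecode(line):
    """Phase 1: split the syslog header the way ossec-logtest reports it."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    return {
        "hostname": m.group("hostname"),
        "program_name": m.group("program"),
        "log": m.group("log"),
    }


def is_auth_success(event):
    """Stand-in for the sshd decoder placing the event in authentication_success."""
    return event["program_name"] == "sshd" and event["log"].startswith("Accepted ")


def hostname_matches(pattern, hostname):
    """Approximation of OSSEC sregex for <hostname> (assumption, not OSSEC code):
    no anchors -> substring; ^ anchors the start; $ anchors the end."""
    at_start = pattern.startswith("^")
    at_end = pattern.endswith("$")
    core = pattern[1 if at_start else 0: len(pattern) - 1 if at_end else len(pattern)]
    if at_start and at_end:
        return hostname == core
    if at_start:
        return hostname.startswith(core)
    if at_end:
        return hostname.endswith(core)
    return core in hostname


def evaluate(line, hostname_pattern):
    """Phase 3: return the most specific rule id that fires, or None."""
    event = predecode(line)
    if event is None or not is_auth_success(event):
        return None
    if hostname_matches(hostname_pattern, event["hostname"]):
        return RULE_LOGIN_DB1
    return RULE_LOGIN_ANY


def hosts_hit(pattern, lines=SAMPLE_LOGS):
    """Which hostnames in the sample set would trigger 100133 for a given pattern."""
    return sorted({predecode(l)["hostname"] for l in lines
                   if evaluate(l, pattern) == RULE_LOGIN_DB1})


if __name__ == "__main__":
    for pat in ("579806-db1", "db1", "^579806-db1$"):
        print(f"<hostname>{pat}</hostname> fires 100133 on: {hosts_hit(pat)}")
```

Run stand-alone, the script shows that `db1` fires 100133 on all three sample hosts, while `579806-db1` and `^579806-db1$` fire only on the real DB1 host. One caveat the script cannot settle: it matches against the syslog header hostname, which is what the rules tester prints in Phase 1. In the live alerts from the post the location field carries the agent name `(db1)` rather than `579806-db1`, so the thing to check on the server is which of those two strings analysisd actually feeds to `<hostname>` for events that arrive through an agent.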