On Mon, Feb 2, 2015 at 9:24 AM, Khoshal A R. <[email protected]> wrote:
> Hi,
> Thanks for the quick response.
>
> These entries are not commented in local_rules.xml, here is one sample rule I
> am trying to modify the severity,
>
> <rule id="100111" level="13" overwrite="yes">

I don't have a 100111, can you provide your original rule with id 100111? Or,
are you misunderstanding the overwrite option? You should use overwrite when
there is a rule in the *_rules.xml files that come with OSSEC that you want to
modify. If you are creating a new rule, you should not be using the overwrite
option.

For example, if you wanted to change the level of rule 18105, you could use:

<rule id="18105" level="12" overwrite="yes">
  <if_sid>18100</if_sid>
  <status>^AUDIT_FAILURE|^failure</status>
  <description>Windows audit failure event.</description>
</rule>

Notice how the "rule id" does not change, only the level and the addition of
the overwrite option.

> <if_sid>18105,18106,18116</if_sid>
> <match>illegal user|invalid user</match>
> <description>Attempt to login using a non-existent user</description>
> <group>invalid_login,authentication_failed,</group>
> </rule>
>
> Also, I am restarting OSSEC after every little change in the config files. If
> I set the mail alert to less than 12 I get the alerts correctly but as there
> are too many events I'm flooded with mails, hence I'm trying to increase the
> severity of a few events like the one mentioned above.
>
> I'm also checking the /var/ossec/logs/alerts/alerts.log after I made the
> entry in local_rules.xml and restarted OSSEC, but alerts.log still gives the
> rule number in the msauth_rules.xml and not the rule number on
> local_rules.xml,
>
> Please let me know if you need more info,
>
> Regards,
> Khoshal AR
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Monday, February 02, 2015 7:31 PM
> To: [email protected]
> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work
>
> On Mon, Feb 2, 2015 at 8:57 AM, Khoshal A R.
> <[email protected]> wrote:
>> Hi,
>>
>> Can you please help me in what I'm doing wrong in modifying the severity of
>> the rules that I'm trying in local_rules.xml.
>>
>> OS : Kali-Linux
>>
>> OSSEC version : 2.8.1
>>
>> Please find the local_rules.xml file entries below for the overwrite:
>>
>> Everything else works, but I need to change the severity of certain rules
>> for the meaningful alerts and fine tune the frequency they are executed.
>>
>> Appreciate your help.
>>
>
> Are all of these rules commented out in the local_rules.xml file as well?
> Did you restart the OSSEC processes after making the changes?
> Do you have log samples that can be tested with ossec-logtest?
>
>> <rule id="100102" level="12" overwrite="yes">
>> <if_sid>18104</if_sid>
>> <id>^513$|^4609$</id>
>> <description>Windows is shutting down.</description>
>> <group>system_shutdown,</group>
>> </rule>
>> -->
>>
>> <!--
>> <rule id="100103" level="13" overwrite="yes">
>> <if_sid>18103</if_sid>
>> <id>^13570$</id>
>> <description>Windows file system full.</description>
>> <group>low_diskspace,</group>
>> </rule>
>> -->
>>
>> <!--
>> <rule id="100104" level="12" overwrite="yes">
>> <if_sid>18100,18103</if_sid>
>> <status>^ERROR</status>
>> <description>Windows error event.</description>
>> <group>system_error,</group>
>> </rule>
>> -->
>>
>> <!--
>> <rule id="100105" level="12" overwrite="yes">
>> <if_sid>18100,18105</if_sid>
>> <status>^AUDIT_FAILURE|^failure</status>
>> <description>Windows audit failure event.</description>
>> </rule>
>> -->
>>
>> </group> <!-- SYSLOG,LOCAL -->
>>
>> Regards,
>> Khoshal AR
>> Sonata Software Limited
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
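A quick way to catch the two problems raised in this thread before restarting OSSEC, added here as an example (not code from the thread or from the OSSEC project): it parses a shipped ruleset and a local_rules.xml and flags overwrite="yes" on an id the shipped rules never define (which is then just a new rule, not an override), an id that collides with a shipped rule without overwrite, and rules left inside XML comments, which never load. Both XML fragments are constructed samples and the shipped level for 18105 is assumed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for a shipped OSSEC ruleset (level assumed, not copied from msauth_rules.xml).
SHIPPED_RULES = """<group name="windows,">
  <rule id="18105" level="4">
    <if_sid>18100</if_sid>
    <status>^AUDIT_FAILURE|^failure</status>
    <description>Windows audit failure event.</description>
  </rule>
</group>"""

# Constructed local_rules.xml mirroring the thread: overwrite on a new id, a correct overwrite, a commented rule.
LOCAL_RULES = """<group name="local,syslog,">
  <rule id="100111" level="13" overwrite="yes">
    <if_sid>18105,18106,18116</if_sid>
    <match>illegal user|invalid user</match>
    <description>Attempt to login using a non-existent user</description>
  </rule>
  <rule id="18105" level="12" overwrite="yes">
    <if_sid>18100</if_sid>
    <status>^AUDIT_FAILURE|^failure</status>
    <description>Windows audit failure event.</description>
  </rule>
  <!--
  <rule id="100105" level="12" overwrite="yes">
    <if_sid>18100,18105</if_sid>
    <description>Windows audit failure event.</description>
  </rule>
  -->
</group>"""

def rule_levels(xml_text):
    """Map rule id -> level for every <rule> the XML parser sees (commented-out rules are invisible)."""
    return {r.get("id"): int(r.get("level", "0")) for r in ET.fromstring(xml_text).iter("rule")}

def check_overwrites(shipped_xml, local_xml):
    """Return (kind, rule id) findings for a local ruleset, in document order."""
    shipped = rule_levels(shipped_xml)
    findings = []
    for rule in ET.fromstring(local_xml).iter("rule"):
        rid = rule.get("id")
        if rule.get("overwrite") == "yes":
            # overwrite only changes an id OSSEC already ships; on any other id it is an ordinary new rule
            findings.append(("overwrite-ok" if rid in shipped else "overwrite-of-unknown-id", rid))
        elif rid in shipped:
            findings.append(("duplicate-id-without-overwrite", rid))
    # ElementTree drops XML comments, so scan the raw text for rules left inside <!-- -->
    for block in re.findall(r"<!--(.*?)-->", local_xml, re.S):
        findings += [("commented-out", rid) for rid in re.findall(r'<rule id="(\d+)"', block)]
    return findings
```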
