Hi,
I tried without changing the rule_id , but somewhere in the on the online docs
I got this idea to use the new rule ID, however now as you mentioned I ve
reverted back and to narrow the issue I m pasting the config entry in
local_rules.xml and the corresponding output from
/var/ossec/logs/alerts/alerts.log
This is the entry in local_rules.xml:
<rule id="18106" level="13" overwrite="yes">
<if_sid>18105</if_sid>
<id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
<description>Windows Logon Failure.</description>
<group>win_authentication_failed,</group>
</rule>
Then I tried with the invalid password to one of our windows agent and here is
the output from alerts.log
** Alert 1422888616.112065949: - windows,win_authentication_failed,
2015 Feb 02 14:50:16 (RZP_NA_PROD_RDP01) 10.0.0.6->WinEvtLog
Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
User: (no user)
2015 Feb 02 09:50:05 WinEvtLog: Security: AUDIT_FAILURE(4625):
Microsoft-Windows-Security-Auditing: (no user): no domain: RZPPROD-RDP01: An
account failed to log on. Subject: Security ID: S-1-0-0 Account Name: -
Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon
Failed: Security ID: S-1-0-0 Account Name: khoshalk Account Domain:
RZPPROD-RDP01 Failure Information: Failure Reason: %%2313 Status:
0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID:
0x0 Caller Process Name: - Network Information: Workstation Name: BG1NB189
Source Network Address: - Source Port: - Detailed Authentication
Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited
Services: - Package Name (NTLM only): - Key Length: 0 This event is
generated when a logon request fails. It is generated on the computer where
access was attempted.
Email alert level is set to 12 in ossec.conf and I ve restarted OSSEC after I
added to the local_rules.xml.
Can you please figure out where exactly Im going wrong with this,
Regards,
Khoshal AR
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of dan (ddp)
Sent: Monday, February 02, 2015 8:03 PM
To: [email protected]
Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work
On Mon, Feb 2, 2015 at 9:24 AM, Khoshal A R.
<[email protected]> wrote:
> Hi,
> Thanx for quick response.
>
> These entries are not commented in local_rules.xml, here is one sample rule I
> am trying to modify the severity,
>
> <rule id="100111" level="13" overwrite="yes">
I don't have a 100111, can you provide your original rule with id 100111?
Or, are you misunderstanding the overwrite option? You should use
overwrite when there is a rule in the *_rules.xml files that come with
OSSEC that you want to modify. If you are creating a new rule, you
should not be using the overwrite option.
For example, if you wanted to change the level of rule 18105, you could use:
<rule id="18105" level="12" overwrite="yes">
<if_sid>18100</if_sid>
<status>^AUDIT_FAILURE|^failure</status>
<description>Windows audit failure event.</description>
</rule>
Notice how the "rule id" does not change, only the level and the
addition of the overwrite option.
> <if_sid>18105,18106,18116</if_sid>
> <match>illegal user|invalid user</match>
> <description>Attempt to login using a non-existent user</description>
> <group>invalid_login,authentication_failed,</group>
> </rule>
>
> Also , I am restarting OSSEC after every little change in the config files.If
> I set the mail alert to less than 12 I get the alerts correctly but as there
> are too many events Im flooded with mails hence I'm trying to increase the
> severity of few events like the one above mentioned.
>
> I'm also checking the /var/ossec/logs/alerts/alerts.log after I made the
> entry in local_rules.xml and restarted OSSEC, but alerts.log still gives the
> rule number in the msauth_rules.xml and not the rule number on
> local_rules.xml,
>
> Please let me know if you need more info,
>
> Regards,
> Khoshal AR
>
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Monday, February 02, 2015 7:31 PM
> To: [email protected]
> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work
>
> On Mon, Feb 2, 2015 at 8:57 AM, Khoshal A R.
> <[email protected]> wrote:
>> Hi,
>>
>> Can you please help me in what I m doing wrong in modifying the severity of
>> the rules that I m trying in local_rules.xml.
>>
>> OS : Kali-Linux
>>
>> OSSEC version : 2.8.1
>>
>>
>>
>> Please find the local_rules.xml file entries below for the overwrite:
>>
>> Everything else works , but I need to change the severity of certain rules
>> for the meaningful alerts and fine tune the frequency they are executed.
>>
>> Appreciate your help.
>>
>
> Are all of these rules commented out in the local_rules.xml file as well?
> Did you restart the OSSEC processes after making the changes?
> Do you have log samples that can be tested with ossec-logtest?
>
>>
>>
>>
>>
>>
>>
>> <rule id="100102" level="12" overwrite="yes">
>>
>> <if_sid>18104</if_sid>
>>
>> <id>^513$|^4609$</id>
>>
>> <description>Windows is shutting down.</description>
>>
>> <group>system_shutdown,</group>
>>
>> </rule>
>>
>> -->
>>
>>
>>
>> <!--
>>
>> <rule id="100103" level="13" overwrite="yes">
>>
>> <if_sid>18103</if_sid>
>>
>> <id>^13570$</id>
>>
>> <description>Windows file system full.</description>
>>
>> <group>low_diskspace,</group>
>>
>> </rule>
>>
>> -->
>>
>>
>>
>> <!--
>>
>> <rule id="100104" level="12" overwrite="yes">
>>
>> <if_sid>18100,18103</if_sid>
>>
>> <status>^ERROR</status>
>>
>> <description>Windows error event.</description>
>>
>> <group>system_error,</group>
>>
>> </rule>
>>
>> -->
>>
>>
>>
>> <!--
>>
>> <rule id="100105" level="12" overwrite="yes">
>>
>> <if_sid>18100,18105</if_sid>
>>
>> <status>^AUDIT_FAILURE|^failure</status>
>>
>> <description>Windows audit failure event.</description>
>>
>> </rule>
>>
>> -->
>>
>>
>>
>> </group> <!-- SYSLOG,LOCAL -->
>>
>>
>>
>> Regards,
>>
>> Khoshal AR
>>
>> Sonata Software Limited
>>
>>
>>
>>
>>
>> Disclaimer: "The materials contained in this email and any attachments may
>> contain confidential or legally privileged information. The information
>> contained in this communication is intended solely for the use of the
>> individual or entity to whom it is addressed and others authorized to
>> receive it. If you are not the intended recipient you are hereby notified
>> that any disclosure, copying, distribution or taking any action in reliance
>> on the contents of this information is strictly prohibited and may be
>> unlawful. If you have received this communication in error, please notify us
>> immediately by responding to this email and then delete it from your system.
>> Sonata is neither liable for the proper and complete transmission of the
>> information contained in this communication nor for any delay in its
>> receipt"
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
> Disclaimer: "The materials contained in this email and any attachments may
> contain confidential or legally privileged information. The information
> contained in this communication is intended solely for the use of the
> individual or entity to whom it is addressed and others authorized to receive
> it. If you are not the intended recipient you are hereby notified that any
> disclosure, copying, distribution or taking any action in reliance on the
> contents of this information is strictly prohibited and may be unlawful. If
> you have received this communication in error, please notify us immediately
> by responding to this email and then delete it from your system. Sonata is
> neither liable for the proper and complete transmission of the information
> contained in this communication nor for any delay in its receipt"
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
Disclaimer: "The materials contained in this email and any attachments may
contain confidential or legally privileged information. The information
contained in this communication is intended solely for the use of the
individual or entity to whom it is addressed and others authorized to receive
it. If you are not the intended recipient you are hereby notified that any
disclosure, copying, distribution or taking any action in reliance on the
contents of this information is strictly prohibited and may be unlawful. If you
have received this communication in error, please notify us immediately by
responding to this email and then delete it from your system. Sonata is neither
liable for the proper and complete transmission of the information contained in
this communication nor for any delay in its receipt"
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
