On Mon, Feb 2, 2015 at 10:12 AM, Khoshal A R. <[email protected]> wrote:
> Hi,
>
> No Please, I meant I ended up going to some blog online and I tried that
> solution, not on the OSSEC documentation, definitely not.
>
> Can you please help on noticing where I'm going wrong on the below
> configuration.
>
Besides that I already pointed out? Try changing the level for the rule
that's being triggered, if that's your final goal.

> Regards,
> Khoshal AR
>
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Monday, February 02, 2015 8:36 PM
> To: [email protected]
> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work
>
> On Mon, Feb 2, 2015 at 9:59 AM, Khoshal A R.
> <[email protected]> wrote:
>> Hi,
>>
>> I tried without changing the rule_id, but somewhere on the online
>> docs I got this idea to use the new rule ID, however now as you mentioned I've
>> reverted back and to narrow the issue I'm pasting the config entry in
>> local_rules.xml and the corresponding output from
>> /var/ossec/logs/alerts/alerts.log
>>
>
> If you figure out what part of the documentation gave you that idea,
> let me know and I'll try to make it more clear.
>
>> This is the entry in local_rules.xml:
>>
>> <rule id="18106" level="13" overwrite="yes">
>> <if_sid>18105</if_sid>
>> <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
>> <description>Windows Logon Failure.</description>
>> <group>win_authentication_failed,</group>
>> </rule>
>>
>> Then I tried with the invalid password to one of our windows agents and here
>> is the output from alerts.log
>>
>> ** Alert 1422888616.112065949: - windows,win_authentication_failed,
>> 2015 Feb 02 14:50:16 (RZP_NA_PROD_RDP01) 10.0.0.6->WinEvtLog
>> Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
>
> The rule you modified is 18106, this log message triggers 18138. I
> don't see anything in 18138 that would be affected by the change in
> 18106. I'm not very confused as to what you're trying to do, because
> this doesn't really make much sense.
>
>> User: (no user)
>> 2015 Feb 02 09:50:05 WinEvtLog: Security: AUDIT_FAILURE(4625):
>> Microsoft-Windows-Security-Auditing: (no user): no domain: RZPPROD-RDP01: An
>> account failed to log on. Subject: Security ID: S-1-0-0 Account Name: -
>> Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon
>> Failed: Security ID: S-1-0-0 Account Name: khoshalk Account Domain:
>> RZPPROD-RDP01 Failure Information: Failure Reason: %%2313 Status:
>> 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process
>> ID: 0x0 Caller Process Name: - Network Information: Workstation Name:
>> BG1NB189 Source Network Address: - Source Port: - Detailed
>> Authentication Information: Logon Process: NtLmSsp Authentication
>> Package: NTLM Transited Services: - Package Name (NTLM only): - Key
>> Length: 0 This event is generated when a logon request fails. It is
>> generated on the computer where access was attempted.
>>
>> Email alert level is set to 12 in ossec.conf and I've restarted OSSEC after
>> I added to the local_rules.xml.
>>
>> Can you please figure out where exactly I'm going wrong with this,
>>
>> Regards,
>> Khoshal AR
>>
>>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of dan (ddp)
>> Sent: Monday, February 02, 2015 8:03 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work
>>
>> On Mon, Feb 2, 2015 at 9:24 AM, Khoshal A R.
>> <[email protected]> wrote:
>>> Hi,
>>> Thanks for quick response.
>>>
>>> These entries are not commented in local_rules.xml, here is one sample rule
>>> I am trying to modify the severity,
>>>
>>> <rule id="100111" level="13" overwrite="yes">
>>
>> I don't have a 100111, can you provide your original rule with id 100111?
>> Or, are you misunderstanding the overwrite option? You should use
>> overwrite when there is a rule in the *_rules.xml files that come with
>> OSSEC that you want to modify. If you are creating a new rule, you
>> should not be using the overwrite option.
>> For example, if you wanted to change the level of rule 18105, you could use:
>>
>> <rule id="18105" level="12" overwrite="yes">
>> <if_sid>18100</if_sid>
>> <status>^AUDIT_FAILURE|^failure</status>
>> <description>Windows audit failure event.</description>
>> </rule>
>>
>> Notice how the "rule id" does not change, only the level and the
>> addition of the overwrite option.
>>
>>> <if_sid>18105,18106,18116</if_sid>
>>> <match>illegal user|invalid user</match>
>>> <description>Attempt to login using a non-existent user</description>
>>> <group>invalid_login,authentication_failed,</group>
>>> </rule>
>>>
>>> Also, I am restarting OSSEC after every little change in the config
>>> files. If I set the mail alert to less than 12 I get the alerts correctly
>>> but as there are too many events I'm flooded with mails hence I'm trying to
>>> increase the severity of few events like the one above mentioned.
>>>
>>> I'm also checking the /var/ossec/logs/alerts/alerts.log after I made the
>>> entry in local_rules.xml and restarted OSSEC, but alerts.log still gives
>>> the rule number in the msauth_rules.xml and not the rule number on
>>> local_rules.xml,
>>>
>>> Please let me know if you need more info,
>>>
>>> Regards,
>>> Khoshal AR
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On
>>> Behalf Of dan (ddp)
>>> Sent: Monday, February 02, 2015 7:31 PM
>>> To: [email protected]
>>> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work
>>>
>>> On Mon, Feb 2, 2015 at 8:57 AM, Khoshal A R.
>>> <[email protected]> wrote:
>>>> Hi,
>>>>
>>>> Can you please help me in what I'm doing wrong in modifying the severity of
>>>> the rules that I'm trying in local_rules.xml.
>>>>
>>>> OS: Kali-Linux
>>>>
>>>> OSSEC version: 2.8.1
>>>>
>>>> Please find the local_rules.xml file entries below for the overwrite:
>>>>
>>>> Everything else works, but I need to change the severity of certain rules
>>>> for the meaningful alerts and fine-tune the frequency they are executed.
>>>>
>>>> Appreciate your help.
>>>>
>>>
>>> Are all of these rules commented out in the local_rules.xml file as well?
>>> Did you restart the OSSEC processes after making the changes?
>>> Do you have log samples that can be tested with ossec-logtest?
>>>
>>>>
>>>> <rule id="100102" level="12" overwrite="yes">
>>>> <if_sid>18104</if_sid>
>>>> <id>^513$|^4609$</id>
>>>> <description>Windows is shutting down.</description>
>>>> <group>system_shutdown,</group>
>>>> </rule>
>>>> -->
>>>>
>>>> <!--
>>>> <rule id="100103" level="13" overwrite="yes">
>>>> <if_sid>18103</if_sid>
>>>> <id>^13570$</id>
>>>> <description>Windows file system full.</description>
>>>> <group>low_diskspace,</group>
>>>> </rule>
>>>> -->
>>>>
>>>> <!--
>>>> <rule id="100104" level="12" overwrite="yes">
>>>> <if_sid>18100,18103</if_sid>
>>>> <status>^ERROR</status>
>>>> <description>Windows error event.</description>
>>>> <group>system_error,</group>
>>>> </rule>
>>>> -->
>>>>
>>>> <!--
>>>> <rule id="100105" level="12" overwrite="yes">
>>>> <if_sid>18100,18105</if_sid>
>>>> <status>^AUDIT_FAILURE|^failure</status>
>>>> <description>Windows audit failure event.</description>
>>>> </rule>
>>>> -->
>>>>
>>>> </group> <!-- SYSLOG,LOCAL -->
>>>>
>>>> Regards,
>>>> Khoshal AR
>>>> Sonata Software Limited
>>>>
>>>> Disclaimer: "The materials contained in this email and any attachments may
>>>> contain confidential or legally privileged information.
>>>> The information
>>>> contained in this communication is intended solely for the use of the
>>>> individual or entity to whom it is addressed and others authorized to
>>>> receive it. If you are not the intended recipient you are hereby notified
>>>> that any disclosure, copying, distribution or taking any action in reliance
>>>> on the contents of this information is strictly prohibited and may be
>>>> unlawful. If you have received this communication in error, please notify
>>>> us immediately by responding to this email and then delete it from your
>>>> system. Sonata is neither liable for the proper and complete transmission
>>>> of the information contained in this communication nor for any delay in its
>>>> receipt"
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups
>>>> "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>> email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
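The two points dan makes in this thread (overwrite="yes" only changes a rule whose id already exists in a shipped *_rules.xml, and whether an alert is mailed depends on the rule that actually fired, 18138, not the one that was edited, 18106) as an added, runnable check. This is example code written for this page, not code from the list or from the OSSEC project. It assumes a trimmed, constructed stand-in for msauth_rules.xml containing only the ids named in the thread (18138 is level 7 as the quoted alert shows; the levels for 18105 and 18106 are assumed), feeds it the two local_rules.xml snippets Khoshal posted, and reads the alerts.log header he quoted. On a real install the stock rules would be parsed from /var/ossec/rules/ instead of the embedded string.

```python
"""Check OSSEC local_rules.xml overwrites against the shipped rules.

Added example, not code from the ossec-list thread or the OSSEC project.
"""
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for msauth_rules.xml: only ids named in the
# thread. 18138 is level 7 per the quoted alert; the other levels are assumed.
STOCK_RULES_XML = """
<group name="windows,">
  <rule id="18105" level="4"><if_sid>18100</if_sid><description>Windows audit failure event.</description></rule>
  <rule id="18106" level="5"><if_sid>18105</if_sid><description>Windows Logon Failure.</description></rule>
  <rule id="18138" level="7"><if_sid>18105</if_sid><description>Logon Failure - Account locked out.</description></rule>
</group>
"""

# The two local_rules.xml snippets posted in the thread, wrapped in a constructed file.
LOCAL_RULES_XML = """
<group name="local,syslog,">
  <rule id="18106" level="13" overwrite="yes">
    <if_sid>18105</if_sid>
    <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
    <description>Windows Logon Failure.</description>
    <group>win_authentication_failed,</group>
  </rule>
  <rule id="100111" level="13" overwrite="yes">
    <if_sid>18105,18106,18116</if_sid>
    <match>illegal user|invalid user</match>
    <description>Attempt to login using a non-existent user</description>
    <group>invalid_login,authentication_failed,</group>
  </rule>
</group>
"""

# Header of the alerts.log entry quoted in the thread.
ALERT_TEXT = """** Alert 1422888616.112065949: - windows,win_authentication_failed,
2015 Feb 02 14:50:16 (RZP_NA_PROD_RDP01) 10.0.0.6->WinEvtLog
Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
"""

ALERT_RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.MULTILINE)


def parse_rules(xml_text):
    """Return {rule_id: {"level": int, "overwrite": bool}} for every <rule>."""
    # OSSEC rule files may have several top-level <group>s: wrap in a synthetic root.
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    return {
        int(rule.get("id")): {
            "level": int(rule.get("level")),
            "overwrite": rule.get("overwrite", "no").lower() == "yes",
        }
        for rule in root.iter("rule")
    }


def check_overwrites(stock, local):
    """Flag local rules that set overwrite="yes" on an id no shipped rule has."""
    return [
        f'rule {rid}: overwrite="yes" but no shipped rule has id {rid}; '
        "drop overwrite for a new rule, or reuse the id of the rule being changed"
        for rid, rule in local.items()
        if rule["overwrite"] and rid not in stock
    ]


def effective_rules(stock, local):
    """Merge local rules over stock ones the way the thread describes overwrite."""
    merged = dict(stock)
    for rid, rule in local.items():
        if rule["overwrite"] and rid in stock:
            merged[rid] = rule          # same id + overwrite: the stock rule is replaced
        elif not rule["overwrite"] and rid not in stock:
            merged[rid] = rule          # ordinary new local rule
        # overwrite on an unknown id is reported by check_overwrites, not merged
    return merged


def explain_alert(alert_text, stock, local, email_alert_level):
    """Which rule fired, its effective level, and whether that level is mailed."""
    m = ALERT_RULE_RE.search(alert_text)
    if m is None:
        raise ValueError("no 'Rule: N (level L)' line found in alert text")
    fired, logged_level = int(m.group(1)), int(m.group(2))
    merged = effective_rules(stock, local)
    level = merged[fired]["level"] if fired in merged else logged_level
    return {
        "rule": fired,
        "level": level,
        # OSSEC mails an alert once its level reaches ossec.conf's email_alert_level
        "emails": level >= email_alert_level,
        "overwritten_ids": sorted(r for r, x in local.items() if x["overwrite"] and r in stock),
    }


if __name__ == "__main__":
    stock, local = parse_rules(STOCK_RULES_XML), parse_rules(LOCAL_RULES_XML)
    for problem in check_overwrites(stock, local):
        print("PROBLEM:", problem)
    info = explain_alert(ALERT_TEXT, stock, local, email_alert_level=12)
    print(f"alert from rule {info['rule']} at level {info['level']}; mailed: {info['emails']}; "
          f"local overwrites touch {info['overwritten_ids']}")
```

Run as-is it reports the 100111 overwrite as pointing at no shipped rule, and shows that the quoted alert came from 18138 at level 7, below the email_alert_level of 12, while the only effective local overwrite is 18106 at level 13. The two things to confirm on a real system before editing local_rules.xml are the same ones dan asks for: feed the log sample to ossec-logtest to see which rule id actually fires, and then overwrite that id.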
