On Mon, Feb 2, 2015 at 10:16 AM, dan (ddp) <[email protected]> wrote:
> On Mon, Feb 2, 2015 at 10:12 AM, Khoshal A R.
> <[email protected]> wrote:
>> Hi,
>>
>> No Please, I meant I ended up going to some blog online and I tried that
>> solution, not on the OSSEC documentation, definitely not.
>>
>> Can you please help on noticing where I'm going wrong on the below
>> configuration.
>>
>
>
> Besides that I already pointed out? Try changing the level for the
> rule that's being triggered, if that's your final goal.
>
If you're trying to modify the level of the alert that you posted, try this:

<rule id="18138" level="12" overwrite="yes">
  <if_sid>18106</if_sid>
  <id>^539$|^4625$</id>
  <description>Logon Failure - Account locked out.</description>
  <group>win_authentication_failed,</group>
</rule>

>> Regards,
>> Khoshal AR
>>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of dan (ddp)
>> Sent: Monday, February 02, 2015 8:36 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work
>>
>> On Mon, Feb 2, 2015 at 9:59 AM, Khoshal A R.
>> <[email protected]> wrote:
>>> Hi,
>>>
>>> I tried without changing the rule_id, but somewhere in the online
>>> docs I got this idea to use the new rule ID, however now as you mentioned I
>>> have reverted back and, to narrow the issue, I'm pasting the config entry in
>>> local_rules.xml and the corresponding output from
>>> /var/ossec/logs/alerts/alerts.log
>>>
>>
>> If you figure out what part of the documentation gave you that idea,
>> let me know and I'll try to make it more clear.
>>
>>> This is the entry in local_rules.xml:
>>>
>>> <rule id="18106" level="13" overwrite="yes">
>>>   <if_sid>18105</if_sid>
>>>   <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
>>>   <description>Windows Logon Failure.</description>
>>>   <group>win_authentication_failed,</group>
>>> </rule>
>>>
>>> Then I tried with the invalid password to one of our windows agents and here
>>> is the output from alerts.log
>>>
>>> ** Alert 1422888616.112065949: - windows,win_authentication_failed,
>>> 2015 Feb 02 14:50:16 (RZP_NA_PROD_RDP01) 10.0.0.6->WinEvtLog
>>> Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
>>
>> The rule you modified is 18106, this log message triggers 18138. I
>> don't see anything in 18138 that would be affected by the change in
>> 18106.
>> I'm not very confused as to what you're trying to do, because
>> this doesn't really make much sense.
>>
>>> User: (no user)
>>> 2015 Feb 02 09:50:05 WinEvtLog: Security: AUDIT_FAILURE(4625):
>>> Microsoft-Windows-Security-Auditing: (no user): no domain: RZPPROD-RDP01:
>>> An account failed to log on. Subject: Security ID: S-1-0-0 Account Name:
>>> - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which
>>> Logon Failed: Security ID: S-1-0-0 Account Name: khoshalk Account
>>> Domain: RZPPROD-RDP01 Failure Information: Failure Reason: %%2313
>>> Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller
>>> Process ID: 0x0 Caller Process Name: - Network Information: Workstation
>>> Name: BG1NB189 Source Network Address: - Source Port: - Detailed
>>> Authentication Information: Logon Process: NtLmSsp Authentication
>>> Package: NTLM Transited Services: - Package Name (NTLM only): - Key
>>> Length: 0 This event is generated when a logon request fails. It is
>>> generated on the computer where access was attempted.
>>>
>>> Email alert level is set to 12 in ossec.conf and I've restarted OSSEC after
>>> I added to the local_rules.xml.
>>>
>>> Can you please figure out where exactly I'm going wrong with this,
>>>
>>> Regards,
>>> Khoshal AR
>>>
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On
>>> Behalf Of dan (ddp)
>>> Sent: Monday, February 02, 2015 8:03 PM
>>> To: [email protected]
>>> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work
>>>
>>> On Mon, Feb 2, 2015 at 9:24 AM, Khoshal A R.
>>> <[email protected]> wrote:
>>>> Hi,
>>>> Thanks for quick response.
>>>>
>>>> These entries are not commented in local_rules.xml, here is one sample
>>>> rule I am trying to modify the severity,
>>>>
>>>> <rule id="100111" level="13" overwrite="yes">
>>>
>>> I don't have a 100111, can you provide your original rule with id 100111?
>>> Or, are you misunderstanding the overwrite option?
>>> You should use
>>> overwrite when there is a rule in the *_rules.xml files that come with
>>> OSSEC that you want to modify. If you are creating a new rule, you
>>> should not be using the overwrite option.
>>> For example, if you wanted to change the level of rule 18105, you could use:
>>>
>>> <rule id="18105" level="12" overwrite="yes">
>>>   <if_sid>18100</if_sid>
>>>   <status>^AUDIT_FAILURE|^failure</status>
>>>   <description>Windows audit failure event.</description>
>>> </rule>
>>>
>>> Notice how the "rule id" does not change, only the level and the
>>> addition of the overwrite option.
>>>
>>>>   <if_sid>18105,18106,18116</if_sid>
>>>>   <match>illegal user|invalid user</match>
>>>>   <description>Attempt to login using a non-existent user</description>
>>>>   <group>invalid_login,authentication_failed,</group>
>>>> </rule>
>>>>
>>>> Also, I am restarting OSSEC after every little change in the config
>>>> files. If I set the mail alert to less than 12 I get the alerts correctly
>>>> but as there are too many events I'm flooded with mails hence I'm trying to
>>>> increase the severity of few events like the one above mentioned.
>>>>
>>>> I'm also checking the /var/ossec/logs/alerts/alerts.log after I made the
>>>> entry in local_rules.xml and restarted OSSEC, but alerts.log still gives
>>>> the rule number in the msauth_rules.xml and not the rule number on
>>>> local_rules.xml,
>>>>
>>>> Please let me know if you need more info,
>>>>
>>>> Regards,
>>>> Khoshal AR
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On
>>>> Behalf Of dan (ddp)
>>>> Sent: Monday, February 02, 2015 7:31 PM
>>>> To: [email protected]
>>>> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not
>>>> work
>>>>
>>>> On Mon, Feb 2, 2015 at 8:57 AM, Khoshal A R.
>>>> <[email protected]> wrote:
>>>>> Hi,
>>>>>
>>>>> Can you please help me in what I'm doing wrong in modifying the severity
>>>>> of the rules that I'm trying in local_rules.xml.
>>>>>
>>>>> OS : Kali-Linux
>>>>>
>>>>> OSSEC version : 2.8.1
>>>>>
>>>>> Please find the local_rules.xml file entries below for the overwrite:
>>>>>
>>>>> Everything else works, but I need to change the severity of certain rules
>>>>> for the meaningful alerts and fine tune the frequency they are executed.
>>>>>
>>>>> Appreciate your help.
>>>>>
>>>>
>>>> Are all of these rules commented out in the local_rules.xml file as well?
>>>> Did you restart the OSSEC processes after making the changes?
>>>> Do you have log samples that can be tested with ossec-logtest?
>>>>
>>>>>   <rule id="100102" level="12" overwrite="yes">
>>>>>     <if_sid>18104</if_sid>
>>>>>     <id>^513$|^4609$</id>
>>>>>     <description>Windows is shutting down.</description>
>>>>>     <group>system_shutdown,</group>
>>>>>   </rule>
>>>>>   -->
>>>>>
>>>>>   <!--
>>>>>   <rule id="100103" level="13" overwrite="yes">
>>>>>     <if_sid>18103</if_sid>
>>>>>     <id>^13570$</id>
>>>>>     <description>Windows file system full.</description>
>>>>>     <group>low_diskspace,</group>
>>>>>   </rule>
>>>>>   -->
>>>>>
>>>>>   <!--
>>>>>   <rule id="100104" level="12" overwrite="yes">
>>>>>     <if_sid>18100,18103</if_sid>
>>>>>     <status>^ERROR</status>
>>>>>     <description>Windows error event.</description>
>>>>>     <group>system_error,</group>
>>>>>   </rule>
>>>>>   -->
>>>>>
>>>>>   <!--
>>>>>   <rule id="100105" level="12" overwrite="yes">
>>>>>     <if_sid>18100,18105</if_sid>
>>>>>     <status>^AUDIT_FAILURE|^failure</status>
>>>>>     <description>Windows audit failure event.</description>
>>>>>   </rule>
>>>>>   -->
>>>>>
>>>>> </group> <!-- SYSLOG,LOCAL -->
>>>>>
>>>>> Regards,
>>>>>
>>>>> Khoshal AR
>>>>>
>>>>> Sonata Software Limited
>>>>>
>>>>> Disclaimer: "The materials contained in this email and any attachments may
>>>>> contain confidential or legally privileged information. The information
>>>>> contained in this communication is intended solely for the use of the
>>>>> individual or entity to whom it is addressed and others authorized to
>>>>> receive it. If you are not the intended recipient you are hereby notified
>>>>> that any disclosure, copying, distribution or taking any action in
>>>>> reliance on the contents of this information is strictly prohibited and
>>>>> may be unlawful. If you have received this communication in error, please
>>>>> notify us immediately by responding to this email and then delete it from
>>>>> your system. Sonata is neither liable for the proper and complete
>>>>> transmission of the information contained in this communication nor for
>>>>> any delay in its receipt"
>>>>>
>>>>> --
>>>>>
>>>>> ---
>>>>> You received this message because you are subscribed to the Google Groups
>>>>> "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>>> email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
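The point dan makes in this thread is that overwrite="yes" replaces the fields of the rule with the same id in place, and that the alert Khoshal posted was fired by rule 18138, a child of 18106 via <if_sid>, so raising 18106's level leaves the level of the alert that actually fires untouched. The script below is an added example written for this page, not code from the thread or from OSSEC itself: it is a simplified model of how OSSEC merges local_rules.xml into the shipped ruleset and walks the parent/child tree to pick the rule that fires. Its assumptions are labelled in the code: the BASE_RULES fragment is a constructed stand-in for the relevant part of msauth_rules.xml (18138 is level 7 as in the alert in the thread; the levels given for 18100, 18105 and 18106 are assumed), matching is reduced to the <status> and <id> fields, the rule regexes are evaluated with Python's re rather than OSSEC's own matcher, and the tree walk picks the first matching child at each level. The two override fragments are the entries from the thread (Khoshal's 18106 override and dan's 18138 suggestion).

```python
"""Added example, not OSSEC's own code: a simplified model of how OSSEC loads
rule files and picks the rule that fires for an event. BASE_RULES is a
constructed stand-in for part of msauth_rules.xml (18138 is level 7 as in the
alert in the thread; the levels of 18100/18105/18106 are assumed), and matching
is reduced to the <status> and <id> fields the Windows decoder provides."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

LOGON_FAILURE_IDS = "^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$"

BASE_RULES = """<group name="windows,">
  <rule id="18100" level="0"><description>Group of windows rules.</description></rule>
  <rule id="18105" level="4"><if_sid>18100</if_sid>
    <status>^AUDIT_FAILURE|^failure</status>
    <description>Windows audit failure event.</description></rule>
  <rule id="18106" level="5"><if_sid>18105</if_sid>
    <id>%s</id><description>Windows Logon Failure.</description></rule>
  <rule id="18138" level="7"><if_sid>18106</if_sid>
    <id>^539$|^4625$</id><description>Logon Failure - Account locked out.</description></rule>
</group>""" % LOGON_FAILURE_IDS

# Khoshal's local_rules.xml entry from the thread: raises the parent rule only.
OVERRIDE_18106 = """<group name="local,">
  <rule id="18106" level="13" overwrite="yes"><if_sid>18105</if_sid>
    <id>%s</id><description>Windows Logon Failure.</description></rule>
</group>""" % LOGON_FAILURE_IDS

# dan's suggestion from the thread: raise the rule that actually fires.
OVERRIDE_18138 = """<group name="local,">
  <rule id="18138" level="12" overwrite="yes"><if_sid>18106</if_sid>
    <id>^539$|^4625$</id><description>Logon Failure - Account locked out.</description></rule>
</group>"""

EVENT_4625 = {"status": "AUDIT_FAILURE", "id": "4625"}  # decoded fields of the thread's event
EMAIL_ALERT_LEVEL = 12  # email alert level from the thread's ossec.conf


@dataclass
class Rule:
    rid: str
    level: int
    parents: list        # ids listed in <if_sid>; empty for a root rule
    conditions: dict     # field name -> regex; only status and id are modelled
    description: str
    children: list = field(default_factory=list)


def parse_rules(xml_text):
    """Yield (Rule, overwrite flag) for each <rule> in a fragment, in file order."""
    for el in ET.fromstring(xml_text).iter("rule"):
        conds = {f: el.findtext(f) for f in ("status", "id") if el.findtext(f) is not None}
        parents = [p.strip() for p in (el.findtext("if_sid") or "").split(",") if p.strip()]
        yield (Rule(el.get("id"), int(el.get("level")), parents, conds,
                    el.findtext("description") or ""), el.get("overwrite") == "yes")


def load_rules(*fragments):
    """Merge fragments in load order (shipped rules first, local_rules.xml last).
    A duplicate id is accepted only with overwrite="yes", and overwriting replaces
    the rule's fields in place: children that reference it via <if_sid> still hang
    off it and keep their own levels."""
    rules = {}
    for fragment in fragments:
        for rule, overwrite in parse_rules(fragment):
            if rule.rid not in rules:
                rules[rule.rid] = rule
            elif not overwrite:
                raise ValueError("duplicate rule id %s without overwrite" % rule.rid)
            else:
                old = rules[rule.rid]
                old.level, old.parents = rule.level, rule.parents
                old.conditions, old.description = rule.conditions, rule.description
    for rule in rules.values():  # link the tree once every fragment is loaded
        for parent in rule.parents:
            if parent in rules:
                rules[parent].children.append(rule)
    return rules


def matches(rule, event):
    return all(re.search(rx, event.get(f, "")) for f, rx in rule.conditions.items())


def classify(rules, event):
    """Descend from a matching root into the first matching child at each level;
    the deepest match is the rule that fires (simplified OSSEC tree walk)."""
    def descend(rule):
        for child in rule.children:
            if matches(child, event):
                return descend(child)
        return rule
    for root in (r for r in rules.values() if not r.parents):
        if matches(root, event):
            return descend(root)
    return None


def fired(*local_fragments):
    """Return (rule id, level, emailed?) for the thread's 4625 event."""
    rule = classify(load_rules(BASE_RULES, *local_fragments), EVENT_4625)
    return rule.rid, rule.level, rule.level >= EMAIL_ALERT_LEVEL


if __name__ == "__main__":
    for label, frags in [("shipped rules only", ()), ("overwrite 18106 -> 13", (OVERRIDE_18106,)),
                         ("overwrite 18138 -> 12", (OVERRIDE_18138,))]:
        print("%-22s rule %s level %d emailed=%s" % ((label,) + fired(*frags)))
```

With the shipped rules alone the 4625 event ends at 18138 at level 7, below the email threshold of 12. Loading Khoshal's 18106 override changes 18106 to level 13 but the event still descends into 18138, which keeps level 7, so no mail is sent; loading dan's 18138 override is what lifts the fired rule to level 12. Against a real installation the same check is the one dan asks about in the thread: feed the log sample to ossec-logtest after restarting OSSEC and read which rule id and level it reports.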
