Hi,
I appreciate your patience on this, and thank you. I changed the level in
msauth_rules.xml and the alerts are working fine, but I have one issue here:
if I set the frequency and timeframe in the same file for the rule, OSSEC
fails to start. All I'm trying to do is change both the frequency and the
level of a rule and get OSSEC started.
Below is the Change I made in msauth_rules.xml which makes OSSEC fail to start:
<rule id="18105" level="12" frequency="3" timeframe="120" >
<if_sid>18100</if_sid>
<status>^AUDIT_FAILURE|^failure</status>
<description>Windows audit failure event.</description>
</rule>
However, if I remove frequency="3" timeframe="120" and enter the below, it
works fine:
<rule id="18105" level="12">
<if_sid>18100</if_sid>
<status>^AUDIT_FAILURE|^failure</status>
<description>Windows audit failure event.</description>
</rule>
Regards,
Khoshal AR
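An added example, not code from the thread or from the OSSEC project: a small Python linter for OSSEC rule fragments that catches the two mistakes discussed in this thread. OSSEC's rule loader accepts frequency and timeframe only on composite rules (those using if_matched_sid, if_matched_group or if_matched_regex); a rule that carries them with only if_sid is rejected at load time, which is why the msauth_rules.xml edit above stops OSSEC from starting. The local rule id 100200 in the sample is an assumption.

```python
import xml.etree.ElementTree as ET

# Rule ids 100000-119999 are reserved for user-written rules; nothing OSSEC
# ships has such an id, so overwrite="yes" on one has nothing to overwrite.
LOCAL_ID_MIN, LOCAL_ID_MAX = 100000, 119999
# frequency/timeframe are only valid on composite rules, i.e. rules that use
# one of these tags; with only <if_sid> the loader rejects the rule.
COMPOSITE_TAGS = ("if_matched_sid", "if_matched_group", "if_matched_regex")

def lint_rules(xml_text):
    """Return [(rule_id, problem), ...] for an OSSEC rules XML fragment."""
    # Rule files are fragments with several <group> roots, so wrap them.
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    problems = []
    for rule in root.iter("rule"):
        rid = int(rule.get("id", "0"))
        has_threshold = "frequency" in rule.attrib or "timeframe" in rule.attrib
        is_composite = any(rule.find(t) is not None for t in COMPOSITE_TAGS)
        if has_threshold and not is_composite:
            problems.append((rid, "frequency/timeframe need if_matched_*"))
        if rule.get("overwrite") == "yes" and LOCAL_ID_MIN <= rid <= LOCAL_ID_MAX:
            problems.append((rid, "overwrite on a local id; use a plain new rule"))
    return problems

# Constructed sample: the edit from the thread that stops OSSEC starting.
BROKEN = """
<rule id="18105" level="12" frequency="3" timeframe="120">
  <if_sid>18100</if_sid>
  <status>^AUDIT_FAILURE|^failure</status>
  <description>Windows audit failure event.</description>
</rule>
"""

# Constructed sample of the intended behaviour: raise 18105 to level 12 via
# overwrite, and add a composite rule (assumed local id 100200, no overwrite)
# that fires when 18105 matches 3 times within 120 seconds.
FIXED = """
<rule id="18105" level="12" overwrite="yes">
  <if_sid>18100</if_sid>
  <status>^AUDIT_FAILURE|^failure</status>
  <description>Windows audit failure event.</description>
</rule>
<rule id="100200" level="12" frequency="3" timeframe="120">
  <if_matched_sid>18105</if_matched_sid>
  <description>Multiple Windows audit failures.</description>
</rule>
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_rules(text))
```

Run it over local_rules.xml before restarting; an empty list means neither of these two load-time mistakes is present.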
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of dan (ddp)
Sent: Monday, February 02, 2015 8:54 PM
To: [email protected]
Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work
On Mon, Feb 2, 2015 at 10:16 AM, dan (ddp) <[email protected]> wrote:
> On Mon, Feb 2, 2015 at 10:12 AM, Khoshal A R.
> <[email protected]> wrote:
>> Hi,
>>
>> No. Please, I meant I ended up going to some blog online and I tried that
>> solution, not on the OSSEC documentation, definitely not.
>>
>> Can you please help on noticing where I'm going wrong on the below
>> configuration.
>>
>
>
> Besides that I already pointed out? Try changing the level for the
> rule that's being triggered, if that's your final goal.
>
If you're trying to modify the level of the alert that you posted, try this:
<rule id="18138" level="12" overwrite="yes">
<if_sid>18106</if_sid>
<id>^539$|^4625$</id>
<description>Logon Failure - Account locked out.</description>
<group>win_authentication_failed,</group>
</rule>
>> Regards,
>> Khoshal AR
>>
>>
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of dan (ddp)
>> Sent: Monday, February 02, 2015 8:36 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work
>>
>> On Mon, Feb 2, 2015 at 9:59 AM, Khoshal A R.
>> <[email protected]> wrote:
>>> Hi,
>>>
>>> I tried without changing the rule_id, but somewhere in the online docs I
>>> got this idea to use the new rule ID. However, as you mentioned, I've now
>>> reverted back, and to narrow the issue I'm pasting the config entry in
>>> local_rules.xml and the corresponding output from
>>> /var/ossec/logs/alerts/alerts.log
>>>
>>
>> If you figure out what part of the documentation gave you that idea,
>> let me know and I'll try to make it more clear.
>>
>>> This is the entry in local_rules.xml:
>>>
>>> <rule id="18106" level="13" overwrite="yes">
>>> <if_sid>18105</if_sid>
>>> <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
>>> <description>Windows Logon Failure.</description>
>>> <group>win_authentication_failed,</group>
>>> </rule>
>>>
>>> Then I tried with the invalid password to one of our windows agent and here
>>> is the output from alerts.log
>>>
>>> ** Alert 1422888616.112065949: - windows,win_authentication_failed,
>>> 2015 Feb 02 14:50:16 (RZP_NA_PROD_RDP01) 10.0.0.6->WinEvtLog
>>> Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
>>
>> The rule you modified is 18106, this log message triggers 18138. I
>> don't see anything in 18138 that would be affected by the change in
>> 18106. I'm not very confused as to what you're trying to do, because
>> this doesn't really make much sense.
>>
>>> User: (no user)
>>> 2015 Feb 02 09:50:05 WinEvtLog: Security: AUDIT_FAILURE(4625):
>>> Microsoft-Windows-Security-Auditing: (no user): no domain: RZPPROD-RDP01:
>>> An account failed to log on. Subject: Security ID: S-1-0-0 Account Name:
>>> - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which
>>> Logon Failed: Security ID: S-1-0-0 Account Name: khoshalk Account
>>> Domain: RZPPROD-RDP01 Failure Information: Failure Reason: %%2313
>>> Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller
>>> Process ID: 0x0 Caller Process Name: - Network Information: Workstation
>>> Name: BG1NB189 Source Network Address: - Source Port: - Detailed
>>> Authentication Information: Logon Process: NtLmSsp Authentication
>>> Package: NTLM Transited Services: - Package Name (NTLM only): - Key
>>> Length: 0 This event is generated when a logon request fails. It is
>>> generated on the computer where access was attempted.
>>>
>>> Email alert level is set to 12 in ossec.conf and I've restarted OSSEC after
>>> I added this to local_rules.xml.
>>>
>>> Can you please figure out where exactly I'm going wrong with this?
>>>
>>> Regards,
>>> Khoshal AR
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On
>>> Behalf Of dan (ddp)
>>> Sent: Monday, February 02, 2015 8:03 PM
>>> To: [email protected]
>>> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work
>>>
>>> On Mon, Feb 2, 2015 at 9:24 AM, Khoshal A R.
>>> <[email protected]> wrote:
>>>> Hi,
>>>> Thanx for quick response.
>>>>
>>>> These entries are not commented out in local_rules.xml; here is one sample
>>>> rule whose severity I am trying to modify:
>>>>
>>>> <rule id="100111" level="13" overwrite="yes">
>>>
>>> I don't have a 100111, can you provide your original rule with id 100111?
>>> Or, are you misunderstanding the overwrite option? You should use
>>> overwrite when there is a rule in the *_rules.xml files that come with
>>> OSSEC that you want to modify. If you are creating a new rule, you
>>> should not be using the overwrite option.
>>> For example, if you wanted to change the level of rule 18105, you could use:
>>>
>>> <rule id="18105" level="12" overwrite="yes">
>>> <if_sid>18100</if_sid>
>>> <status>^AUDIT_FAILURE|^failure</status>
>>> <description>Windows audit failure event.</description>
>>> </rule>
>>>
>>> Notice how the "rule id" does not change, only the level and the
>>> addition of the overwrite option.
>>>
>>>> <if_sid>18105,18106,18116</if_sid>
>>>> <match>illegal user|invalid user</match>
>>>> <description>Attempt to login using a non-existent user</description>
>>>> <group>invalid_login,authentication_failed,</group>
>>>> </rule>
>>>>
>>>> Also, I am restarting OSSEC after every little change in the config
>>>> files. If I set the mail alert to less than 12 I get the alerts correctly,
>>>> but as there are too many events I'm flooded with mails, hence I'm trying
>>>> to increase the severity of a few events like the one mentioned above.
>>>>
>>>> I'm also checking /var/ossec/logs/alerts/alerts.log after I made the
>>>> entry in local_rules.xml and restarted OSSEC, but alerts.log still gives
>>>> the rule number from msauth_rules.xml and not the rule number from
>>>> local_rules.xml.
>>>>
>>>> Please let me know if you need more info,
>>>>
>>>> Regards,
>>>> Khoshal AR
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On
>>>> Behalf Of dan (ddp)
>>>> Sent: Monday, February 02, 2015 7:31 PM
>>>> To: [email protected]
>>>> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work
>>>>
>>>> On Mon, Feb 2, 2015 at 8:57 AM, Khoshal A R.
>>>> <[email protected]> wrote:
>>>>> Hi,
>>>>>
>>>>> Can you please help me with what I'm doing wrong in modifying the severity
>>>>> of the rules that I'm trying in local_rules.xml.
>>>>>
>>>>> OS : Kali-Linux
>>>>>
>>>>> OSSEC version : 2.8.1
>>>>>
>>>>>
>>>>>
>>>>> Please find the local_rules.xml file entries below for the overwrite:
>>>>>
>>>>> Everything else works, but I need to change the severity of certain rules
>>>>> for meaningful alerts and fine-tune the frequency with which they are executed.
>>>>>
>>>>> Appreciate your help.
>>>>>
>>>>
>>>> Are all of these rules commented out in the local_rules.xml file as well?
>>>> Did you restart the OSSEC processes after making the changes?
>>>> Do you have log samples that can be tested with ossec-logtest?
>>>>
>>>>>
>>>>> <rule id="100102" level="12" overwrite="yes">
>>>>> <if_sid>18104</if_sid>
>>>>> <id>^513$|^4609$</id>
>>>>> <description>Windows is shutting down.</description>
>>>>> <group>system_shutdown,</group>
>>>>> </rule>
>>>>> -->
>>>>>
>>>>> <!--
>>>>> <rule id="100103" level="13" overwrite="yes">
>>>>> <if_sid>18103</if_sid>
>>>>> <id>^13570$</id>
>>>>> <description>Windows file system full.</description>
>>>>> <group>low_diskspace,</group>
>>>>> </rule>
>>>>> -->
>>>>>
>>>>> <!--
>>>>> <rule id="100104" level="12" overwrite="yes">
>>>>> <if_sid>18100,18103</if_sid>
>>>>> <status>^ERROR</status>
>>>>> <description>Windows error event.</description>
>>>>> <group>system_error,</group>
>>>>> </rule>
>>>>> -->
>>>>>
>>>>> <!--
>>>>> <rule id="100105" level="12" overwrite="yes">
>>>>> <if_sid>18100,18105</if_sid>
>>>>> <status>^AUDIT_FAILURE|^failure</status>
>>>>> <description>Windows audit failure event.</description>
>>>>> </rule>
>>>>> -->
>>>>>
>>>>> </group> <!-- SYSLOG,LOCAL -->
>>>>>
>>>>> Regards,
>>>>> Khoshal AR
>>>>> Sonata Software Limited
>>>>>
>>>>> Disclaimer: "The materials contained in this email and any attachments may
>>>>> contain confidential or legally privileged information. The information
>>>>> contained in this communication is intended solely for the use of the
>>>>> individual or entity to whom it is addressed and others authorized to
>>>>> receive it. If you are not the intended recipient you are hereby notified
>>>>> that any disclosure, copying, distribution or taking any action in
>>>>> reliance
>>>>> on the contents of this information is strictly prohibited and may be
>>>>> unlawful. If you have received this communication in error, please notify
>>>>> us
>>>>> immediately by responding to this email and then delete it from your
>>>>> system.
>>>>> Sonata is neither liable for the proper and complete transmission of the
>>>>> information contained in this communication nor for any delay in its
>>>>> receipt"
>>>>>
>>>>> --
>>>>>
>>>>> ---
>>>>> You received this message because you are subscribed to the Google Groups
>>>>> "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>>> email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>