On Mon, Feb 2, 2015 at 10:47 AM, dan (ddp) <[email protected]> wrote:
> On Mon, Feb 2, 2015 at 10:32 AM, Khoshal A R.
> <[email protected]> wrote:
>> Hi,
>> I appreciate your patience on this and thank you. I changed the level on
>> msauth_rules.xml and the alerts are working fine, but I have one issue
>> here, which is: if I set the frequency and timeframe on the same file for the
>> rule, OSSEC fails to start. All I'm trying to do is change both frequency
>> and level of a rule and get OSSEC started.
>>
>
> Making changes in msauth_rules.xml is a bad idea. The changes you make
> will be overwritten during an upgrade.
>
>> Below is the change I made in msauth_rules.xml which makes OSSEC fail to
>> start:
>>
>> <rule id="18105" level="12" frequency="3" timeframe="120" >
>> <if_sid>18100</if_sid>
>> <status>^AUDIT_FAILURE|^failure</status>
>> <description>Windows audit failure event.</description>
>> </rule>
>>
>
> You want <if_matched> instead of <if_sid>. Running `ossec-logtest -t`
> should provide you with the errors you're getting, or you can look in
> the ossec.log.
>

OOPS, that should be if_matched_sid.

>> However, if I remove frequency="3" timeframe="120" and enter the below, it
>> works fine:
>>
>> <rule id="18105" level="12">
>> <if_sid>18100</if_sid>
>> <status>^AUDIT_FAILURE|^failure</status>
>> <description>Windows audit failure event.</description>
>> </rule>
>>
>> Regards,
>> Khoshal AR
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of dan (ddp)
>> Sent: Monday, February 02, 2015 8:54 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work
>>
>> On Mon, Feb 2, 2015 at 10:16 AM, dan (ddp) <[email protected]> wrote:
>>> On Mon, Feb 2, 2015 at 10:12 AM, Khoshal A R.
>>> <[email protected]> wrote:
>>>> Hi,
>>>>
>>>> No, please, I meant I ended up going to some blog online and I tried that
>>>> solution, not on the OSSEC documentation, definitely not.
>>>>
>>>> Can you please help on noticing where I'm going wrong on the below
>>>> configuration.
>>>>
>>>
>>> Besides that I already pointed out? Try changing the level for the
>>> rule that's being triggered, if that's your final goal.
>>>
>>
>> If you're trying to modify the level of the alert that you posted, try this:
>>
>> <rule id="18138" level="12" overwrite="yes">
>> <if_sid>18106</if_sid>
>> <id>^539$|^4625$</id>
>> <description>Logon Failure - Account locked out.</description>
>> <group>win_authentication_failed,</group>
>> </rule>
>>
>>>> Regards,
>>>> Khoshal AR
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On
>>>> Behalf Of dan (ddp)
>>>> Sent: Monday, February 02, 2015 8:36 PM
>>>> To: [email protected]
>>>> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not
>>>> work
>>>>
>>>> On Mon, Feb 2, 2015 at 9:59 AM, Khoshal A R.
>>>> <[email protected]> wrote:
>>>>> Hi,
>>>>>
>>>>> I tried without changing the rule_id, but somewhere on the online
>>>>> docs I got this idea to use the new rule ID; however, now as you mentioned
>>>>> I've reverted back, and to narrow the issue I'm pasting the config entry
>>>>> in local_rules.xml and the corresponding output from
>>>>> /var/ossec/logs/alerts/alerts.log
>>>>>
>>>>
>>>> If you figure out what part of the documentation gave you that idea,
>>>> let me know and I'll try to make it more clear.
>>>>
>>>>> This is the entry in local_rules.xml:
>>>>>
>>>>> <rule id="18106" level="13" overwrite="yes">
>>>>> <if_sid>18105</if_sid>
>>>>> <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
>>>>> <description>Windows Logon Failure.</description>
>>>>> <group>win_authentication_failed,</group>
>>>>> </rule>
>>>>>
>>>>> Then I tried with an invalid password on one of our Windows agents, and
>>>>> here is the output from alerts.log:
>>>>>
>>>>> ** Alert 1422888616.112065949: - windows,win_authentication_failed,
>>>>> 2015 Feb 02 14:50:16 (RZP_NA_PROD_RDP01) 10.0.0.6->WinEvtLog
>>>>> Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
>>>>
>>>> The rule you modified is 18106, this log message triggers 18138. I
>>>> don't see anything in 18138 that would be affected by the change in
>>>> 18106. I'm not very confused as to what you're trying to do, because
>>>> this doesn't really make much sense.
>>>>
>>>>> User: (no user)
>>>>> 2015 Feb 02 09:50:05 WinEvtLog: Security: AUDIT_FAILURE(4625):
>>>>> Microsoft-Windows-Security-Auditing: (no user): no domain: RZPPROD-RDP01:
>>>>> An account failed to log on. Subject: Security ID: S-1-0-0 Account
>>>>> Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account
>>>>> For Which Logon Failed: Security ID: S-1-0-0 Account Name: khoshalk
>>>>> Account Domain: RZPPROD-RDP01 Failure Information: Failure Reason:
>>>>> %%2313 Status: 0xc000006d Sub Status: 0xc0000064 Process
>>>>> Information: Caller Process ID: 0x0 Caller Process Name: - Network
>>>>> Information: Workstation Name: BG1NB189 Source Network Address: -
>>>>> Source Port: - Detailed Authentication Information: Logon Process:
>>>>> NtLmSsp Authentication Package: NTLM Transited Services: - Package
>>>>> Name (NTLM only): - Key Length: 0 This event is generated when a logon
>>>>> request fails. It is generated on the computer where access was attempted.
>>>>>
>>>>> Email alert level is set to 12 in ossec.conf and I've restarted OSSEC
>>>>> after I added to the local_rules.xml.
>>>>>
>>>>> Can you please figure out where exactly I'm going wrong with this,
>>>>>
>>>>> Regards,
>>>>> Khoshal AR
>>>>>
>>>>> -----Original Message-----
>>>>> From: [email protected] [mailto:[email protected]] On
>>>>> Behalf Of dan (ddp)
>>>>> Sent: Monday, February 02, 2015 8:03 PM
>>>>> To: [email protected]
>>>>> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not
>>>>> work
>>>>>
>>>>> On Mon, Feb 2, 2015 at 9:24 AM, Khoshal A R.
>>>>> <[email protected]> wrote:
>>>>>> Hi,
>>>>>> Thanks for the quick response.
>>>>>>
>>>>>> These entries are not commented in local_rules.xml; here is one sample
>>>>>> rule I am trying to modify the severity of:
>>>>>>
>>>>>> <rule id="100111" level="13" overwrite="yes">
>>>>>
>>>>> I don't have a 100111, can you provide your original rule with id 100111?
>>>>> Or, are you misunderstanding the overwrite option? You should use
>>>>> overwrite when there is a rule in the *_rules.xml files that come with
>>>>> OSSEC that you want to modify. If you are creating a new rule, you
>>>>> should not be using the overwrite option.
>>>>> For example, if you wanted to change the level of rule 18105, you could
>>>>> use:
>>>>>
>>>>> <rule id="18105" level="12" overwrite="yes">
>>>>> <if_sid>18100</if_sid>
>>>>> <status>^AUDIT_FAILURE|^failure</status>
>>>>> <description>Windows audit failure event.</description>
>>>>> </rule>
>>>>>
>>>>> Notice how the "rule id" does not change, only the level and the
>>>>> addition of the overwrite option.
>>>>>
>>>>>> <if_sid>18105,18106,18116</if_sid>
>>>>>> <match>illegal user|invalid user</match>
>>>>>> <description>Attempt to login using a non-existent user</description>
>>>>>> <group>invalid_login,authentication_failed,</group>
>>>>>> </rule>
>>>>>>
>>>>>> Also, I am restarting OSSEC after every little change in the config
>>>>>> files. If I set the mail alert to less than 12 I get the alerts correctly,
>>>>>> but as there are too many events I'm flooded with mails, hence I'm trying
>>>>>> to increase the severity of a few events like the one mentioned above.
>>>>>>
>>>>>> I'm also checking the /var/ossec/logs/alerts/alerts.log after I made the
>>>>>> entry in local_rules.xml and restarted OSSEC, but alerts.log still gives
>>>>>> the rule number in the msauth_rules.xml and not the rule number on
>>>>>> local_rules.xml.
>>>>>>
>>>>>> Please let me know if you need more info,
>>>>>>
>>>>>> Regards,
>>>>>> Khoshal AR
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: [email protected] [mailto:[email protected]]
>>>>>> On Behalf Of dan (ddp)
>>>>>> Sent: Monday, February 02, 2015 7:31 PM
>>>>>> To: [email protected]
>>>>>> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not
>>>>>> work
>>>>>>
>>>>>> On Mon, Feb 2, 2015 at 8:57 AM, Khoshal A R.
>>>>>> <[email protected]> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Can you please help me in what I'm doing wrong in modifying the
>>>>>>> severity of the rules that I'm trying in local_rules.xml.
>>>>>>>
>>>>>>> OS : Kali-Linux
>>>>>>>
>>>>>>> OSSEC version : 2.8.1
>>>>>>>
>>>>>>> Please find the local_rules.xml file entries below for the overwrite:
>>>>>>>
>>>>>>> Everything else works, but I need to change the severity of certain rules
>>>>>>> for the meaningful alerts and fine-tune the frequency they are executed.
>>>>>>>
>>>>>>> Appreciate your help.
>>>>>>>
>>>>>>
>>>>>> Are all of these rules commented out in the local_rules.xml file as well?
>>>>>> Did you restart the OSSEC processes after making the changes?
>>>>>> Do you have log samples that can be tested with ossec-logtest?
>>>>>>
>>>>>>> <rule id="100102" level="12" overwrite="yes">
>>>>>>> <if_sid>18104</if_sid>
>>>>>>> <id>^513$|^4609$</id>
>>>>>>> <description>Windows is shutting down.</description>
>>>>>>> <group>system_shutdown,</group>
>>>>>>> </rule>
>>>>>>> -->
>>>>>>>
>>>>>>> <!--
>>>>>>> <rule id="100103" level="13" overwrite="yes">
>>>>>>> <if_sid>18103</if_sid>
>>>>>>> <id>^13570$</id>
>>>>>>> <description>Windows file system full.</description>
>>>>>>> <group>low_diskspace,</group>
>>>>>>> </rule>
>>>>>>> -->
>>>>>>>
>>>>>>> <!--
>>>>>>> <rule id="100104" level="12" overwrite="yes">
>>>>>>> <if_sid>18100,18103</if_sid>
>>>>>>> <status>^ERROR</status>
>>>>>>> <description>Windows error event.</description>
>>>>>>> <group>system_error,</group>
>>>>>>> </rule>
>>>>>>> -->
>>>>>>>
>>>>>>> <!--
>>>>>>> <rule id="100105" level="12" overwrite="yes">
>>>>>>> <if_sid>18100,18105</if_sid>
>>>>>>> <status>^AUDIT_FAILURE|^failure</status>
>>>>>>> <description>Windows audit failure event.</description>
>>>>>>> </rule>
>>>>>>> -->
>>>>>>>
>>>>>>> </group>
>>>>>>> <!-- SYSLOG,LOCAL -->
>>>>>>>
>>>>>>> Regards,
>>>>>>> Khoshal AR
>>>>>>> Sonata Software Limited
>>>>>>>
>>>>>>> Disclaimer: "The materials contained in this email and any attachments
>>>>>>> may contain confidential or legally privileged information. The information
>>>>>>> contained in this communication is intended solely for the use of the
>>>>>>> individual or entity to whom it is addressed and others authorized to
>>>>>>> receive it. If you are not the intended recipient you are hereby notified
>>>>>>> that any disclosure, copying, distribution or taking any action in reliance
>>>>>>> on the contents of this information is strictly prohibited and may be
>>>>>>> unlawful. If you have received this communication in error, please notify us
>>>>>>> immediately by responding to this email and then delete it from your system.
>>>>>>> Sonata is neither liable for the proper and complete transmission of the
>>>>>>> information contained in this communication nor for any delay in its
>>>>>>> receipt"
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> ---
>>>>>>> You received this message because you are subscribed to the Google Groups
>>>>>>> "ossec-list" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>>>>> email to [email protected].
>>>>>>> For more options, visit https://groups.google.com/d/optout.
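Added example, not code from the thread or from the OSSEC project: a small Python lint pass over a local_rules.xml fragment that flags the two mistakes dan points out in the thread, a rule that sets frequency/timeframe while keying on <if_sid> rather than <if_matched_sid>, and overwrite="yes" on a brand-new local rule id instead of an existing stock id. The sample rules are the ones quoted in the thread plus one corrected composite rule; rule id 100200 is an assumed local id, and the 100000-119999 local id range and the if_matched_* tag names are OSSEC conventions, not values taken from the thread.

```python
# Added example (not from the thread or the OSSEC project): lint a
# local_rules.xml fragment for the two mistakes discussed in the thread.
# OSSEC's analysisd rejects a rule that sets frequency/timeframe but keys on
# <if_sid> instead of <if_matched_sid>, and "overwrite" only makes sense for a
# rule id that already exists in the stock *_rules.xml files.
import xml.etree.ElementTree as ET

# OSSEC reserves 100000-119999 for user-defined rules in local_rules.xml;
# stock rules (e.g. 18105, 18138 from msauth_rules.xml) sit below that range.
LOCAL_RULE_IDS = range(100000, 120000)

# Tags that make a rule a composite rule; frequency/timeframe only work
# together with one of these.
COMPOSITE_TAGS = ("if_matched_sid", "if_matched_group", "if_matched_regex")

# Constructed sample: the rules quoted in the thread, plus one corrected
# composite rule (id 100200 is an assumed local id, not from the thread).
SAMPLE_RULES = """
<group name="local,syslog,">
  <!-- from the thread: frequency/timeframe with if_sid makes OSSEC fail to start -->
  <rule id="18105" level="12" frequency="3" timeframe="120" overwrite="yes">
    <if_sid>18100</if_sid>
    <status>^AUDIT_FAILURE|^failure</status>
    <description>Windows audit failure event.</description>
  </rule>

  <!-- from the thread: overwrite="yes" on a brand-new local id -->
  <rule id="100111" level="13" overwrite="yes">
    <if_sid>18105,18106,18116</if_sid>
    <match>illegal user|invalid user</match>
    <description>Attempt to login using a non-existent user</description>
    <group>invalid_login,authentication_failed,</group>
  </rule>

  <!-- dan's suggestion: raise the level of the stock rule that actually fires -->
  <rule id="18138" level="12" overwrite="yes">
    <if_sid>18106</if_sid>
    <id>^539$|^4625$</id>
    <description>Logon Failure - Account locked out.</description>
    <group>win_authentication_failed,</group>
  </rule>

  <!-- corrected composite rule: three audit failures within 120 s -->
  <rule id="100200" level="12" frequency="3" timeframe="120">
    <if_matched_sid>18105</if_matched_sid>
    <description>Multiple Windows audit failures from the same source.</description>
    <group>win_authentication_failed,</group>
  </rule>
</group>
"""


def lint_rules(xml_text):
    """Return a list of (rule_id, problem) tuples for the given rules XML.

    A rules file may contain several top-level <group> elements, so the text
    is wrapped in a synthetic root element before parsing.
    """
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    findings = []
    for rule in root.iter("rule"):
        rule_id = int(rule.get("id"))
        wants_composite = (rule.get("frequency") is not None
                           or rule.get("timeframe") is not None)
        has_matched = any(child.tag in COMPOSITE_TAGS for child in rule)

        # Mistake 1: frequency/timeframe without an if_matched_* condition.
        if wants_composite and not has_matched:
            findings.append((rule_id,
                             "frequency/timeframe set but the rule keys on <if_sid>; "
                             "use <if_matched_sid> (or if_matched_group) instead"))

        # Mistake 2: overwrite on an id that no stock rules file defines.
        if rule.get("overwrite") == "yes" and rule_id in LOCAL_RULE_IDS:
            findings.append((rule_id,
                             'overwrite="yes" on a local rule id; overwrite only '
                             "applies to an existing stock rule id"))
    return findings


if __name__ == "__main__":
    for rule_id, problem in lint_rules(SAMPLE_RULES):
        print(f"rule {rule_id}: {problem}")
```

`ossec-logtest -t`, which dan mentions, remains the authoritative check, since it loads the rules with the same parser analysisd uses; this pass only catches the two patterns from the thread before a restart is attempted.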
