On Mon, Feb 2, 2015 at 10:32 AM, Khoshal A R. <[email protected]> wrote:
> Hi,
> I appreciate your patience on this and thank you, I changed the level on
> msauth_rules.xml and the alerts are working fine, but I have one issue here,
> which is if I set the frequency and timeframe on the same file for the rule,
> OSSEC fails to start. All I'm trying to do is change both frequency and
> level of a rule and get OSSEC started.
>

Making changes in msauth_rules.xml is a bad idea. The changes you make
will be overwritten during an upgrade.

> Below is the change I made in msauth_rules.xml which makes OSSEC fail to
> start:
>
> <rule id="18105" level="12" frequency="3" timeframe="120">
> <if_sid>18100</if_sid>
> <status>^AUDIT_FAILURE|^failure</status>
> <description>Windows audit failure event.</description>
> </rule>
>

You want <if_matched> instead of <if_sid>. Running `ossec-logtest -t`
should provide you with the errors you're getting, or you can look in
the ossec.log.

> However, if I remove frequency="3" timeframe="120" and enter the below, it
> works fine:
>
> <rule id="18105" level="12">
> <if_sid>18100</if_sid>
> <status>^AUDIT_FAILURE|^failure</status>
> <description>Windows audit failure event.</description>
> </rule>
>
> Regards,
> Khoshal AR
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Monday, February 02, 2015 8:54 PM
> To: [email protected]
> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work
>
> On Mon, Feb 2, 2015 at 10:16 AM, dan (ddp) <[email protected]> wrote:
>> On Mon, Feb 2, 2015 at 10:12 AM, Khoshal A R.
>> <[email protected]> wrote:
>>> Hi,
>>>
>>> No please, I meant I ended up going to some blog online and I tried that
>>> solution, not on the OSSEC documentation, definitely not.
>>>
>>> Can you please help on noticing where I'm going wrong on the below
>>> configuration.
>>>
>>
>> Besides that I already pointed out? Try changing the level for the
>> rule that's being triggered, if that's your final goal.
>>
>
> If you're trying to modify the level of the alert that you posted, try this:
>
> <rule id="18138" level="12" overwrite="yes">
> <if_sid>18106</if_sid>
> <id>^539$|^4625$</id>
> <description>Logon Failure - Account locked out.</description>
> <group>win_authentication_failed,</group>
> </rule>
>
>>> Regards,
>>> Khoshal AR
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On
>>> Behalf Of dan (ddp)
>>> Sent: Monday, February 02, 2015 8:36 PM
>>> To: [email protected]
>>> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not work
>>>
>>> On Mon, Feb 2, 2015 at 9:59 AM, Khoshal A R.
>>> <[email protected]> wrote:
>>>> Hi,
>>>>
>>>> I tried without changing the rule_id, but somewhere in the online
>>>> docs I got this idea to use the new rule ID; however now, as you mentioned,
>>>> I've reverted back and to narrow the issue I'm pasting the config entry in
>>>> local_rules.xml and the corresponding output from
>>>> /var/ossec/logs/alerts/alerts.log
>>>>
>>>
>>> If you figure out what part of the documentation gave you that idea,
>>> let me know and I'll try to make it more clear.
>>>
>>>> This is the entry in local_rules.xml:
>>>>
>>>> <rule id="18106" level="13" overwrite="yes">
>>>> <if_sid>18105</if_sid>
>>>> <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
>>>> <description>Windows Logon Failure.</description>
>>>> <group>win_authentication_failed,</group>
>>>> </rule>
>>>>
>>>> Then I tried with an invalid password on one of our Windows agents and
>>>> here is the output from alerts.log:
>>>>
>>>> ** Alert 1422888616.112065949: - windows,win_authentication_failed,
>>>> 2015 Feb 02 14:50:16 (RZP_NA_PROD_RDP01) 10.0.0.6->WinEvtLog
>>>> Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
>>>
>>> The rule you modified is 18106, this log message triggers 18138. I
>>> don't see anything in 18138 that would be affected by the change in
>>> 18106. I'm not very confused as to what you're trying to do, because
>>> this doesn't really make much sense.
>>>
>>>> User: (no user)
>>>> 2015 Feb 02 09:50:05 WinEvtLog: Security: AUDIT_FAILURE(4625):
>>>> Microsoft-Windows-Security-Auditing: (no user): no domain: RZPPROD-RDP01:
>>>> An account failed to log on. Subject: Security ID: S-1-0-0 Account
>>>> Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For
>>>> Which Logon Failed: Security ID: S-1-0-0 Account Name: khoshalk
>>>> Account Domain: RZPPROD-RDP01 Failure Information: Failure Reason:
>>>> %%2313 Status: 0xc000006d Sub Status: 0xc0000064 Process
>>>> Information: Caller Process ID: 0x0 Caller Process Name: - Network
>>>> Information: Workstation Name: BG1NB189 Source Network Address: -
>>>> Source Port: - Detailed Authentication Information: Logon Process:
>>>> NtLmSsp Authentication Package: NTLM Transited Services: - Package
>>>> Name (NTLM only): - Key Length: 0 This event is generated when a logon
>>>> request fails. It is generated on the computer where access was attempted.
>>>>
>>>> Email alert level is set to 12 in ossec.conf and I've restarted OSSEC
>>>> after I added to the local_rules.xml.
>>>>
>>>> Can you please figure out where exactly I'm going wrong with this,
>>>>
>>>> Regards,
>>>> Khoshal AR
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On
>>>> Behalf Of dan (ddp)
>>>> Sent: Monday, February 02, 2015 8:03 PM
>>>> To: [email protected]
>>>> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not
>>>> work
>>>>
>>>> On Mon, Feb 2, 2015 at 9:24 AM, Khoshal A R.
>>>> <[email protected]> wrote:
>>>>> Hi,
>>>>> Thanks for the quick response.
>>>>>
>>>>> These entries are not commented in local_rules.xml, here is one sample
>>>>> rule I am trying to modify the severity of:
>>>>>
>>>>> <rule id="100111" level="13" overwrite="yes">
>>>>
>>>> I don't have a 100111, can you provide your original rule with id 100111?
>>>> Or, are you misunderstanding the overwrite option? You should use
>>>> overwrite when there is a rule in the *_rules.xml files that come with
>>>> OSSEC that you want to modify. If you are creating a new rule, you
>>>> should not be using the overwrite option.
>>>> For example, if you wanted to change the level of rule 18105, you could
>>>> use:
>>>>
>>>> <rule id="18105" level="12" overwrite="yes">
>>>> <if_sid>18100</if_sid>
>>>> <status>^AUDIT_FAILURE|^failure</status>
>>>> <description>Windows audit failure event.</description>
>>>> </rule>
>>>>
>>>> Notice how the "rule id" does not change, only the level and the
>>>> addition of the overwrite option.
>>>>
>>>>> <if_sid>18105,18106,18116</if_sid>
>>>>> <match>illegal user|invalid user</match>
>>>>> <description>Attempt to login using a non-existent user</description>
>>>>> <group>invalid_login,authentication_failed,</group>
>>>>> </rule>
>>>>>
>>>>> Also, I am restarting OSSEC after every little change in the config
>>>>> files. If I set the mail alert to less than 12 I get the alerts correctly,
>>>>> but as there are too many events I'm flooded with mails, hence I'm trying
>>>>> to increase the severity of a few events like the one mentioned above.
>>>>>
>>>>> I'm also checking the /var/ossec/logs/alerts/alerts.log after I made the
>>>>> entry in local_rules.xml and restarted OSSEC, but alerts.log still gives
>>>>> the rule number in the msauth_rules.xml and not the rule number in
>>>>> local_rules.xml.
>>>>>
>>>>> Please let me know if you need more info.
>>>>>
>>>>> Regards,
>>>>> Khoshal AR
>>>>>
>>>>> -----Original Message-----
>>>>> From: [email protected] [mailto:[email protected]] On
>>>>> Behalf Of dan (ddp)
>>>>> Sent: Monday, February 02, 2015 7:31 PM
>>>>> To: [email protected]
>>>>> Subject: Re: [ossec-list] overwrite rules from Local_rules.xml does not
>>>>> work
>>>>>
>>>>> On Mon, Feb 2, 2015 at 8:57 AM, Khoshal A R.
>>>>> <[email protected]> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Can you please help me with what I'm doing wrong in modifying the severity
>>>>>> of the rules that I'm trying in local_rules.xml.
>>>>>>
>>>>>> OS : Kali-Linux
>>>>>>
>>>>>> OSSEC version : 2.8.1
>>>>>>
>>>>>> Please find the local_rules.xml file entries below for the overwrite:
>>>>>>
>>>>>> Everything else works, but I need to change the severity of certain
>>>>>> rules for meaningful alerts and fine tune the frequency they are executed.
>>>>>>
>>>>>> Appreciate your help.
>>>>>>
>>>>>
>>>>> Are all of these rules commented out in the local_rules.xml file as well?
>>>>> Did you restart the OSSEC processes after making the changes?
>>>>> Do you have log samples that can be tested with ossec-logtest?
>>>>>
>>>>>> <rule id="100102" level="12" overwrite="yes">
>>>>>> <if_sid>18104</if_sid>
>>>>>> <id>^513$|^4609$</id>
>>>>>> <description>Windows is shutting down.</description>
>>>>>> <group>system_shutdown,</group>
>>>>>> </rule>
>>>>>> -->
>>>>>>
>>>>>> <!--
>>>>>> <rule id="100103" level="13" overwrite="yes">
>>>>>> <if_sid>18103</if_sid>
>>>>>> <id>^13570$</id>
>>>>>> <description>Windows file system full.</description>
>>>>>> <group>low_diskspace,</group>
>>>>>> </rule>
>>>>>> -->
>>>>>>
>>>>>> <!--
>>>>>> <rule id="100104" level="12" overwrite="yes">
>>>>>> <if_sid>18100,18103</if_sid>
>>>>>> <status>^ERROR</status>
>>>>>> <description>Windows error event.</description>
>>>>>> <group>system_error,</group>
>>>>>> </rule>
>>>>>> -->
>>>>>>
>>>>>> <!--
>>>>>> <rule id="100105" level="12" overwrite="yes">
>>>>>> <if_sid>18100,18105</if_sid>
>>>>>> <status>^AUDIT_FAILURE|^failure</status>
>>>>>> <description>Windows audit failure event.</description>
>>>>>> </rule>
>>>>>> -->
>>>>>>
>>>>>> </group> <!-- SYSLOG,LOCAL -->
>>>>>>
>>>>>> Regards,
>>>>>> Khoshal AR
>>>>>> Sonata Software Limited
>>>>>>
>>>>>> Disclaimer: "The materials contained in this email and any attachments
>>>>>> may contain confidential or legally privileged information. The
>>>>>> information contained in this communication is intended solely for the
>>>>>> use of the individual or entity to whom it is addressed and others
>>>>>> authorized to receive it. If you are not the intended recipient you are
>>>>>> hereby notified that any disclosure, copying, distribution or taking any
>>>>>> action in reliance on the contents of this information is strictly
>>>>>> prohibited and may be unlawful. If you have received this communication
>>>>>> in error, please notify us immediately by responding to this email and
>>>>>> then delete it from your system. Sonata is neither liable for the proper
>>>>>> and complete transmission of the information contained in this
>>>>>> communication nor for any delay in its receipt"
>>>>>>
>>>>>> --
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google Groups
>>>>>> "ossec-list" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>>>> email to [email protected].
>>>>>> For more options, visit https://groups.google.com/d/optout.
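The two fixes the thread converges on, written out as one local_rules.xml fragment (an added example, not code from the list or from the OSSEC project): a level change keeps the stock rule id with overwrite="yes", while counting with frequency/timeframe belongs in a new composite rule that uses `<if_matched_sid>` instead of `<if_sid>`. The group name and the local rule id 100100 are assumptions.

```xml
<group name="local,windows,">

  <!-- Change only the level of the stock rule: same id as in
       msauth_rules.xml plus overwrite="yes". Living here instead of in
       msauth_rules.xml means an upgrade does not undo the change. -->
  <rule id="18105" level="12" overwrite="yes">
    <if_sid>18100</if_sid>
    <status>^AUDIT_FAILURE|^failure</status>
    <description>Windows audit failure event.</description>
  </rule>

  <!-- frequency/timeframe make a composite rule, which counts earlier
       alerts via <if_matched_sid>; combined with <if_sid> the ruleset
       does not load. This is a new rule (id 100100 assumed free in the
       local range), so it carries no overwrite attribute. OSSEC fires a
       composite rule at frequency+2 matches, so "3" fires on the 5th
       audit failure within 120 seconds. -->
  <rule id="100100" level="12" frequency="3" timeframe="120">
    <if_matched_sid>18105</if_matched_sid>
    <description>Repeated Windows audit failures within 120 seconds.</description>
    <group>win_authentication_failed,</group>
  </rule>

</group>
```

After editing, `/var/ossec/bin/ossec-logtest -t` reports whether the ruleset still loads before a restart. Alerts from the overwritten rule keep reporting id 18105 in alerts.log; only the level changes, which matches what was observed earlier in the thread.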
