Hi all,
I'm new to OSSEC (2.8), and I'm having an issue when I try to monitor Snort
logs: each time an event feeds alert.fast it triggers an active response
without checking local_rules.xml. What I see is rule 20101.
Please can you help me figure out what is wrong in my configuration?
Here is my configuration:
1: I'm using snort-fast logs.
vi ossec.conf:
<localfile>
  <log_format>snort-fast</log_format>
  <location>/var/log/snort/alert.fast</location>
</localfile>
Here is a sample of my Snort logs:
03/13-14:01:20.084987 [**] [1:999995:1] Wordpress Brute Force Login [**]
[Classification: Web Application Attack] [Priority: 1] {TCP}
54.86.64.206:37757 -> x.x.x.x:80
2: Here is my decoder:
<decoder name="snort">
  <program_name>^snort</program_name>
</decoder>
<decoder name="snort">
  <type>ids</type>
  <prematch>^[**] [\d+:\d+:\d+] </prematch>
</decoder>
<decoder name="snort2">
  <parent>snort</parent>
  <type>ids</type>
  <prematch>^[**] |^[\d+:\d+:\d+] </prematch>
  <regex>^[**] [(\d+:\d+:\d+)] \.+ (\d+.\d+.\d+.\d+)\p*\d* -> </regex>
  <regex>(\d+.\d+.\d+.\d+)|^[(\d+:\d+:\d+)] \.+ </regex>
  <regex>(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)</regex>
  <order>id,srcip,dstip</order>
  <fts>name,id,srcip,dstip</fts>
</decoder>
3: Here are my ids_rules:
<rule id="20100" level="8">
  <category>ids</category>
  <if_fts></if_fts>
  <description>First time this IDS alert is generated.</description>
  <group>fts,</group>
</rule>
<rule id="20101" level="8">
  <category>ids</category>
  <check_if_ignored>srcip, id</check_if_ignored>
  <description>IDS event.</description>
</rule>
4: Here are my local rules:
<group name="local,ids,">
  <rule id="120000" level="6">
    <if_sid>20101</if_sid>
    <decoded_as>snort</decoded_as>
    <id>1:999995</id>
    <description>Watched snort ids</description>
  </rule>
  <rule id="120001" frequency="3" level="10" timeframe="120">
    <if_matched_sid>120000</if_matched_sid>
    <same_source_ip />
    <description>Wordpress brute force without referer</description>
  </rule>
</group>
5: Here is what I see in the alert logs, which triggers an active response:
** Alert 1426249910.12956: - ids,
2015 Mar 13 05:31:50 localhost->/var/log/snort/alert.fast
Rule: 20101 (level 6) -> 'IDS event.'
Src IP: 54.86.64.206
Dst IP: x.x.x.x
03/13-14:01:19.754612 [**] [1:999995:1] Wordpress Brute Force Login [**]
[Classification: Web Application Attack] [Priority: 1] {TCP}
54.86.64.206:37557 -> x.x.x.x:80
I read the previous messages regarding Snort but can't find why I'm wrong.
Thanks in advance for your help.
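An added example, not part of the original post and not OSSEC's own code: a small Python model of the chain described above (decoder extraction of id/srcip/dstip, then the 120000 id match and the 120001 frequency/timeframe correlation) run over constructed alert.fast lines. It assumes OSMatch's unanchored substring semantics for `<id>` and a simplified hit count for frequency/timeframe, and it does not model OSSEC's category, decoded_as or check_if_ignored checks; the destination addresses and sid 1:2000000 are made up.

```python
import re
from collections import defaultdict

# Python re equivalent of the snort2 decoder regex quoted in the post.
SNORT_FAST = re.compile(
    r"\[\*\*\] \[(?P<id>\d+:\d+:\d+)\] .+? "
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (?P<dstip>\d+\.\d+\.\d+\.\d+)"
)
WATCHED_ID = "1:999995"        # <id> of local rule 120000
FREQUENCY, TIMEFRAME = 3, 120  # rule 120001: frequency="3" timeframe="120"

# Constructed sample: (seconds offset, alert.fast line); sid 1:2000000 is a made-up, non-watched alert.
SAMPLE = [
    (0, "03/13-14:01:20.084987 [**] [1:999995:1] Wordpress Brute Force Login [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} 54.86.64.206:37757 -> 192.0.2.10:80"),
    (40, "03/13-14:02:00.000000 [**] [1:999995:1] Wordpress Brute Force Login [**] "
         "[Classification: Web Application Attack] [Priority: 1] {TCP} 54.86.64.206:37801 -> 192.0.2.10:80"),
    (80, "03/13-14:02:40.000000 [**] [1:999995:1] Wordpress Brute Force Login [**] "
         "[Classification: Web Application Attack] [Priority: 1] {TCP} 54.86.64.206:37850 -> 192.0.2.10:80"),
    (100, "03/13-14:03:00.000000 [**] [1:2000000:1] Some other alert [**] "
          "[Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:4444 -> 192.0.2.10:22"),
    (300, "03/13-14:06:20.000000 [**] [1:999995:1] Wordpress Brute Force Login [**] "
          "[Classification: Web Application Attack] [Priority: 1] {TCP} 54.86.64.206:38001 -> 192.0.2.10:80"),
]

def decode(line):
    """Extract id, srcip, dstip, the fields the snort2 decoder's <order> names."""
    m = SNORT_FAST.search(line)
    return m.groupdict() if m else None

def evaluate(events):
    """Return (rule_id, srcip) per line: 20101 for a generic IDS event, 120000 when the decoded id
    contains WATCHED_ID (substring match), 120001 when FREQUENCY hits from one srcip fall in TIMEFRAME."""
    fired, hits = [], defaultdict(list)  # hits: srcip -> offsets of 120000 hits still inside the window
    for ts, line in events:
        ev = decode(line)
        if ev is None:
            continue
        rule = 20101
        if WATCHED_ID in ev["id"]:
            rule = 120000
            window = [t for t in hits[ev["srcip"]] if ts - t <= TIMEFRAME] + [ts]
            hits[ev["srcip"]] = window
            if len(window) >= FREQUENCY:
                rule = 120001
        fired.append((rule, ev["srcip"]))
    return fired
if __name__ == "__main__":
    for (ts, line), (rule, src) in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"t+{ts:3d}s rule {rule} src {src} id {decode(line)['id']}")
```

Feeding the same lines to ossec-logtest shows what the real decoder and rule chain produce, which is the quickest way to compare against this model.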
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.