On Fri, Mar 13, 2015 at 11:09 AM, <[email protected]> wrote:
> Hi all,
>
> I'm new to OSSEC (2.8) and I'm having an issue when I try to monitor Snort
> logs: each time an event feeds alert.fast it triggers an active response
> without checking local_rules.xml. What I see is that the rule 20101,
> please can you help me figure out what is wrong in my configuration:
>
> here is my configuration:
>
> 1: i'm using snort-fast logs
> vi ossec.conf:
>
> <localfile>
> <log_format>snort-fast</log_format>
> <location>/var/log/snort/alert.fast</location>
> </localfile>
>
> here is a sample of my snort logs:
> 03/13-14:01:20.084987 [**] [1:999995:1] Wordpress Brute Force Login [**]
> [Classification: Web Application Attack] [Priority: 1] {TCP}
> 54.86.64.206:37757 -> x.x.x.x:80
>
> 2: here is my decoder:
>
> <decoder name="snort">
> <program_name>^snort</program_name>
> </decoder>
>
> <decoder name="snort">
> <type>ids</type>
> <prematch>^[**] [\d+:\d+:\d+] </prematch>
> </decoder>
>
> <decoder name="snort2">
> <parent>snort</parent>
> <type>ids</type>
> <prematch>^[**] |^[\d+:\d+:\d+] </prematch>
> <regex>^[**] [(\d+:\d+:\d+)] \.+ (\d+.\d+.\d+.\d+)\p*\d* -> </regex>
> <regex>(\d+.\d+.\d+.\d+)|^[(\d+:\d+:\d+)] \.+ </regex>
> <regex>(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)</regex>
> <order>id,srcip,dstip</order>
> <fts>name,id,srcip,dstip</fts>
> </decoder>
>
> 3: Here is my ids_rules
>
> <rule id="20100" level="8">
> <category>ids</category>
> <if_fts></if_fts>
> <description>First time this IDS alert is generated.</description>
> <group>fts,</group>
> </rule>
>
> <rule id="20101" level="8">
> <category>ids</category>
> <check_if_ignored>srcip, id</check_if_ignored>
> <description>IDS event.</description>
> </rule>
>
> 4: here is my local rules:
>
> <group name="local,ids,">
>
> <rule id="120000" level="6">
> <if_sid>20101</if_sid>
> <decoded_as>snort</decoded_as>
> <id>1:999995</id>
> <description>Watched snort ids</description>
> </rule>
>
> <rule id="120001" frequency="3" level="10" timeframe="120">
> <if_matched_sid>120000</if_matched_sid>
> <same_source_ip />
> <description>Wordpress brute force without referer</description>
> </rule>
> </group>
>
>
> 5: here is what I see in the alert logs and that triggers an active response:
>
> ** Alert 1426249910.12956: - ids,
> 2015 Mar 13 05:31:50 localhost->/var/log/snort/alert.fast
> Rule: 20101 (level 6) -> 'IDS event.'
> Src IP: 54.86.64.206
> Dst IP: x.x.x.x
> 03/13-14:01:19.754612 [**] [1:999995:1] Wordpress Brute Force Login [**]
> [Classification: Web Application Attack] [Priority: 1] {TCP}
> 54.86.64.206:37557 -> x.x.x.x:80
>
> I read the previous messages regarding snort but can't find why i'm wrong,
>
> Thanks in advance for your help.
>
I'm not seeing the same behaviour with ossec-logtest. Here's the output I get:
[root@localhost ddp]# /var/ossec/bin/ossec-logtest
2015/03/13 11:21:43 ossec-testrule: INFO: Reading local decoder file.
2015/03/13 11:21:43 ossec-testrule: INFO: Started (pid: 4085).
ossec-testrule: Type one log per line.
03/13-14:01:20.084987 [**] [1:999995:1] Wordpress Brute Force Login
[**] [Classification: Web Application Attack] [Priority: 1] {TCP}
54.86.64.206:37757 -> 10.10.10.10:80
**Phase 1: Completed pre-decoding.
full event: '03/13-14:01:20.084987 [**] [1:999995:1] Wordpress
Brute Force Login [**] [Classification: Web Application Attack]
[Priority: 1] {TCP} 54.86.64.206:37757 -> 10.10.10.10:80'
hostname: 'localhost'
program_name: '(null)'
log: '[**] [1:999995:1] Wordpress Brute Force Login [**]
[Classification: Web Application Attack] [Priority: 1] {TCP}
54.86.64.206:37757 -> 10.10.10.10:80'
**Phase 2: Completed decoding.
decoder: 'snort'
id: '1:999995:1'
srcip: '54.86.64.206'
dstip: '10.10.10.10'
**Phase 3: Completed filtering (rules).
Rule id: '20100'
Level: '8'
Description: 'First time this IDS alert is generated.'
**Alert to be generated.
03/13-14:01:20.084987 [**] [1:999995:1] Wordpress Brute Force Login
[**] [Classification: Web Application Attack] [Priority: 1] {TCP}
54.86.64.206:37757 -> 10.10.10.10:80
**Phase 1: Completed pre-decoding.
full event: '03/13-14:01:20.084987 [**] [1:999995:1] Wordpress
Brute Force Login [**] [Classification: Web Application Attack]
[Priority: 1] {TCP} 54.86.64.206:37757 -> 10.10.10.10:80'
hostname: 'localhost'
program_name: '(null)'
log: '[**] [1:999995:1] Wordpress Brute Force Login [**]
[Classification: Web Application Attack] [Priority: 1] {TCP}
54.86.64.206:37757 -> 10.10.10.10:80'
**Phase 2: Completed decoding.
decoder: 'snort'
id: '1:999995:1'
srcip: '54.86.64.206'
dstip: '10.10.10.10'
**Phase 3: Completed filtering (rules).
Rule id: '120000'
Level: '6'
Description: 'Watched snort ids'
**Alert to be generated.
Did you restart the OSSEC processes after adding your rules?
If you run `ossec-logtest -d` , do you see rule id 120000?
`[root@localhost ddp]# /var/ossec/bin/ossec-logtest -d 2>&1| grep 120000`
2015/03/13 11:26:47 2 : rule:120000, level 6, timeout: 0
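As an added illustration (not part of this thread and not OSSEC's own code), the following Python script models the rule chain in the quoted configuration: the snort-fast line is decoded into id/srcip/dstip, rule 20100 fires the first time a (decoder, id, srcip, dstip) combination is seen (which is why ossec-logtest shows 20100 on the first line and 120000 on the second), 20101 catches every other IDS event, 120000 narrows it to id 1:999995, and 120001 escalates once three 120000 matches from the same source fall within 120 seconds. The regex is a Python rewrite of the decoder's intent, the in-memory fts set and the "fires when the count reaches frequency" rule are simplifications, check_if_ignored on 20101 is not modelled, and the sample alert lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Python-syntax equivalent of what the quoted snort2 decoder extracts from a
# snort-fast alert line: rule id (gid:sid:rev), source IP and destination IP.
SNORT_FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(?P<id>\d+:\d+:\d+)\] "
    r".*?(?P<srcip>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (?P<dstip>\d+\.\d+\.\d+\.\d+)"
)


def decode(line, year=2015):
    """Return {ts, id, srcip, dstip} for a snort-fast line, or None if it does not match.
    snort-fast lines carry no year, so one is assumed (constructed default: 2015)."""
    m = SNORT_FAST.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "id": m["id"], "srcip": m["srcip"], "dstip": m["dstip"]}


class RuleEngine:
    """Toy model of rules 20100 -> 20101 -> 120000 -> 120001 from the thread.
    Levels are taken from the rule files quoted in the original message."""

    # <id>1:999995</id> is a pattern in OSSEC rules, so it matches the decoded
    # id '1:999995:1' by prefix; modelled here with re.search.
    WATCHED_ID = re.compile(r"1:999995")
    FREQUENCY, TIMEFRAME = 3, 120  # from rule 120001

    def __init__(self):
        self.fts_seen = set()            # <fts>name,id,srcip,dstip</fts>
        self.hits = defaultdict(list)    # srcip -> timestamps of 120000 matches

    def evaluate(self, ev):
        """Return (rule_id, level, description) for one decoded event."""
        key = ("snort", ev["id"], ev["srcip"], ev["dstip"])
        if key not in self.fts_seen:             # rule 20100: <if_fts/>
            self.fts_seen.add(key)
            return 20100, 8, "First time this IDS alert is generated."
        if not self.WATCHED_ID.search(ev["id"]):  # rule 20101: any other ids event
            return 20101, 8, "IDS event."
        # rule 120000 matched; keep only matches inside the 120001 timeframe
        window = [t for t in self.hits[ev["srcip"]]
                  if (ev["ts"] - t).total_seconds() <= self.TIMEFRAME]
        window.append(ev["ts"])
        self.hits[ev["srcip"]] = window
        if len(window) >= self.FREQUENCY:        # rule 120001: <same_source_ip/>
            return 120001, 10, "Wordpress brute force without referer"
        return 120000, 6, "Watched snort ids"


def run(lines):
    """Feed snort-fast lines through the model; return [(rule_id, level), ...]."""
    engine, out = RuleEngine(), []
    for line in lines:
        ev = decode(line)
        if ev is not None:
            rule_id, level, _ = engine.evaluate(ev)
            out.append((rule_id, level))
    return out


# Constructed sample, modelled on the thread's alert format (placeholder IPs).
SAMPLE_ALERTS = [
    "03/13-14:01:19.754612 [**] [1:999995:1] Wordpress Brute Force Login [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 54.86.64.206:37557 -> 10.10.10.10:80",
    "03/13-14:01:20.084987 [**] [1:999995:1] Wordpress Brute Force Login [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 54.86.64.206:37757 -> 10.10.10.10:80",
    "03/13-14:01:25.000000 [**] [1:999995:1] Wordpress Brute Force Login [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 54.86.64.206:37801 -> 10.10.10.10:80",
    "03/13-14:01:31.000000 [**] [1:999995:1] Wordpress Brute Force Login [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 54.86.64.206:37902 -> 10.10.10.10:80",
    "03/13-14:05:00.000000 [**] [1:1000001:1] Constructed test alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.7:51234 -> 10.10.10.10:80",
    "03/13-14:05:02.000000 [**] [1:1000001:1] Constructed test alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.7:51235 -> 10.10.10.10:80",
]

if __name__ == "__main__":
    for line, (rule_id, level) in zip(SAMPLE_ALERTS, run(SAMPLE_ALERTS)):
        print(f"rule {rule_id} (level {level}) <- {line[:60]}...")
```

Running it shows the first Wordpress line landing on 20100, the next two on 120000, the fourth on 120001 (level 10), and the unrelated constructed alert on 20100 and then 20101. Compare that against what `ossec-logtest` prints for the same lines: if the live daemon still reports 20101 instead of 120000, the rules it loaded are not the ones on disk, which is exactly the restart question raised above.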
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.