Thank you for your answer, it helps me to better understand OSSEC and probably to find my mistake:
I changed <rule id="20101" level="8"> to <rule id="20101" level="4">, <rule id="20100" level="8"> to <rule id="20100" level="4"> and <rule id="120000" level="6"> to <rule id="120000" level="4">, so only the rule "120001" would be triggered. I made some smoke tests and it seems fine. Thanks.

[root@localhost rules]# /var/ossec/bin/ossec-logtest -d 2>&1| grep 120000
2015/03/13 09:12:52 2 : rule:120000, level 6, timeout: 0

But what I don't understand is why it triggers an active response for any event; the rules should only trigger an active response if it matches the ID 3 times from the same IP.

On Friday, 13 March 2015 16:13:49 UTC+1, [email protected] wrote:
>
> Hi all,
>
> I'm new to ossec (2.8), I'm having an issue when I try to monitor snort
> logs: each time an event feeds the alert.fast it triggers an active response
> without checking the local_rules.xml. What I see is that the rule 20101,
> please can you help me to figure out what is wrong in my configuration:
>
> Here is my configuration:
>
> 1: I'm using snort-fast logs
> vi ossec.conf:
>
> <localfile>
> <log_format>snort-fast</log_format>
> <location>/var/log/snort/alert.fast</location>
> </localfile>
>
> Here is a sample of my snort logs:
> 03/13-14:01:20.084987 [**] [1:999995:1] Wordpress Brute Force Login [**]
> [Classification: Web Application Attack] [Priority: 1] {TCP}
> 54.86.64.206:37757 -> x.x.x.x:80
>
> 2: Here is my decoder:
>
> <decoder name="snort">
> <program_name>^snort</program_name>
> </decoder>
>
> <decoder name="snort">
> <type>ids</type>
> <prematch>^[**] [\d+:\d+:\d+] </prematch>
> </decoder>
>
> <decoder name="snort2">
> <parent>snort</parent>
> <type>ids</type>
> <prematch>^[**] |^[\d+:\d+:\d+] </prematch>
> <regex>^[**] [(\d+:\d+:\d+)] \.+ (\d+.\d+.\d+.\d+)\p*\d* -> </regex>
> <regex>(\d+.\d+.\d+.\d+)|^[(\d+:\d+:\d+)] \.+ </regex>
> <regex>(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)</regex>
> <order>id,srcip,dstip</order>
> <fts>name,id,srcip,dstip</fts>
> </decoder>
>
> 3: Here is my ids_rules:
>
> <rule id="20100" level="8">
> <category>ids</category>
> <if_fts></if_fts>
> <description>First time this IDS alert is generated.</description>
> <group>fts,</group>
> </rule>
>
> <rule id="20101" level="8">
> <category>ids</category>
> <check_if_ignored>srcip, id</check_if_ignored>
> <description>IDS event.</description>
> </rule>
>
> 4: Here are my local rules:
>
> <group name="local,ids,">
>
> <rule id="120000" level="6">
> <if_sid>20101</if_sid>
> <decoded_as>snort</decoded_as>
> <id>1:999995</id>
> <description>Watched snort ids</description>
> </rule>
>
> <rule id="120001" frequency="3" level="10" timeframe="120">
> <if_matched_sid>120000</if_matched_sid>
> <same_source_ip />
> <description>Wordpress brute force without
> referer</description>
> </rule>
> </group>
>
>
> 5: Here is what I see in the alert logs and that triggers an active response:
>
> ** Alert 1426249910.12956: - ids,
> 2015 Mar 13 05:31:50 localhost->/var/log/snort/alert.fast
> Rule: 20101 (level 6) -> 'IDS event.'
> Src IP: 54.86.64.206
> Dst IP: x.x.x.x
> 03/13-14:01:19.754612 [**] [1:999995:1] Wordpress Brute Force Login [**]
> [Classification: Web Application Attack] [Priority: 1] {TCP}
> 54.86.64.206:37557 -> x.x.x.x:80
>
> I read the previous messages regarding snort but can't find why I'm wrong.
>
> Thanks in advance for your help.
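To make the behaviour discussed in this thread concrete, here is an added Python model (not OSSEC code, and not from either poster): it decodes snort-fast lines shaped like the quoted sample, walks the chain 20101 -> 120000 -> 120001 with frequency="3", timeframe="120" and same_source_ip, and flags every alert whose level reaches the active-response threshold, assumed here to be the default <level>6</level> of the active-response block in ossec.conf. The frequency bookkeeping is a simplification of OSSEC's own, and the IPs and timestamps are constructed.

```python
import re
from collections import defaultdict, deque

# Python regex for the snort-fast lines quoted in the thread (not OSSEC <regex> syntax).
FAST = re.compile(r"\[\*\*\] \[(\d+:\d+):\d+\] .*? \{\w+\} "
                  r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):\d+")

def decode(line):
    """Mimics the decoder's <order>id,srcip,dstip</order>; id is gid:sid without rev."""
    m = FAST.search(line)
    return {"id": m.group(1), "srcip": m.group(2), "dstip": m.group(3)} if m else None

class Correlator:
    """Model of the chain 20101 -> 120000 -> 120001 plus the active-response threshold."""
    def __init__(self, levels, ar_level=6, watched="1:999995", freq=3, timeframe=120):
        self.levels = levels        # rule id -> level, the values the poster changed
        self.ar_level = ar_level    # <level> of the active-response block (assumed default 6)
        self.watched, self.freq, self.timeframe = watched, freq, timeframe
        self.hits = defaultdict(deque)   # srcip -> timestamps of rule 120000 matches

    def process(self, ts, line):
        d = decode(line)
        if d is None:
            return None
        rule = 20101                        # generic "IDS event."
        if d["id"] == self.watched:
            rule = 120000                   # <if_sid>20101</if_sid> + <id>1:999995</id>
            q = self.hits[d["srcip"]]       # <same_source_ip />
            q.append(ts)
            while ts - q[0] > self.timeframe:   # drop hits older than timeframe="120"
                q.popleft()
            if len(q) >= self.freq:         # frequency="3" reached: 120001 replaces 120000
                rule = 120001
                q.clear()
        level = self.levels[rule]
        return {"rule": rule, "level": level, "srcip": d["srcip"],
                "active_response": level >= self.ar_level}

# Constructed sample: three watched alerts from one IP inside 120 s, one unrelated alert.
def snort_line(gid_sid, src, dst="192.0.2.10"):
    return (f"03/13-14:01:20.084987 [**] [{gid_sid}:1] Wordpress Brute Force Login [**] "
            f"[Classification: Web Application Attack] [Priority: 1] {{TCP}} {src}:37757 -> {dst}:80")

EVENTS = [(0, snort_line("1:999995", "198.51.100.7")),
          (10, snort_line("1:2000001", "203.0.113.9")),
          (30, snort_line("1:999995", "198.51.100.7")),
          (60, snort_line("1:999995", "198.51.100.7"))]

def run(levels):
    """Returns [(rule, active_response)] for each event under the given rule levels."""
    c = Correlator(levels)
    return [(r["rule"], r["active_response"]) for r in (c.process(t, l) for t, l in EVENTS)]

if __name__ == "__main__":
    print("before:", run({20101: 8, 120000: 6, 120001: 10}))
    print("after: ", run({20101: 4, 120000: 4, 120001: 10}))
```

With the original levels every event fires an active response because 20101 and 120000 already sit at or above the threshold; after lowering them to 4, only the third matching hit from the same source, now reported as 120001, does.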
