On Fri, Mar 13, 2015 at 12:56 PM, <[email protected]> wrote: > thanks you for your answer, it helps me to better understand Ossec and to > probably find my mistake: > > I changed > <rule id="20101" level="8"> to <rule id="20101" level="4"> > <rule id="20100" level="8"> to <rule id="20100" level="4"> > and > <rule id="120000" level="6"> to <rule id="120000" level="4"> > > so only the rule "120001" would be triggered, i make some smoke tests and it > seems fine. > > Thanks > > > [root@localhost rules]# /var/ossec/bin/ossec-logtest -d 2>&1| grep 120000 > 2015/03/13 09:12:52 2 : rule:120000, level 6, timeout: 0 > > But what I don't understand is why it triggers an active-responce for any > event, the rules should only trigger an active response if it match the ID > 3times from the same IP. > >
I don't know what your AR configurations are, and if 120001 is firing the log message is received 5+ times in 120 seconds. > > Le vendredi 13 mars 2015 16:13:49 UTC+1, [email protected] a écrit : >> >> Hi all, >> >> I'm new on ossec (2.8), i'm having an issue when i try to monitor snort >> logs, each time an event feed the alert.fast it triggers an active responce >> without checking the locales_rules.xml. what i see is that the rule 20101, >> please can you help to figure out what is wrong on my configuration: >> >> here is my configuration: >> >> 1: i'm using snort-fast logs >> vi ossec.conf: >> >> <localfile> >> <log_format>snort-fast</log_format> >> <location>/var/log/snort/alert.fast</location> >> </localfile> >> >> here is a sample of my snort logs: >> 03/13-14:01:20.084987 [**] [1:999995:1] Wordpress Brute Force Login [**] >> [Classification: Web Application Attack] [Priority: 1] {TCP} >> 54.86.64.206:37757 -> x.x.x.x:80 >> >> 2: here is my decoder: >> >> <decoder name="snort"> >> <program_name>^snort</program_name> >> </decoder> >> >> <decoder name="snort"> >> <type>ids</type> >> <prematch>^[**] [\d+:\d+:\d+] </prematch> >> </decoder> >> >> <decoder name="snort2"> >> <parent>snort</parent> >> <type>ids</type> >> <prematch>^[**] |^[\d+:\d+:\d+] </prematch> >> <regex>^[**] [(\d+:\d+:\d+)] \.+ (\d+.\d+.\d+.\d+)\p*\d* -> </regex> >> <regex>(\d+.\d+.\d+.\d+)|^[(\d+:\d+:\d+)] \.+ </regex> >> <regex>(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)</regex> >> <order>id,srcip,dstip</order> >> <fts>name,id,srcip,dstip</fts> >> </decoder> >> >> 3: Here is my ids_rules >> >> <rule id="20100" level="8"> >> <category>ids</category> >> <if_fts></if_fts> >> <description>First time this IDS alert is generated.</description> >> <group>fts,</group> >> </rule> >> >> <rule id="20101" level="8"> >> <category>ids</category> >> <check_if_ignored>srcip, id</check_if_ignored> >> <description>IDS event.</description> >> </rule> >> >> 4: here is my local rules: >> >> <group name="local,ids,"> >> >> <rule id="120000" level="6"> >> <if_sid>20101</if_sid> >> <decoded_as>snort</decoded_as> >> <id>1:999995</id> >> <description>Watched snort ids</description> >> </rule> >> >> <rule id="120001" frequency="3" level="10" timeframe="120"> >> <if_matched_sid>120000</if_matched_sid> >> <same_source_ip /> >> <description>Worpdress brute force without >> referer</description> >> </rule> >> </group> >> >> >> 5: here what i see i the alert logs and that triggers an active response: >> >> ** Alert 1426249910.12956: - ids, >> 2015 Mar 13 05:31:50 localhost->/var/log/snort/alert.fast >> Rule: 20101 (level 6) -> 'IDS event.' >> Src IP: 54.86.64.206 >> Dst IP: x.x.x.x >> 03/13-14:01:19.754612 [**] [1:999995:1] Wordpress Brute Force Login [**] >> [Classification: Web Application Attack] [Priority: 1] {TCP} >> 54.86.64.206:37557 -> x.x.x.x:80 >> >> I read the previous messages regarding snort but can't find why i'm wrong, >> >> Thanks in advance for your help. >> >> >> >> > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
