I have one confusion... Ossec and snort are two different thing then why you are using both at the same time. kindly I need your explanation
*Thanks and Regards,* Zakira Inayat Ph.D student in University of Malaya, Malaysia On Sat, Mar 14, 2015 at 1:00 AM, dan (ddp) <[email protected]> wrote: > On Fri, Mar 13, 2015 at 12:56 PM, <[email protected]> wrote: > > thanks you for your answer, it helps me to better understand Ossec and to > > probably find my mistake: > > > > I changed > > <rule id="20101" level="8"> to <rule id="20101" level="4"> > > <rule id="20100" level="8"> to <rule id="20100" level="4"> > > and > > <rule id="120000" level="6"> to <rule id="120000" level="4"> > > > > so only the rule "120001" would be triggered, i make some smoke tests > and it > > seems fine. > > > > Thanks > > > > > > [root@localhost rules]# /var/ossec/bin/ossec-logtest -d 2>&1| grep > 120000 > > 2015/03/13 09:12:52 2 : rule:120000, level 6, timeout: 0 > > > > But what I don't understand is why it triggers an active-responce for any > > event, the rules should only trigger an active response if it match the > ID > > 3times from the same IP. > > > > > > I don't know what your AR configurations are, and if 120001 is firing > the log message is received 5+ times in 120 seconds. > > > > > Le vendredi 13 mars 2015 16:13:49 UTC+1, [email protected] a écrit : > >> > >> Hi all, > >> > >> I'm new on ossec (2.8), i'm having an issue when i try to monitor snort > >> logs, each time an event feed the alert.fast it triggers an active > responce > >> without checking the locales_rules.xml. what i see is that the rule > 20101, > >> please can you help to figure out what is wrong on my configuration: > >> > >> here is my configuration: > >> > >> 1: i'm using snort-fast logs > >> vi ossec.conf: > >> > >> <localfile> > >> <log_format>snort-fast</log_format> > >> <location>/var/log/snort/alert.fast</location> > >> </localfile> > >> > >> here is a sample of my snort logs: > >> 03/13-14:01:20.084987 [**] [1:999995:1] Wordpress Brute Force Login > [**] > >> [Classification: Web Application Attack] [Priority: 1] {TCP} > >> 54.86.64.206:37757 -> x.x.x.x:80 > >> > >> 2: here is my decoder: > >> > >> <decoder name="snort"> > >> <program_name>^snort</program_name> > >> </decoder> > >> > >> <decoder name="snort"> > >> <type>ids</type> > >> <prematch>^[**] [\d+:\d+:\d+] </prematch> > >> </decoder> > >> > >> <decoder name="snort2"> > >> <parent>snort</parent> > >> <type>ids</type> > >> <prematch>^[**] |^[\d+:\d+:\d+] </prematch> > >> <regex>^[**] [(\d+:\d+:\d+)] \.+ (\d+.\d+.\d+.\d+)\p*\d* -> </regex> > >> <regex>(\d+.\d+.\d+.\d+)|^[(\d+:\d+:\d+)] \.+ </regex> > >> <regex>(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)</regex> > >> <order>id,srcip,dstip</order> > >> <fts>name,id,srcip,dstip</fts> > >> </decoder> > >> > >> 3: Here is my ids_rules > >> > >> <rule id="20100" level="8"> > >> <category>ids</category> > >> <if_fts></if_fts> > >> <description>First time this IDS alert is generated.</description> > >> <group>fts,</group> > >> </rule> > >> > >> <rule id="20101" level="8"> > >> <category>ids</category> > >> <check_if_ignored>srcip, id</check_if_ignored> > >> <description>IDS event.</description> > >> </rule> > >> > >> 4: here is my local rules: > >> > >> <group name="local,ids,"> > >> > >> <rule id="120000" level="6"> > >> <if_sid>20101</if_sid> > >> <decoded_as>snort</decoded_as> > >> <id>1:999995</id> > >> <description>Watched snort ids</description> > >> </rule> > >> > >> <rule id="120001" frequency="3" level="10" timeframe="120"> > >> <if_matched_sid>120000</if_matched_sid> > >> <same_source_ip /> > >> <description>Worpdress brute force without > >> referer</description> > >> </rule> > >> </group> > >> > >> > >> 5: here what i see i the alert logs and that triggers an active > response: > >> > >> ** Alert 1426249910.12956: - ids, > >> 2015 Mar 13 05:31:50 localhost->/var/log/snort/alert.fast > >> Rule: 20101 (level 6) -> 'IDS event.' > >> Src IP: 54.86.64.206 > >> Dst IP: x.x.x.x > >> 03/13-14:01:19.754612 [**] [1:999995:1] Wordpress Brute Force Login > [**] > >> [Classification: Web Application Attack] [Priority: 1] {TCP} > >> 54.86.64.206:37557 -> x.x.x.x:80 > >> > >> I read the previous messages regarding snort but can't find why i'm > wrong, > >> > >> Thanks in advance for your help. > >> > >> > >> > >> > > -- > > > > --- > > You received this message because you are subscribed to the Google Groups > > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to [email protected]. > > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
