On Mar 19, 2015 9:54 PM, "Zakirasafi" <[email protected]> wrote:
>
> I have one confusion... OSSEC and Snort are two different things, then why are you using both at the same time? Kindly, I need your explanation.
>

Perhaps to watch network traffic and system/application logs.

>
> Thanks and Regards,
> Zakira Inayat
> Ph.D student in University of Malaya, Malaysia
>
> On Sat, Mar 14, 2015 at 1:00 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Fri, Mar 13, 2015 at 12:56 PM, <[email protected]> wrote:
>> > Thank you for your answer, it helps me to better understand OSSEC and to
>> > probably find my mistake:
>> >
>> > I changed
>> > <rule id="20101" level="8"> to <rule id="20101" level="4">
>> > <rule id="20100" level="8"> to <rule id="20100" level="4">
>> > and
>> > <rule id="120000" level="6"> to <rule id="120000" level="4">
>> >
>> > so only the rule "120001" would be triggered. I made some smoke tests and it
>> > seems fine.
>> >
>> > Thanks
>> >
>> > [root@localhost rules]# /var/ossec/bin/ossec-logtest -d 2>&1 | grep 120000
>> > 2015/03/13 09:12:52 2 : rule:120000, level 6, timeout: 0
>> >
>> > But what I don't understand is why it triggers an active response for any
>> > event; the rules should only trigger an active response if it matches the ID
>> > 3 times from the same IP.
>> >
>>
>> I don't know what your AR configurations are, and if 120001 is firing
>> the log message is received 5+ times in 120 seconds.
>>
>> >
>> > On Friday, March 13, 2015 at 16:13:49 UTC+1, [email protected] wrote:
>> >>
>> >> Hi all,
>> >>
>> >> I'm new on OSSEC (2.8). I'm having an issue when I try to monitor Snort
>> >> logs: each time an event feeds the alert.fast it triggers an active response
>> >> without checking the local_rules.xml. What I see is that the rule 20101,
>> >> please can you help to figure out what is wrong in my configuration:
>> >>
>> >> Here is my configuration:
>> >>
>> >> 1: I'm using snort-fast logs
>> >>
>> >> vi ossec.conf:
>> >>
>> >>   <localfile>
>> >>     <log_format>snort-fast</log_format>
>> >>     <location>/var/log/snort/alert.fast</location>
>> >>   </localfile>
>> >>
>> >> Here is a sample of my Snort logs:
>> >>
>> >>   03/13-14:01:20.084987 [**] [1:999995:1] Wordpress Brute Force Login [**]
>> >>   [Classification: Web Application Attack] [Priority: 1] {TCP}
>> >>   54.86.64.206:37757 -> x.x.x.x:80
>> >>
>> >> 2: Here is my decoder:
>> >>
>> >>   <decoder name="snort">
>> >>     <program_name>^snort</program_name>
>> >>   </decoder>
>> >>
>> >>   <decoder name="snort">
>> >>     <type>ids</type>
>> >>     <prematch>^[**] [\d+:\d+:\d+] </prematch>
>> >>   </decoder>
>> >>
>> >>   <decoder name="snort2">
>> >>     <parent>snort</parent>
>> >>     <type>ids</type>
>> >>     <prematch>^[**] |^[\d+:\d+:\d+] </prematch>
>> >>     <regex>^[**] [(\d+:\d+:\d+)] \.+ (\d+.\d+.\d+.\d+)\p*\d* -> </regex>
>> >>     <regex>(\d+.\d+.\d+.\d+)|^[(\d+:\d+:\d+)] \.+ </regex>
>> >>     <regex>(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)</regex>
>> >>     <order>id,srcip,dstip</order>
>> >>     <fts>name,id,srcip,dstip</fts>
>> >>   </decoder>
>> >>
>> >> 3: Here is my ids_rules:
>> >>
>> >>   <rule id="20100" level="8">
>> >>     <category>ids</category>
>> >>     <if_fts></if_fts>
>> >>     <description>First time this IDS alert is generated.</description>
>> >>     <group>fts,</group>
>> >>   </rule>
>> >>
>> >>   <rule id="20101" level="8">
>> >>     <category>ids</category>
>> >>     <check_if_ignored>srcip, id</check_if_ignored>
>> >>     <description>IDS event.</description>
>> >>   </rule>
>> >>
>> >> 4: Here are my local rules:
>> >>
>> >>   <group name="local,ids,">
>> >>
>> >>     <rule id="120000" level="6">
>> >>       <if_sid>20101</if_sid>
>> >>       <decoded_as>snort</decoded_as>
>> >>       <id>1:999995</id>
>> >>       <description>Watched snort ids</description>
>> >>     </rule>
>> >>
>> >>     <rule id="120001" frequency="3" level="10" timeframe="120">
>> >>       <if_matched_sid>120000</if_matched_sid>
>> >>       <same_source_ip />
>> >>       <description>Wordpress brute force without referer</description>
>> >>     </rule>
>> >>
>> >>   </group>
>> >>
>> >> 5: Here is what I see in the alert logs, and that triggers an active response:
>> >>
>> >>   ** Alert 1426249910.12956: - ids,
>> >>   2015 Mar 13 05:31:50 localhost->/var/log/snort/alert.fast
>> >>   Rule: 20101 (level 6) -> 'IDS event.'
>> >>   Src IP: 54.86.64.206
>> >>   Dst IP: x.x.x.x
>> >>   03/13-14:01:19.754612 [**] [1:999995:1] Wordpress Brute Force Login [**]
>> >>   [Classification: Web Application Attack] [Priority: 1] {TCP}
>> >>   54.86.64.206:37557 -> x.x.x.x:80
>> >>
>> >> I read the previous messages regarding Snort but can't find why I'm wrong.
>> >>
>> >> Thanks in advance for your help.
>> >>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
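The rule chain the original poster wanted (decode a Snort fast alert into id/srcip/dstip, match one signature with rule 120000, escalate to rule 120001 only after `frequency` hits from the same source within `timeframe`, and let the active response key on the escalated level) can be modelled in a few dozen lines. The block below is an added example for this thread, not OSSEC's code and not anything posted above. It assumes a Python 3 interpreter, uses 192.0.2.10 in place of the redacted `x.x.x.x`, and the extra log lines (a second signature from 198.51.100.7 and a late hit after the window) are constructed. Firing exactly on the Nth match is this model's simplification; dan's reply above says OSSEC itself needs more messages than the `frequency` value before 120001 fires.

```python
"""Model of the OSSEC rule chain discussed in the thread: Snort alert_fast
line -> decoded event -> per-signature rule 120000 -> frequency/timeframe/
same_source_ip rule 120001.  Added example, not OSSEC code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One alert_fast line looks like (ports are optional, so ICMP lines decode too):
#   03/13-14:01:19.754612 [**] [1:999995:1] Msg [**] [Classification: ...] \
#   [Priority: 1] {TCP} 1.2.3.4:37557 -> 5.6.7.8:80
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} "
    r"(?P<srcip>[\d.]+)(?::(?P<srcport>\d+))? -> "
    r"(?P<dstip>[\d.]+)(?::(?P<dstport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Decode one alert_fast line into a dict, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # alert_fast carries no year; only the relative ordering matters here.
    ev["ts"] = datetime.strptime(ev["ts"], "%m/%d-%H:%M:%S.%f")
    ev["id"] = f"{ev['gid']}:{ev['sid']}"   # what <id>1:999995</id> selects on
    return ev


class SnortCorrelator:
    """Rule 120000: the watched signature (level 6).
    Rule 120001: 120000 seen `frequency` times within `timeframe` seconds
    from the same source IP (level 10).  Any other signature is reported as
    the generic ids rule 20101.  Firing on exactly the Nth hit is an
    assumption of this model, not OSSEC's own counting."""

    def __init__(self, watched_id="1:999995", frequency=3, timeframe=120):
        self.watched_id = watched_id
        self.frequency = frequency
        self.timeframe = timedelta(seconds=timeframe)
        self.hits = defaultdict(deque)   # srcip -> timestamps of 120000 matches

    def feed(self, line):
        """Return the list of (rule_id, level, srcip) raised by one line."""
        ev = parse_fast_alert(line)
        if ev is None:
            return []
        if ev["id"] != self.watched_id:
            return [(20101, 6, ev["srcip"])]
        alerts = [(120000, 6, ev["srcip"])]
        window = self.hits[ev["srcip"]]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > self.timeframe:
            window.popleft()              # drop hits older than the timeframe
        if len(window) >= self.frequency:
            alerts.append((120001, 10, ev["srcip"]))
            window.clear()                # the next burst starts from zero
        return alerts


def analyze(text, ar_level=10):
    """Run every line through the correlator.  Returns (rule ids raised per
    line, source IPs an active response bound to level >= ar_level would hit)."""
    corr = SnortCorrelator()
    per_line, ar_targets = [], []
    for line in text.splitlines():
        alerts = corr.feed(line)
        per_line.append([rule for rule, _, _ in alerts])
        ar_targets += [ip for rule, level, ip in alerts if level >= ar_level]
    return per_line, ar_targets


# Constructed sample: the thread's signature and source IP, one unrelated
# (made-up) signature from another host, and a late hit after the window.
SAMPLE = """\
03/13-14:01:19.754612 [**] [1:999995:1] Wordpress Brute Force Login [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 54.86.64.206:37557 -> 192.0.2.10:80
03/13-14:01:20.084987 [**] [1:999995:1] Wordpress Brute Force Login [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 54.86.64.206:37757 -> 192.0.2.10:80
03/13-14:01:21.100000 [**] [1:1000001:1] Constructed SSH scan signature [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40022 -> 192.0.2.10:22
03/13-14:01:25.500000 [**] [1:999995:1] Wordpress Brute Force Login [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 54.86.64.206:37801 -> 192.0.2.10:80
03/13-14:05:30.000000 [**] [1:999995:1] Wordpress Brute Force Login [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 54.86.64.206:38002 -> 192.0.2.10:80
"""

if __name__ == "__main__":
    rules, targets = analyze(SAMPLE)
    for line, raised in zip(SAMPLE.splitlines(), rules):
        print(raised, line[:48])
    print("active response would act on:", targets)
```

Only the fourth line (the third watched hit from 54.86.64.206 inside 120 s) reaches level 10, so an active response bound to `<level>10</level>` acts once, on that source; the generic 20101 match and the lone hit four minutes later stay at level 6. If the real setup responds on every event, the place to look is the `<active-response>` block's `<level>` or `<rules_id>` binding, which is what dan's reply asks about.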
