Hi All,
I have been doing some googling and I hope .. or at least I hoped that my
skillz would have been up for the task .. .however ... I am struggling to
get ossec to read my "custom" rules.
I have /var/ossec/etc/rules.d/local_rules.xml, which looks as follows:
cat /var/ossec/etc/rules.d/local_rules.xml
<group name="local,syslog,">
  <!-- OSSEC rule files wrap their rules in a <group> root element; a bare
       top-level <rule> is not accepted by the rule loader. -->
  <rule id="700006" level="10">
    <if_sid>18104,5501,5503,5504,40101,40112,10100</if_sid>
    <!-- OSSEC's documented time syntax (hh:mm - hh:mm) separates the two
         halves with an ASCII hyphen; the original line used an en dash. -->
    <time>7:00 pm - 7:00 am</time>
    <description>User logon outside business hours.</description>
    <group>policy_violation</group>
  </rule>
</group>
In /var/ossec/etc/ossec-server.conf
<include>local_rules.xml</include>
Which I was hoping would be able to fire off an alert if we have some
authentications happening between 7 and 7.
This is just a kind of mocked-up test ...
Should be straightforward right?
What have I been doing wrong? logtest seems to be able to read in my
local_rules.xml ... but as for applying or listing my custom rule ... no; no matter
how "many" rules I have, it still spits out the same number of rules.
Thanks!
However, these are the results from testing:
/var/ossec/bin/ossec-logtest -v
2015/04/22 21:55:38 ossec-testrule: INFO: Reading decoder file etc/local_decoder.xml.
2015/04/22 21:55:38 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2015/04/22 21:55:38 ossec-testrule: INFO: Started (pid: 11140).
ossec-testrule: Type one log per line.
Apr 22 21:25:02 <hostname> sshd[3141]: pam_unix(sshd:session): session opened for user root by (uid=0)
**Phase 1: Completed pre-decoding.
full event: 'Apr 22 21:25:02 <hostname> sshd[3141]: pam_unix(sshd:session): session opened for user root by (uid=0)'
hostname: '<hostname>'
program_name: 'sshd'
log: 'pam_unix(sshd:session): session opened for user root by (uid=0)'
**Phase 2: Completed decoding.
decoder: 'pam'
**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched.
*Trying child rules.
Trying rule: 5500 - Grouping of the pam_unix rules.
*Rule 5500 matched.
*Trying child rules.
Trying rule: 5552 - PAM and gdm are not playing nicely.
Trying rule: 5503 - User login failed.
Trying rule: 5504 - Attempt to login with an invalid user.
Trying rule: 5501 - Login session opened.
*Rule 5501 matched.
*Trying child rules.
Trying rule: 5521 - Ignoring Annoying Ubuntu/debian cron login events.
Trying rule: 40101 - System user successfully logged to the system.
Trying rule: 40112 - Multiple authentication failures followed by a success.
Trying rule: 10100 - First time user logged in.
**Phase 3: Completed filtering (rules).
Rule id: '5501'
Level: '3'
Description: 'Login session opened.'
**Alert to be generated.
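The overnight window in the <time> element is the part of this rule that is easiest to get wrong, so here is an added checker (not OSSEC's code and not from the original post) that parses an OSSEC-style time range and tests a syslog line such as the one fed to logtest against it. It assumes OSSEC's documented 'hh:mm - hh:mm' form with an ASCII hyphen between the halves and treats both ends of the range as inclusive; that inclusiveness is an assumption about OSSEC's exact matching, and the sample log lines are constructed.

```python
import re

# One side of an OSSEC <time> range: "7 pm", "7:00 pm", "19:00" or "8:30 am".
_CLOCK = re.compile(r"^\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)?\s*$", re.IGNORECASE)
# Syslog timestamp prefix as typed into logtest: "Apr 22 21:25:02 <hostname> ...".
_SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+(\d{2}):(\d{2}):\d{2}\s")

def parse_clock(text):
    """Convert '7:00 pm', '19:00' or '8:30 am' to minutes since midnight."""
    m = _CLOCK.match(text)
    if not m:
        raise ValueError("bad clock value: %r" % text)
    hour, minute, meridiem = int(m.group(1)), int(m.group(2) or 0), m.group(3)
    if meridiem:  # 12-hour clock: "12 am" is 0, "12 pm" is 12
        hour = hour % 12 + (12 if meridiem.lower() == "pm" else 0)
    if hour > 23 or minute > 59:
        raise ValueError("clock value out of range: %r" % text)
    return hour * 60 + minute

def parse_time_range(spec):
    """Split 'start - end' on the ASCII hyphen of OSSEC's 'hh:mm - hh:mm' syntax."""
    parts = spec.split("-")
    if len(parts) != 2:  # an en dash (as in the posted rule) leaves a single part
        raise ValueError("expected exactly one '-' in time range: %r" % spec)
    return parse_clock(parts[0]), parse_clock(parts[1])

def is_valid_time_range(spec):
    """True only if the <time> body parses under the rules above."""
    try:
        parse_time_range(spec)
        return True
    except ValueError:
        return False

def in_window(minutes, window):
    """A start later than the end wraps past midnight (assumed inclusive ends)."""
    start, end = window
    if start <= end:
        return start <= minutes <= end
    return minutes >= start or minutes <= end

def rule_time_matches(time_spec, log_line):
    m = _SYSLOG_TS.match(log_line)
    if not m:
        raise ValueError("no syslog timestamp at start of line")
    return in_window(int(m.group(1)) * 60 + int(m.group(2)), parse_time_range(time_spec))

# Constructed sample input: the line from the post, plus one during business hours.
NIGHT_LOGON = "Apr 22 21:25:02 <hostname> sshd[3141]: pam_unix(sshd:session): session opened for user root by (uid=0)"
DAY_LOGON = "Apr 22 10:15:03 <hostname> sshd[3142]: pam_unix(sshd:session): session opened for user alice by (uid=0)"
```

With the window '7:00 pm - 7:00 am' the 21:25 logon from the logtest run is inside the range and a 10:15 logon is not, so once the rule file loads, the sample line should reach rule 700006 rather than stopping at 5501.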