Rule file: syslog_rules.xml
Original rule:
<rule id="5401" level="10">
  <if_sid>5400</if_sid>
  <match>3 incorrect password attempts</match>
  <description>hmm Three failed attempts to run sudo</description>
</rule>
I am trying to overwrite this rule with a custom rule in local_rules.xml,
so that I don't need to re-update rules when OSSEC is re-installed.
Rule file: local_rules.xml
Attempt to overwrite the original rule with:
<rule id="5401" level="20" overwrite="yes" ignore="120">
  <if_sid>5400</if_sid>
  <match>3 incorrect password attempts</match>
  <description>hmm Three failed attempts to run sudo</description>
</rule>
It doesn't work; the rule gets fired at the original level 10.
While if I do:
<rule id="5401" level="20" overwrite="yes">
  <if_sid>5400</if_sid>
  <match>3 incorrect password attempts</match>
  <description>hmm Three failed attempts to run sudo</description>
</rule>
in this case the rule gets fired at level 20.
If I try:
<rule id="5401" level="5" overwrite="yes">
  <if_sid>5400</if_sid>
  <match>3 incorrect password attempts</match>
  <description>hmm Three failed attempts to run sudo</description>
</rule>
Again it doesn't work!
I also tried creating another rule so that I can also incorporate
frequency and timeframe to limit false positives generated by rule 5401. I want
to suppress the original rule 5401 without making any changes to
syslog_rules.xml, only adding/modifying content in local_rules.xml.
Let me know your views/suggestions.
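Added example, not from the original post: a composite rule in local_rules.xml that uses OSSEC's standard if_matched_sid/frequency/timeframe mechanism to raise a correlated alert when rule 5401 fires repeatedly. The local rule id 100001, the group name and the threshold values are assumptions.

```xml
<!-- local_rules.xml: added example, not the poster's configuration.
     Rule id 100001 and the frequency/timeframe values are assumed. -->
<group name="local,syslog,sudo,">
  <!-- Fires only after rule 5401 has matched 3 times within 120 seconds,
       so isolated sudo failures do not produce this higher-level alert. -->
  <rule id="100001" level="12" frequency="3" timeframe="120">
    <if_matched_sid>5401</if_matched_sid>
    <description>Repeated sudo failures: rule 5401 matched 3 times within 120 seconds</description>
  </rule>
</group>
```

This adds a separate correlated alert; it does not change the level at which rule 5401 itself fires, so the overwrite question above still stands.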