Hi dear community,
I installed and configured about 10 agents, and of course I have a lot of
users; some of these users are FTP clients.
In policy-rules.xml
I have the following rules:
<group name="policy_violation,">
  <rule id="17101" level="9">
    <if_group>authentication_success</if_group>
    <time>4 pm - 7 am</time>
    <description>Successful login during non-business hours.</description>
    <group>login_time,</group>
  </rule>
  <rule id="17102" level="9">
    <if_group>authentication_success</if_group>
    <weekday>weekends</weekday>
    <description>Successful login during weekend.</description>
    <group>login_day,</group>
  </rule>
</group>
OSSEC HIDS Notification.
2016 Mar 02 19:05:41
Received From: (host.xxxxxx.xx) xxx.xxx.xxx.xxx->/var/log/messages
Rule: 17101 fired (level 9) -> "Successful login during non-business hours."
Portion of the log(s):
Mar 2 21:05:38 host pure-ftpd: ([email protected]) [INFO] transpor is now logged in
--END OF NOTIFICATION
transpor is the username of my client,
and I added a rule to ignore alerts for these users because they are clients.
In local_rules I created the following rules to ignore "Successful login during
non-business hours" and "Successful login during weekend" for FTP clients:
<group name="policy_violation_overwrite,">
  <rule id="17101" level="9" overwrite="yes">
    <if_group>authentication_success</if_group>
    <time>4 pm - 7 am</time>
    <description>Successful login during non-business hours.</description>
    <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,</group>
  </rule>
  <rule id="17102" level="9" overwrite="yes">
    <if_group>authentication_success</if_group>
    <weekday>weekends</weekday>
    <description>Successful login during weekend.</description>
    <group>login_day,pci_dss_10.2.5,pci_dss_10.6.1,</group>
  </rule>
  <rule id="100002" level="3">
    <if_sid>17101</if_sid>
    <match> transpor | client1 | client2 | client3 | ....... | client50 </match>
    <description>Session opened by client</description>
  </rule>
  <rule id="100003" level="3">
    <if_sid>17102</if_sid>
    <match> transpor | client1 | client2 | client3 | ....... | client50 </match>
    <description>Session opened by client</description>
  </rule>
</group>
Because I have a lot of clients, OSSEC gives me an error and does not start. How
can I manage or edit this rule?
I appreciate your help, and a lot of respect for the developers and the community!
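As an added example (not part of the original post and not a rule shipped by the OSSEC project), the username list can be taken out of the rule and put into a CDB list, so the rule no longer carries a long `<match>` alternation that grows with every client. It assumes the stock pure-ftpd decoder fills the `user` field with the login name, that the list file lives at lists/ftp_clients under the OSSEC directory and is compiled with ossec-makelists, and it uses the made-up rule id 100002 and placeholder usernames:

```xml
<!-- 1. List file /var/ossec/lists/ftp_clients (path is an assumption), one
        "key:value" pair per line; the key is the login name, the value is
        free text. Placeholder names, not real accounts:
          transpor:ftp-client
          client1:ftp-client
          client2:ftp-client
        Compile it with: /var/ossec/bin/ossec-makelists                 -->

<!-- 2. ossec.conf: register the list inside the <rules> section -->
<ossec_config>
  <rules>
    <list>lists/ftp_clients</list>
  </rules>
</ossec_config>

<!-- 3. local_rules.xml: one child rule replaces both 100002 and 100003.
        It fires only for pure-ftpd logins whose decoded "user" is a key in
        the list, and drops the alert to level 3 (below the default
        email_alert_level of 7), so it is logged but not mailed.        -->
<group name="local,policy_violation,">
  <rule id="100002" level="3">
    <if_sid>17101,17102</if_sid>
    <program_name>pure-ftpd</program_name>
    <!-- assumption: the pure-ftpd decoder sets "user" to the login name -->
    <list field="user" lookup="match_key">lists/ftp_clients</list>
    <description>FTP login by a known client outside business hours.</description>
    <group>login_time,login_day,</group>
  </rule>
</group>
```

After changing the list, rerun ossec-makelists and restart OSSEC; a new client is then a one-line addition to the list rather than an edit to the rule. Feeding the pure-ftpd line from the notification into /var/ossec/bin/ossec-logtest shows whether the decoder really yields a `user` field and whether rule 100002 is the one that fires, which is the quickest way to confirm the assumption before relying on it.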