Hi, yes, a cdb list is what you need.
1. Create the list: /var/ossec/lists/allow_users.txt

$ cat allow_users
jesuslinares:
maxim:

2. Add the file to ossec.conf:

<ossec_config>
  <rules>
    <list>lists/allow_users</list>
  </rules>
</ossec_config>

3. Compile the list

$ /var/ossec/bin/ossec-makelists

4. Use in your rules:

<list field="user">lists/allow_users</list>

Example:

<decoder name="ExampleLogin">
  <program_name>LOGIN</program_name>
  <regex>user '(\S+)'</regex>
  <order>user</order>
</decoder>

<!--
Mar 3 12:15:24 LinMV LOGIN[1963]: Login: user 'jesuslinares' session ...
Mar 3 12:15:24 LinMV LOGIN[1963]: Login: user 'maxim' session ...
Mar 3 12:15:24 LinMV LOGIN[1963]: Login: user 'Homer' session ...
-->

<group name="example-list,">
  <rule id="100010" level="0">
    <decoded_as>ExampleLogin</decoded_as>
    <group>authentication_success</group>
    <description>LOGIN</description>
  </rule>

  <rule id="100011" level="5">
    <if_group>authentication_success</if_group>
    <description>Bad user</description>
  </rule>

  <rule id="100012" level="1">
    <if_sid>100011</if_sid>
    <list field="user">lists/allow_users</list>
    <description>Allow user</description>
  </rule>
</group>

Regards.
Jesus Linares.

On Thursday, March 3, 2016 at 12:50:06 PM UTC+1, dan (ddpbsd) wrote:
>
> On Mar 3, 2016 6:30 AM, "Maxim Surdu" <maxs...@gmail.com> wrote:
> >
> > is it a solution but can i create a list and a rule to read all my list from the file, or something like this because now i have 300 clients but it can be more and it will not work any more.
> >
> If that username is decoded into a user field, you might be able to create a cdb database and filter based on that.
> >
> > thanks for your responsiveness
> >
> > On Thursday, 3 March 2016, 12:13:36 UTC+2, dan (ddpbsd) wrote:
> >>
> >> On Mar 3, 2016 4:18 AM, "Maxim Surdu" <maxs...@gmail.com> wrote:
> >> >
> >> > Hi dear community,
> >> >
> >> > i install and configure about 10 agents, and of course i have a lot of users, a part of these users are ftp Clients
> >> >
> >> > in policy-rules.xml
> >> >
> >> > i have next rules
> >> >
> >> > <group name="policy_violation,">
> >> >   <rule id="17101" level="9">
> >> >     <if_group>authentication_success</if_group>
> >> >     <time>4 pm - 7 am</time>
> >> >     <description>Successful login during non-business hours.</description>
> >> >     <group>login_time,</group>
> >> >   </rule>
> >> >
> >> >   <rule id="17102" level="9">
> >> >     <if_group>authentication_success</if_group>
> >> >     <weekday>weekends</weekday>
> >> >     <description>Successful login during weekend.</description>
> >> >     <group>login_day,</group>
> >> >   </rule>
> >> >
> >> > OSSEC HIDS Notification.
> >> >
> >> > 2016 Mar 02 19:05:41
> >> >
> >> > Received From: (host.xxxxxx.xx) xxx.xxx.xxx.xxx->/var/log/messages
> >> >
> >> > Rule: 17101 fired (level 9) -> "Successful login during non-business hours."
> >> >
> >> > Portion of the log(s):
> >> >
> >> > Mar 2 21:05:38 host pure-ftpd: (?@xxx.xxx.xx.xxx) [INFO] transpor is now logged in
> >> >
> >> > --END OF NOTIFICATION
> >> >
> >> > transpor is username of my client
> >> >
> >> > and i add a rule to ignore alerts of these users because they are clients
> >> > in local_rules i create next rule to ignore "Successful login during non-business hours" and "Successful login during weekend" for FTP clients
> >> >
> >> > <group name="policy_violation_overwrite,">
> >> >   <rule id="17101" level="9" overwrite="yes">
> >> >     <if_group>authentication_success</if_group>
> >> >     <time>4 pm - 7 am</time>
> >> >     <description>Successful login during non-business hours.</description>
> >> >     <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,</group>
> >> >   </rule>
> >> >
> >> >   <rule id="17102" level="9" overwrite="yes">
> >> >     <if_group>authentication_success</if_group>
> >> >     <weekday>weekends</weekday>
> >> >     <description>Successful login during weekend.</description>
> >> >     <group>login_day,pci_dss_10.2.5,pci_dss_10.6.1,</group>
> >> >   </rule>
> >> >
> >> >   <rule id="100002" level="3">
> >> >     <if_sid>17101</if_sid>
> >> >     <match> transpor | client1 | client2 | client3 | ....... | client 50 </match>
> >> >     <description>Sesion open by Client</description>
> >> >   </rule>
> >> >
> >> >   <rule id="100003" level="3">
> >> >     <if_sid>17102</if_sid>
> >> >     <match> transpor | client1 | client2 | client3 | ....... | client 50 </match>
> >> >     <description>Sesion open by Client</description>
> >> >   </rule>
> >> >
> >> > because i have a lot of clients ossec gives me an error and does not start, how can i manage or edit this rule?
> >> >
> >>
> >> Have you tried to create multiple rules, each with only a portion of the client list?
> >>
> >> > i appreciate your help, and a lot of respect for developers and community!
--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
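A small simulation of the rule chain in Jesus Linares's reply, added here as an example and not part of the thread or of OSSEC itself: it parses the text form of the cdb list, applies the ExampleLogin decoder regex to constructed log lines, and reports which rule and level each line would end up with, so a malformed list entry or a missing username is caught before the list is compiled. The sample list and log lines are constructed; the rule and decoder details come from the reply above.

```python
import re

# Constructed sample standing in for /var/ossec/lists/allow_users before it is
# compiled with ossec-makelists: one "key:value" per line, the username is the key.
ALLOW_USERS_TXT = """jesuslinares:
maxim:
"""

# Constructed log lines shaped like the ones in the thread's decoder comment.
SAMPLE_LOGS = [
    "Mar  3 12:15:24 LinMV LOGIN[1963]: Login: user 'jesuslinares' session ...",
    "Mar  3 12:15:24 LinMV LOGIN[1963]: Login: user 'maxim' session ...",
    "Mar  3 12:15:24 LinMV LOGIN[1963]: Login: user 'Homer' session ...",
]

# The <regex> of the ExampleLogin decoder; group 1 becomes the "user" field.
DECODER_RE = re.compile(r"user '(\S+)'")


def parse_cdb_list(text):
    """Parse the text form of a cdb list into {key: value}; a line without a
    colon is malformed and raises ValueError instead of silently vanishing."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no entry
        if ":" not in line:
            raise ValueError(f"malformed cdb entry, expected key:value: {raw!r}")
        key, _, value = line.partition(":")
        entries[key.strip()] = value.strip()
    return entries


def evaluate(log_line, allow_users):
    """Return (rule_id, level, description) for one line, or None if undecoded.
    Mirrors the thread's chain: 100010 decodes the user (level 0, no alert),
    100011 fires as "Bad user" (level 5), and its child 100012 replaces that
    with "Allow user" (level 1) only when the decoded user is a list key."""
    m = DECODER_RE.search(log_line)
    if not m:
        return None  # not decoded as ExampleLogin, so 100010 never matches
    if m.group(1) in allow_users:
        return (100012, 1, "Allow user")
    return (100011, 5, "Bad user")


def run(logs=SAMPLE_LOGS, list_text=ALLOW_USERS_TXT):
    allow_users = parse_cdb_list(list_text)
    return [evaluate(line, allow_users) for line in logs]
```

Against a real installation the same check is done with /var/ossec/bin/ossec-logtest after ossec-makelists has compiled the list.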