Hi,
yes, a cdb list is what you need.
1. Create the list: /var/ossec/lists/allow_users.txt
$ cat allow_users
jesuslinares:
maxim:
2. Add the file to ossec.conf:
<ossec_config>
<rules>
<list>lists/allow_users</list>
3. Compile the list
$ /var/ossec/bin/ossec-makelists
4. Use in your rules:
<list field="user">lists/allow_users</list>
Example:
<decoder name="ExampleLogin">
<program_name>LOGIN</program_name>
<regex>user '(\S+)'</regex>
<order>user</order>
</decoder>
<!--
Mar 3 12:15:24 LinMV LOGIN[1963]: Login: user 'jesuslinares' session ...
Mar 3 12:15:24 LinMV LOGIN[1963]: Login: user 'maxim' session ...
Mar 3 12:15:24 LinMV LOGIN[1963]: Login: user 'Homer' session ...
-->
<group name="example-list,">
<rule id="100010" level="0">
<decoded_as>ExampleLogin</decoded_as>
<group>authentication_success</group>
<description>LOGIN</description>
</rule>
<rule id="100011" level="5">
<if_group>authentication_success</if_group>
<description>Bad user</description>
</rule>
<rule id="100012" level="1">
<if_sid>100011</if_sid>
*<list field="user">lists/allow_users</list> <description>Allow
user</description>*
</rule>
</group>
Regards.
Jesus Linares.
On Thursday, March 3, 2016 at 12:50:06 PM UTC+1, dan (ddpbsd) wrote:
>
>
> On Mar 3, 2016 6:30 AM, "Maxim Surdu" <maxs...@gmail.com <javascript:>>
> wrote:
> >
> > is it a solution but can i create a list and a rule to read all my
> list from the file, or something like this because now i have 300 clinets
> but it can be more and it will not working more.
> >
>
> If that username isdecoded into a user field, you might be able to create
> a cdb database and filter based on that.
>
> > thanks for your responsiveness
> >
> > joi, 3 martie 2016, 12:13:36 UTC+2, dan (ddpbsd) a scris:
> >>
> >>
> >> On Mar 3, 2016 4:18 AM, "Maxim Surdu" <maxs...@gmail.com> wrote:
> >> >
> >> > Hi dear community,
> >> >
> >> > i install and configure about 10 agents, and of course i have a lot
> of users,a part of this users are ftp Clients
> >> >
> >> > in policy-rules.xml
> >> >
> >> > i have next rules
> >> >
> >> > <group name="policy_violation,">
> >> > <rule id="17101" level="9">
> >> > <if_group>authentication_success</if_group>
> >> > <time>4 pm - 7 am</time>
> >> > <description>Successful login during non-business
> hours.</description>
> >> > <group>login_time,</group>
> >> > </rule>
> >> >
> >> > <rule id="17102" level="9">
> >> > <if_group>authentication_success</if_group>
> >> > <weekday>weekends</weekday>
> >> > <description>Successful login during weekend.</description>
> >> > <group>login_day,</group>
> >> > </rule>
> >> >
> >> >
> >> >
> >> > OSSEC HIDS Notification.
> >> >
> >> > 2016 Mar 02 19:05:41
> >> >
> >> >
> >> >
> >> > Received From: (host.xxxxxx.xx) xxx.xxx.xxx.xxx->/var/log/messages
> >> >
> >> > Rule: 17101 fired (level 9) -> "Successful login during non-business
> hours."
> >> >
> >> > Portion of the log(s):
> >> >
> >> >
> >> >
> >> > Mar 2 21:05:38 host pure-ftpd: (?@xxx.xxx.xx.xxx) [INFO] transpor is
> now logged in
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > --END OF NOTIFICATION
> >> >
> >> >
> >> >
> >> >
> >> > transpor is username of my client
> >> >
> >> > and i add a rule to ignore alerts of this users because they are
> clients
> >> > in local_rules i create next rule to ignore "Successful login during
> non-business hours" and "Successful login during weekend" for FTP clinets
> >> >
> >> > <group name="policy_violation_overwrite,">
> >> > <rule id="17101" level="9" overwrite="yes">
> >> > <if_group>authentication_success</if_group>
> >> > <time>4 pm - 7 am</time>
> >> > <description>Successful login during non-business
> hours.</description>
> >> > <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,</group>
> >> > </rule>
> >> >
> >> > <rule id="17102" level="9" overwrite="yes">
> >> > <if_group>authentication_success</if_group>
> >> > <weekday>weekends</weekday>
> >> > <description>Successful login during weekend.</description>
> >> > <group>login_day,pci_dss_10.2.5,pci_dss_10.6.1,</group>
> >> > </rule>
> >> >
> >> >
> >> > <rule id="100002" level="3">
> >> > <if_sid>17101</if_sid>
> >> > <match> transpor | client1 | client2 | client3 | ....... |
> client 50 </match>
> >> > <description>Sesion open by Client</description>
> >> > </rule>
> >> >
> >> > <rule id="100003" level="3">
> >> > <if_sid>17102</if_sid>
> >> > <match> transpor | client1 | client2 | client3 | ....... |
> client 50 </match>
> >> > <description>Sesion open by Client</description>
> >> > </rule>
> >> >
> >> >
> >> > because i have a lot of clients ossec give me error and not started,
> how can manage or edit this rule ?
> >> >
> >>
> >> Have you tried to create multiple rules, each with only a portion of
> the client list?
> >>
> >> > i appreciate your help, and a lot of respect for developers and
> community!
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it,
> send an email to ossec-list+...@googlegroups.com.
> >>
> >> > For more options, visit https://groups.google.com/d/optout.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to ossec-list+...@googlegroups.com <javascript:>.
> > For more options, visit https://groups.google.com/d/optout.
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
