Hi Jiri,
also you can run the command "/var/ossec/bin/agent_control -lc" to get the
connected agents. Keep in mind that in order to know if an agent is
connected, disconnected or never connected, OSSEC reads the modification
date of the files in /var/ossec/queue/agent-info/*:
- if there is no file for the agent, the status is never connected
- if the modification time of the file is less than a defined timeout,
the status is active. If it is greater than the timeout, the status is disconnected.
The timeout is 3*NOTIFY_TIME+30; NOTIFY_TIME by default is 600 seconds.
Regarding the rules to detect DDOS attacks, you could create something like
this:
local_rules.xml:
<group name="attack,">
  <rule id="200000" level="15" timeframe="300" frequency="3">
    <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
    <same_source_ip />
    <description>Attacks from same source IP</description>
  </rule>
</group>
You are saying: if one of these groups (attack, attacks or
automatic_attack) has matched in the last 300 seconds more than 5 times
(frequency + 2) and the events come from the same IP, it could be a DDoS
attack. You can play with the variables (timeframe and frequency) or create
new rules with a specific group and append it to the rule.
Regards.
Jesus Linares.
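The agent-status logic described above (never connected / active / disconnected from the mtime of the queue/agent-info file, with a timeout of 3*NOTIFY_TIME+30), as an added example that is not part of the original post or of OSSEC itself. The directory, agent file names and file ages are constructed in a temp dir so it runs offline; point agent_status() at /var/ossec/queue/agent-info on a real server.

```python
import os
import tempfile
import time
from pathlib import Path

NOTIFY_TIME = 600  # OSSEC default keep-alive interval, in seconds


def agent_timeout(notify_time=NOTIFY_TIME):
    """Seconds after which an agent counts as disconnected: 3*NOTIFY_TIME+30."""
    return 3 * notify_time + 30


def agent_status(agent_info_dir, agent_name, now=None, notify_time=NOTIFY_TIME):
    """Classify one agent from its queue/agent-info file, as the post describes.

    Returns 'never connected', 'active' or 'disconnected'.
    """
    info_file = Path(agent_info_dir) / agent_name
    if not info_file.exists():          # no file -> the agent never checked in
        return "never connected"
    now = time.time() if now is None else now
    age = now - info_file.stat().st_mtime   # seconds since the last keep-alive
    return "active" if age < agent_timeout(notify_time) else "disconnected"


def list_agent_status(agent_info_dir, now=None, notify_time=NOTIFY_TIME):
    """Status of every agent that has a file in the agent-info directory."""
    d = Path(agent_info_dir)
    return {p.name: agent_status(d, p.name, now, notify_time)
            for p in sorted(d.iterdir()) if p.is_file()}


def build_demo_dir():
    """Constructed sample: a temp agent-info dir with two agents, one that
    checked in 60 s ago and one whose last keep-alive was an hour ago.
    File names are hypothetical, not taken from a real OSSEC install."""
    d = Path(tempfile.mkdtemp())
    now = time.time()
    for name, age in (("win-agent-01-10.0.0.5", 60), ("old-agent-10.0.0.9", 3600)):
        f = d / name
        f.write_text("constructed agent-info placeholder\n")
        os.utime(f, (now - age, now - age))  # backdate mtime to simulate age
    return d, now


if __name__ == "__main__":
    demo_dir, demo_now = build_demo_dir()
    print("timeout:", agent_timeout(), "s")
    for agent, status in list_agent_status(demo_dir, demo_now).items():
        print(f"{agent}: {status}")
    print("missing-agent:", agent_status(demo_dir, "missing-agent", demo_now))
```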
On Thursday, May 5, 2016 at 8:44:50 PM UTC+2, dan (ddpbsd) wrote:
>
> On Thu, May 5, 2016 at 2:12 PM, Jiri <[email protected]> wrote:
> > Hi,
> >
> > I just finished installing ossec on ubuntu as a server and windows agent on
> > another computer. How do i test if my agent is successfully connected to me?
> > Also, can someone help me on creating rules to detect a ddos attack or
> > any attack on my server?
> >
>
> On the server you can run `/var/ossec/bin/list_agents -c` to see the
> connected agents.
> Check out the rules that already exist in /var/ossec/rules. They
> should be useful as a template.
> If you still need help, please ask.
>
> > Thanks,
> > Regards.
> >