Thanks for that Dan - very useful.
What about output from the following stanza to be whitelisted? What
<if_group> should be used here in local_rules.xml: is the group to be
whitelisted called syslog, access_control or authentication_failed?
<group name="syslog,access_control,">
  <rule id="2501" level="5">
    <match>FAILED LOGIN |authentication failure|</match>
    <match>Authentication failed for|invalid password for|</match>
    <match>LOGIN FAILURE|auth failure: |authentication error|</match>
    <match>authinternal failed|Failed to authorize|</match>
    <match>Wrong password given for|login failed|Auth: Login incorrect</match>
    <group>authentication_failed,</group>
    <description>User authentication failure.</description>
  </rule>
On Thursday, 9 June 2016 15:46:21 UTC+1, dan (ddpbsd) wrote:
>
> On Thu, Jun 9, 2016 at 10:22 AM, Tahir Hafiz <[email protected]> wrote:
> > Dear All,
> >
> > I currently have a few rules which are very similar. How can I have
> > multiple matches with the same rule?
> >
> > <!-- Ignore System Audit of /tmp not being on its own partition -->
> > <rule id="100007" level="0">
> > <if_sid>510</if_sid>
> > <match>Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab.</match>
> > <description>Ignore /tmp not being on its own partition</description>
> > <group>rootcheck,</group>
> > </rule>
> >
> > <!-- Ignore System Audit of /opt not being on its own partition -->
> > <rule id="100008" level="0">
> > <if_sid>510</if_sid>
> > <match>Robust partition scheme - /opt is not on its own partition.</match>
> > <description>Ignore /opt not being on its own partition</description>
> > <group>rootcheck,</group>
> > </rule>
> >
> > <!-- Ignore System Audit of /var not being on its own partition -->
> > <rule id="100009" level="0">
> > <if_sid>510</if_sid>
> > <match>Robust partition scheme - /var is not on its own partition.</match>
> > <description>Ignore /var not being on its own partition</description>
> > <group>rootcheck,</group>
> > </rule>
> >
> > Is there a way to have multiple <match> lines?
> > Would something like this work:
> >
> > <rule id="100007" level="0">
> > <if_sid>510</if_sid>
> > <regex>Robust partition scheme - \\\w\w\w is not on its own partition.</regex>
> > <description>Ignore dirs on / not being on their own partition</description>
> > <group>rootcheck,</group>
> > </rule>
> >
> > Basically, can I use <regex> matching instead of exact <match>?
> >
>
> You can break up matches with the "|" character.
> <match>thing 1|thing2|thing3</match>
>
> >
> > Thanks
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>
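Both questions in this thread (several <match> lines in one rule, and which <if_group> to name when silencing rule 2501 from local_rules.xml) come down to how OSSEC assembles a rule: repeated <match> elements are concatenated into one pattern, "|" separates the alternatives inside it, and a rule's effective groups are the enclosing <group name="..."> list plus its own <group> element, so 2501 sits in syslog, access_control and authentication_failed. The script below is an added toy evaluator written for this page, not OSSEC code, that reproduces those semantics over a few constructed log lines. It loads rule 2501 as quoted above, a stand-in rule 510 (the real rootcheck rule has different content), and two hypothetical local rules: 100007, the consolidating <regex> idea from the first message rewritten as `/\w+`, and 100010, a level-0 child keyed on <if_group>authentication_failed</if_group> plus its own <match>. Assumptions: Python's re stands in for OSSEC's regex dialect, matching is case-sensitive, rules are tried in file order rather than by level, and the fragment is wrapped in a <rules> root so ElementTree can parse it.

```python
"""Toy evaluator for OSSEC-style rules: an added example for this thread, not OSSEC code.
Repeated <match> bodies concatenate into one '|'-separated alternation, and a level-0
child selected via <if_sid>/<if_group> replaces its parent's verdict. Assumptions: Python's
re stands in for OSSEC's regex dialect, matching is case-sensitive, rules run in file order."""
import re
import xml.etree.ElementTree as ET

# Constructed rule file: 2501 is copied from the thread, 510 is a stand-in for the rootcheck
# rule, 100007/100010 are hypothetical local rules, and <rules> only makes it one XML document.
RULES_XML = """<rules>
<group name="syslog,access_control,">
  <rule id="2501" level="5">
    <match>FAILED LOGIN |authentication failure|</match>
    <match>Authentication failed for|invalid password for|</match>
    <match>LOGIN FAILURE|auth failure: |authentication error|</match>
    <match>authinternal failed|Failed to authorize|</match>
    <match>Wrong password given for|login failed|Auth: Login incorrect</match>
    <group>authentication_failed,</group>
    <description>User authentication failure.</description>
  </rule>
</group>
<group name="ossec,rootcheck,">
  <rule id="510" level="7">
    <match>System Audit:</match>
  </rule>
</group>
<group name="local,">
  <rule id="100007" level="0">
    <if_sid>510</if_sid>
    <regex>Robust partition scheme - /\\w+ is not on its own partition</regex>
  </rule>
  <rule id="100010" level="0">
    <if_group>authentication_failed</if_group>
    <match>svc-backup</match>
  </rule>
</group>
</rules>"""

SAMPLE_LOGS = {  # constructed lines, not captured from a real host
    "root_tty": "Jun  9 10:22:01 host login[123]: FAILED LOGIN 1 FROM tty1 FOR root, Authentication failure",
    "backup_svc": "Jun  9 10:23:05 host su[456]: pam_unix(su:auth): authentication failure; logname=svc-backup",
    "tmp_part": "Jun  9 10:24:00 host ossec: System Audit: Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab.",
    "cron": "Jun  9 10:25:00 host CRON[789]: (root) CMD (run-parts /etc/cron.hourly)",
}


def _csv(text):
    """Split an OSSEC comma list such as 'syslog,access_control,' (trailing comma allowed)."""
    return [g.strip() for g in (text or "").split(",") if g.strip()]


def _joined(rule, tag, sep=""):
    """Join every <tag> body of a rule; OSSEC appends repeated <match>/<regex> the same way."""
    return sep.join(e.text or "" for e in rule.findall(tag))


def load_rules(xml_text):
    rules = []
    for grp in ET.fromstring(xml_text).findall("group"):
        for r in grp.findall("rule"):
            rules.append({
                "id": int(r.get("id")),
                "level": int(r.get("level")),
                "match": _joined(r, "match"),
                "regex": _joined(r, "regex"),
                "if_sid": [int(s) for s in _csv(_joined(r, "if_sid", ","))],
                "if_group": _csv(_joined(r, "if_group", ",")),
                # Effective groups: the enclosing <group name> list plus the rule's own <group>.
                "groups": _csv(grp.get("name")) + _csv(_joined(r, "group", ",")),
            })
    return rules


def match_any(pattern, log):
    """OSSEC <match>: '|' separates substring alternatives; '^' and '$' anchor them."""
    for alt in filter(None, pattern.split("|")):  # a trailing '|' leaves an empty alternative
        head, tail, body = alt.startswith("^"), alt.endswith("$"), alt.strip("^$")
        if (log == body if head and tail else log.startswith(body) if head
                else log.endswith(body) if tail else body in log):
            return True
    return False


def rule_fires(rule, log):
    """A rule with neither <match> nor <regex> fires on anything its parent selected."""
    return ((not rule["match"] or match_any(rule["match"], log))
            and (not rule["regex"] or re.search(rule["regex"], log) is not None))


def evaluate(rules, log):
    """Return the winning rule for a log line, or None; a matched parent hands off to any
    child whose <if_sid>/<if_group> selects it and whose own pattern also fires."""
    children = [r for r in rules if r["if_sid"] or r["if_group"]]
    winner = next((r for r in rules if r not in children and rule_fires(r, log)), None)
    seen = set()
    while winner is not None and winner["id"] not in seen:  # seen guards against rule cycles
        seen.add(winner["id"])
        nxt = next((c for c in children if c["id"] not in seen and rule_fires(c, log)
                    and (winner["id"] in c["if_sid"]
                         or set(c["if_group"]) & set(winner["groups"]))), None)
        if nxt is None:
            break
        winner = nxt
    return winner


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    print({n: (h["id"], h["level"]) if (h := evaluate(rules, l)) else None for n, l in SAMPLE_LOGS.items()})
```

Running it classifies the tty login failure as 2501 at level 5, the svc-backup failure as 100010 at level 0 (2501 fired first, then the authentication_failed child took over), the rootcheck line as 100007 at level 0 via the regex child of 510, and the cron line as no match. Note that <if_group>syslog</if_group> would also select 2501 but would silence every rule in the syslog group, and <if_sid>2501</if_sid> is the narrowest hook; whichever is used, give the child its own <match> so only the expected failures drop to level 0.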