Hello,
I simply want to test the rule for the DDOS attack, which was discussed
previously:
local_rules.xml:
<group name="attack,">
  <rule id="200000" level="15" timeframe="300" frequency="3">
    <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
    <same_source_ip />
    <description>Attacks from same source IP</description>
  </rule>
</group>
But this is not working. I get errors while adding this new rule.
What is the possible solution for making this rule work?
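As an added illustration (not part of this thread or of OSSEC's code), a small Python model of how a composite rule like the one above correlates events: frequency 3 within timeframe 300 seconds, keyed on source IP, matching any of the pipe-separated groups. The sample events, the exact counting rule and the alert dict are assumptions made for the demo.

```python
from collections import defaultdict, deque

# Constructed sample events: (epoch seconds, source IP, comma-separated groups the
# decoder/rule stage already assigned). The attack group names are the page's own.
SAMPLE_EVENTS = [
    (1000, "203.0.113.5", "attack,web"),
    (1100, "203.0.113.5", "attacks,sshd"),
    (1150, "198.51.100.9", "attack,web"),
    (1200, "203.0.113.5", "automatic_attack"),  # 3rd hit from .5 within 200 s -> fires
    (1250, "203.0.113.5", "syslog,errors"),     # not an attack group -> ignored
    (2000, "198.51.100.9", "attack,web"),
    (2100, "198.51.100.9", "attack,web"),       # 1150 hit aged out: only 2 in window
]


class CompositeRule:
    """Simplified model of an OSSEC composite rule (frequency/timeframe/same_source_ip).
    Assumption: fires on the event that brings a source to `frequency` matches inside
    `timeframe` seconds; real OSSEC counting details may differ."""

    def __init__(self, rule_id, level, if_matched_group, frequency, timeframe,
                 same_source_ip=True):
        self.rule_id = rule_id
        self.level = level
        self.groups = set(if_matched_group.split("|"))  # "|" separates alternatives
        self.frequency = frequency
        self.timeframe = timeframe
        self.same_source_ip = same_source_ip
        self._hits = defaultdict(deque)  # correlation key -> recent match timestamps

    def feed(self, ts, srcip, groups):
        """Return an alert dict if this event crosses the threshold, else None."""
        if not self.groups & set(groups.split(",")):
            return None
        key = srcip if self.same_source_ip else "*"
        window = self._hits[key]
        while window and ts - window[0] > self.timeframe:  # expire old matches
            window.popleft()
        window.append(ts)
        if len(window) < self.frequency:
            return None
        window.clear()  # the next burst needs `frequency` fresh matches
        return {"rule_id": self.rule_id, "level": self.level, "srcip": srcip, "ts": ts}


def demo_alerts(events=SAMPLE_EVENTS):
    """Run the page's rule 200000 over the sample events; return the alerts raised."""
    rule = CompositeRule(200000, 15, "attacks|attack|automatic_attack", frequency=3, timeframe=300)
    return [alert for alert in (rule.feed(*e) for e in events) if alert]
```

With the constructed events only 203.0.113.5 reaches three attack-group hits inside 300 seconds; 198.51.100.9 never does because its first hit falls out of the window.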
On Wednesday, August 23, 2017 at 5:46:17 PM UTC+5:30, dan (ddpbsd) wrote:
>
> On Aug 23, 2017 6:18 AM, "Ritu Soni" <[email protected]> wrote:
>
> Hello,
> My work requirement is that OSSEC should generate an alert "Attack
> Detected" when a request from the same IP address is received by the server
> 3 or more times within 300 seconds.
> I have made changes in the syslog_rules.xml file:
> <rule id="1002" level="2" time_frame="300" frequency="3">
>   <if_matched_group>attacks|attack|automatic_attack</if_matched_group>
>   <options>alert_by_email</options>
>   <description>DDOS Attack Detected</description>
> </rule>
> But when I restart OSSEC, it generates an error msg:
> OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
>
> Are these changes correct? If not, please suggest the changes to
> achieve the same.
>
> I don't see anything obviously incorrect with the changes. I'm not sure
> if_matched_group accepts multiple groups, or if they are pipe-delimited
> though. Getting the actual errors (from logtest -t or the ossec.log) might
> help.
>
> Stylistically though, modifying the rules files (except local_rules.xml)
> is a bad idea. Changes will be overwritten during updates. Also, I consider
> rule 1002 to be very important, and changing it isn't something I
> encourage.
>
> On Monday, August 21, 2017 at 10:43:53 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Aug 21, 2017 1:07 PM, "Ritu Soni" <[email protected]> wrote:
>>
>> Hey,
>> When I make any changes to the XML files, OSSEC stops working.
>> Should I use the "make" command for those changes to take effect, or some other
>> command after making the changes?
>>
>> You can run `ossec-logtest -t` to test your changes before restarting
>> ossec. If there are issues, it should display error messages.
>>
>> On Monday, August 21, 2017 at 10:25:45 PM UTC+5:30, dan (ddpbsd) wrote:
>>>
>>> On Aug 21, 2017 12:54 PM, "Ritu Soni" <[email protected]> wrote:
>>>
>>> Hello,
>>> I have installed OSSEC on an Ubuntu server.
>>> I want to make changes to the OSSEC rules so that it can detect an
>>> attack and display an alert like "DDOS Attack".
>>> Is it possible to change the OSSEC rules using the XML files?
>>> What could be the possible method for this? Please guide me.
>>>
>>> Local additions or changes to the rules can be done in
>>> /var/ossec/rules/local_rules.xml
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>>
>>> For more options, visit https://groups.google.com/d/optout.