On Thu, Apr 5, 2018 at 11:04 AM, Cooper <[email protected]> wrote:
> Here's the rule from the error:
>
> <group name="syslog,access_control,">
>   <rule id="2501" level="0">
>     <match> esm</match>
>     <group>authentication_failed,</group>
>     <description>User authentication failure.</description>
>   </rule>
> </group>
>
> If I comment it out, it just says the next rule is a duplicate, and so on
> and so on.  None are overwrite rules.
>

Here's rule 2501 in OSSEC
(https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml#L130):
<group name="syslog,access_control,">
  <rule id="2501" level="5">
  <match>FAILED LOGIN |authentication failure|</match>
  <match>Authentication failed for|invalid password for|</match>
  <match>LOGIN FAILURE|auth failure: |authentication error|</match>
  <match>authinternal failed|Failed to authorize|</match>
  <match>Wrong password given for|login failed|Auth: Login incorrect|</match>
  <match>Failed to authenticate user</match>
  <group>authentication_failed,</group>
  <description>User authentication failure.</description>
  </rule>

So it looks like the custom rules implemented in your environment are
using the ID ranges used by the project.
I think rule IDs 100000+ are reserved for custom rules.
Anything below that could be used by the project at any time, possibly
conflicting with custom rules using the wrong ranges.

> On Thursday, April 5, 2018 at 4:04:56 AM UTC-6, dan (ddpbsd) wrote:
>>
>>
>>
>> On Wed, Apr 4, 2018, 8:56 PM Cooper <[email protected]> wrote:
>>>
>>> Sorry Dan, I'm horribly new to managing ossec (yesterday).  How would I
>>> know that?
>>
>>
>> Look for 'overwrite="yes"' in the rule.
>>
>>
>>>
>>> On Wednesday, April 4, 2018 at 6:54:14 PM UTC-6, dan (ddpbsd) wrote:
>>>>
>>>>
>>>>
>>>> On Wed, Apr 4, 2018, 8:50 PM Cooper <[email protected]> wrote:
>>>>>
>>>>> When trying to start our new 2.9.3 ossec server, i receive the
>>>>> following error:
>>>>>
>>>>> 2018/04/04 19:45:39 ossec-analysisd: Duplicate rule ID:2501
>>>>> 2018/04/04 19:45:39 ossec-testrule(1220): ERROR: Error loading the
>>>>> rules: 'local_rules.xml'.
>>>>>
>>>>> However, inside local_rules, there's only one rule with an ID of 2501.
>>>>> If I comment out that rule, it just says that the next rule is a 
>>>>> duplicate.
>>>>> These rules are being migrated from a working 2.7.2 install.  Anyone run
>>>>> into this before?
>>>>
>>>>
>>>>
>>>> Are these overwrite rules?
>>>>
>>>>> --
>>>>>
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "ossec-list" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>
>

