Well that helped with the duplicate rule errors, so thank you for that!
Now I am getting an overwrite rule error:
2018/04/05 17:30:17 ossec-analysisd: Overwrite rule '120028' not found.
2018/04/05 17:30:17 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
Here is the rule it is referencing (there are several after it that I'm
sure will error out as well):
<group name="local,syslog,">
  <rule id="120028" level="0" overwrite="yes">
    <decoded_as>ar_log</decoded_as>
    <description>Active Response Custom Messages Grouped</description>
    <group>active_response,</group>
  </rule>
On Thursday, April 5, 2018 at 2:00:22 PM UTC-6, Cooper wrote:
>
> Oh interesting! I assumed it was "unique" to that rule file. I'll try
> re-IDing them and see what happens.
>
> On Thu, Apr 5, 2018 at 1:36 PM dan (ddp) <[email protected]> wrote:
>
>> On Thu, Apr 5, 2018 at 11:04 AM, Cooper
>> > Here's the rule from the error:
>> >
>> > <group name="syslog,access_control,">
>> > <rule id="2501" level="0">
>> > <match> esm</match>
>> > <group>authentication_failed,</group>
>> > <description>User authentication failure.</description>
>> > </rule>
>> > </group>
>> >
>> > If I comment it out, it just says the next rule is a duplicate, and so
>> > on and so on. None are overwrite rules.
>> >
>>
>> Here's rule 2501 in OSSEC
>> (
>> https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml#L130
>> ):
>> <group name="syslog,access_control,">
>> <rule id="2501" level="5">
>> <match>FAILED LOGIN |authentication failure|</match>
>> <match>Authentication failed for|invalid password for|</match>
>> <match>LOGIN FAILURE|auth failure: |authentication error|</match>
>> <match>authinternal failed|Failed to authorize|</match>
>> <match>Wrong password given for|login failed|Auth: Login incorrect|</match>
>> <match>Failed to authenticate user</match>
>> <group>authentication_failed,</group>
>> <description>User authentication failure.</description>
>> </rule>
>>
>> So it looks like the custom rules implemented in your environment are
>> using the ID ranges used by the project.
>> I think rule id 100000+ are reserved for custom rules.
>> Anything below that could be used by the project at any time, possibly
>> conflicting with custom rules using the wrong ranges.
>>
>> > On Thursday, April 5, 2018 at 4:04:56 AM UTC-6, dan (ddpbsd) wrote:
>> >>
>> >> On Wed, Apr 4, 2018, 8:56 PM Cooper <[email protected]> wrote:
>> >>>
>> >>> Sorry Dan, I'm horribly new to managing ossec (yesterday). How would I
>> >>> know that?
>> >>
>> >> Look for 'overwrite="yes"' in the rule.
>> >>
>> >>>
>> >>> On Wednesday, April 4, 2018 at 6:54:14 PM UTC-6, dan (ddpbsd) wrote:
>> >>>>
>> >>>> On Wed, Apr 4, 2018, 8:50 PM Cooper <[email protected]> wrote:
>> >>>>>
>> >>>>> When trying to start our new 2.9.3 ossec server, i receive the
>> >>>>> following error:
>> >>>>>
>> >>>>> 2018/04/04 19:45:39 ossec-analysisd: Duplicate rule ID:2501
>> >>>>> 2018/04/04 19:45:39 ossec-testrule(1220): ERROR: Error loading the
>> >>>>> rules: 'local_rules.xml'.
>> >>>>>
>> >>>>> However, inside local_rules, there's only one rule with an ID of 2501.
>> >>>>> If I comment out that rule, it just says that the next rule is a
>> >>>>> duplicate. These rules are being migrated from a working 2.7.2 install.
>> >>>>> Anyone run into this before?
>> >>>>
>> >>>> Are these overwrite rules?
>> >>>>
>> >>>>> --
>> >>>>>
>> >>>>> ---
>> >>>>> You received this message because you are subscribed to the Google
>> >>>>> Groups "ossec-list" group.
>> >>>>> To unsubscribe from this group and stop receiving emails from it,
>> send
>> >>>>> an email to [email protected].
>> >>>>> For more options, visit https://groups.google.com/d/optout.
>> >>>
>> >
>>
>>
>
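As an added example (not code from this thread or from the OSSEC project), a small Python pre-flight check for local_rules.xml that reproduces the three conditions discussed above: a local rule that duplicates a stock ID, an overwrite="yes" rule whose target ID does not exist in the stock rules (the "Overwrite rule not found" error), and non-overwrite IDs below the 100000+ custom range dan mentions. The stock and local rule snippets embedded in it are constructed, and the 100000 boundary is taken from dan's message rather than verified against the OSSEC documentation.

```python
import xml.etree.ElementTree as ET

CUSTOM_RANGE_START = 100000  # "rule id 100000+ are reserved for custom rules" (dan, above)

def parse_rules(xml_text):
    # OSSEC rule files hold several top-level <group> elements and no single root,
    # so wrap the text; assumes it is otherwise well-formed XML (OSSEC's loader is more lenient).
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    return [(r.get("id"), r.get("overwrite", "no").lower() == "yes")
            for r in root.iter("rule")]

def check_local_rules(base_xml, local_xml):
    """Pre-flight check of local_rules.xml against the stock rule files. Returns
    (rule_id, problem) pairs mirroring the analysisd errors in the thread, plus
    IDs below the custom range, which will collide with the project sooner or later."""
    base_ids = {rid for rid, _ in parse_rules(base_xml)}
    seen, problems = set(), []
    for rid, overwrite in parse_rules(local_xml):  # every OSSEC rule carries an id
        if overwrite and rid not in base_ids:
            problems.append((rid, "overwrite rule not found"))
        elif not overwrite and (rid in base_ids or rid in seen):
            problems.append((rid, "duplicate rule id"))
        if not overwrite and int(rid) < CUSTOM_RANGE_START:
            problems.append((rid, "id below custom range"))
        seen.add(rid)
    return problems

# Constructed samples: a stock rule 2501 and a local file that triggers both errors.
BASE_RULES = """<group name="syslog,access_control,">
  <rule id="2501" level="5">
    <match>FAILED LOGIN |authentication failure|</match>
    <description>User authentication failure.</description>
  </rule>
</group>"""

LOCAL_RULES = """<group name="syslog,access_control,">
  <rule id="2501" level="0"><match> esm</match>
    <description>User authentication failure.</description></rule>
</group>
<group name="local,syslog,">
  <rule id="120028" level="0" overwrite="yes"><decoded_as>ar_log</decoded_as>
    <description>Active Response Custom Messages Grouped</description></rule>
  <rule id="2501" level="0" overwrite="yes"><match> esm</match>
    <description>Overwrite of the stock rule: allowed</description></rule>
</group>"""

if __name__ == "__main__":
    for rid, problem in check_local_rules(BASE_RULES, LOCAL_RULES):
        print(f"rule {rid}: {problem}")
```

To run it against a real install, read the stock files under etc/rules/ into base_xml and local_rules.xml into local_xml before calling check_local_rules.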