Do I need to leave those rule IDs as they were?  I'm guessing overwrite 
means that they overrule the other rules with the same IDs?

On Thursday, April 5, 2018 at 4:34:03 PM UTC-6, Cooper wrote:
>
> Well that helped with the duplicate rule errors, so thank you for that!  
> Now I am getting an overwrite rule error:
>
> 2018/04/05 17:30:17 ossec-analysisd: Overwrite rule '120028' not found.
> 2018/04/05 17:30:17 ossec-testrule(1220): ERROR: Error loading the rules: 
> 'local_rules.xml'.
>
> Here is the rule it is referencing (there are several after it that I'm 
> sure will error out as well):
>
> <group name="local,syslog,">
>   <rule id="120028" level="0" overwrite="yes">
>     <decoded_as>ar_log</decoded_as>
>     <description>Active Response Custom Messages Grouped</description>
>     <group>active_response,</group>
>   </rule>
>
>
> On Thursday, April 5, 2018 at 2:00:22 PM UTC-6, Cooper wrote:
>>
>> Oh interesting! I assumed it was "unique" to that rule file. I'll try 
>> re-IDing them and see what happens. 
>>
>> On Thu, Apr 5, 2018 at 1:36 PM dan (ddp) <ddp...@gmail.com> wrote:
>>
>>> On Thu, Apr 5, 2018 at 11:04 AM, Cooper
>>> > Here's the rule from the error:
>>> >
>>> > <group name="syslog,access_control,">
>>> >   <rule id="2501" level="0">
>>> >     <match> esm</match>
>>> >     <group>authentication_failed,</group>
>>> >     <description>User authentication failure.</description>
>>> >   </rule>
>>> > </group>
>>> >
>>> > If I comment it out, it just says the next rule is a duplicate, and so on
>>> > and so on.  None are overwrite rules.
>>> >
>>>
>>> Here's rule 2501 in OSSEC
>>> (https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml#L130):
>>> <group name="syslog,access_control,">
>>>   <rule id="2501" level="5">
>>>   <match>FAILED LOGIN |authentication failure|</match>
>>>   <match>Authentication failed for|invalid password for|</match>
>>>   <match>LOGIN FAILURE|auth failure: |authentication error|</match>
>>>   <match>authinternal failed|Failed to authorize|</match>
>>>   <match>Wrong password given for|login failed|Auth: Login incorrect|</match>
>>>   <match>Failed to authenticate user</match>
>>>   <group>authentication_failed,</group>
>>>   <description>User authentication failure.</description>
>>> </rule>
>>>
>>> So it looks like the custom rules implemented in your environment are
>>> using the ID ranges used by the project.
>>> I think rule id 100000+ are reserved for custom rules.
>>> Anything below that could be used by the project at any time, possibly
>>> conflicting with custom rules using the wrong ranges.
>>>
>>> > On Thursday, April 5, 2018 at 4:04:56 AM UTC-6, dan (ddpbsd) wrote:
>>> >>
>>> >>
>>> >>
>>> >> On Wed, Apr 4, 2018, 8:56 PM Cooper <coope...@gmail.com> wrote:
>>> >>>
>>> >>> Sorry Dan, I'm horribly new to managing ossec (yesterday).  How would I
>>> >>> know that?
>>> >>
>>> >>
>>> >> Look for 'overwrite="yes"' in the rule.
>>> >>
>>> >>
>>> >>>
>>> >>> On Wednesday, April 4, 2018 at 6:54:14 PM UTC-6, dan (ddpbsd) wrote:
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> On Wed, Apr 4, 2018, 8:50 PM Cooper <coope...@gmail.com> wrote:
>>> >>>>>
>>> >>>>> When trying to start our new 2.9.3 ossec server, I receive the
>>> >>>>> following error:
>>> >>>>>
>>> >>>>> 2018/04/04 19:45:39 ossec-analysisd: Duplicate rule ID:2501
>>> >>>>> 2018/04/04 19:45:39 ossec-testrule(1220): ERROR: Error loading the
>>> >>>>> rules: 'local_rules.xml'.
>>> >>>>>
>>> >>>>> However, inside local_rules, there's only one rule with an ID of 2501.
>>> >>>>> If I comment out that rule, it just says that the next rule is a duplicate.
>>> >>>>> These rules are being migrated from a working 2.7.2 install.  Anyone run
>>> >>>>> into this before?
>>> >>>>
>>> >>>>
>>> >>>>
>>> >>>> Are these overwrite rules?
>>> >>>>
>>> >>>>> --
>>> >>>>>
>>> >>>>> ---
>>> >>>>> You received this message because you are subscribed to the Google
>>> >>>>> Groups "ossec-list" group.
>>> >>>>> To unsubscribe from this group and stop receiving emails from it, send
>>> >>>>> an email to ossec-list+...@googlegroups.com.
>>> >>>>> For more options, visit https://groups.google.com/d/optout.
>>> >>>
>>> >
>>>
>>>
>>


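As an added example (not code from this thread or from the OSSEC project), a small Python lint that reproduces the two load errors Cooper hit and dan's ID-range advice before analysisd is restarted; it assumes the 100000 threshold dan mentions and feeds constructed excerpts in place of the real rule files.

```python
import re
from typing import Iterator, List
# Per dan's reply, IDs from 100000 upward are left for custom rules; the
# project's own rule files stay below it (assumption taken from the thread).
CUSTOM_MIN = 100000
RULE_OPEN = re.compile(r"<rule\b([^>]*)>")
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def rule_headers(rules_text: str) -> Iterator[dict]:
    """Yield the attributes of each <rule ...> opening tag, in file order.
    Regex rather than an XML parser: OSSEC rule files have several root
    <group> elements and are not always well-formed XML."""
    for m in RULE_OPEN.finditer(rules_text):
        attrs = dict(ATTR.findall(m.group(1)))
        if "id" in attrs:
            yield attrs

def lint_local_rules(project_rules: str, local_rules: str) -> List[str]:
    """Reproduce the checks analysisd applies when local_rules.xml is loaded
    after the project's rule files, plus the custom-ID-range convention."""
    known = {a["id"] for a in rule_headers(project_rules)}
    seen_local, problems = set(), []
    for a in rule_headers(local_rules):
        rid = a["id"]
        overwrite = a.get("overwrite", "no").lower() == "yes"
        if overwrite and rid not in known:
            # overwrite="yes" only replaces a rule that is already loaded
            problems.append(f"Overwrite rule '{rid}' not found")
        elif not overwrite and (rid in known or rid in seen_local):
            # a plain rule may not reuse an ID that is already loaded
            problems.append(f"Duplicate rule ID:{rid}")
        if not overwrite and int(rid) < CUSTOM_MIN:
            # not an analysisd error, but the project may claim this ID later
            problems.append(f"Rule {rid} uses a project-reserved ID; renumber to >= {CUSTOM_MIN}")
        seen_local.add(rid)
    return problems

# Constructed excerpts standing in for syslog_rules.xml and local_rules.xml.
PROJECT_RULES = """<group name="syslog,access_control,">
  <rule id="2501" level="5"><match>FAILED LOGIN |authentication failure|</match>
    <description>User authentication failure.</description></rule>
</group>"""
LOCAL_RULES = """<group name="local,syslog,">
  <rule id="2501" level="0"><match> esm</match></rule>
  <rule id="120028" level="0" overwrite="yes"><decoded_as>ar_log</decoded_as></rule>
  <rule id="100100" level="3"><description>Correctly numbered custom rule.</description></rule>
</group>"""
for problem in lint_local_rules(PROJECT_RULES, LOCAL_RULES):
    print(problem)
```

Renumbering the local copy of 2501 into the custom range, or marking it `overwrite="yes"`, clears the duplicate error; the overwrite error only goes away once a rule 120028 actually exists in the loaded project files.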