Looks to be all set now. Thanks for your help, Dan!

Starting OSSEC HIDS 2.9.3 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

On Thursday, April 5, 2018 at 4:39:50 PM UTC-6, Cooper wrote:
>
> Do I need to leave those rule IDs as they were? I'm guessing overwrite
> means that they overrule the other rules with the same IDs?
>
> On Thursday, April 5, 2018 at 4:34:03 PM UTC-6, Cooper wrote:
>>
>> Well that helped with the duplicate rule errors, so thank you for that!
>> Now I am getting an overwrite rule error:
>>
>> 2018/04/05 17:30:17 ossec-analysisd: Overwrite rule '120028' not found.
>> 2018/04/05 17:30:17 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
>>
>> Here is the rule it is referencing (there are several after it that I'm
>> sure will error out as well):
>>
>> <group name="local,syslog,">
>> <rule id="120028" level="0" overwrite="yes">
>> <decoded_as>ar_log</decoded_as>
>> <description>Active Response Custom Messages Grouped</description>
>> <group>active_response,</group>
>> </rule>
>>
>> On Thursday, April 5, 2018 at 2:00:22 PM UTC-6, Cooper wrote:
>>>
>>> Oh interesting! I assumed it was "unique" to that rule file. I'll try
>>> re-IDing them and see what happens.
>>>
>>> On Thu, Apr 5, 2018 at 1:36 PM dan (ddp) <[email protected]> wrote:
>>>>
>>>> On Thu, Apr 5, 2018 at 11:04 AM, Cooper wrote:
>>>>> Here's the rule from the error:
>>>>>
>>>>> <group name="syslog,access_control,">
>>>>> <rule id="2501" level="0">
>>>>> <match> esm</match>
>>>>> <group>authentication_failed,</group>
>>>>> <description>User authentication failure.</description>
>>>>> </rule>
>>>>> </group>
>>>>>
>>>>> If I comment it out, it just says the next rule is a duplicate, and
>>>>> so on and so on. None are overwrite rules.
>>>>>
>>>>
>>>> Here's rule 2501 in OSSEC
>>>> (https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml#L130):
>>>>
>>>> <group name="syslog,access_control,">
>>>> <rule id="2501" level="5">
>>>> <match>FAILED LOGIN |authentication failure|</match>
>>>> <match>Authentication failed for|invalid password for|</match>
>>>> <match>LOGIN FAILURE|auth failure: |authentication error|</match>
>>>> <match>authinternal failed|Failed to authorize|</match>
>>>> <match>Wrong password given for|login failed|Auth: Login incorrect|</match>
>>>> <match>Failed to authenticate user</match>
>>>> <group>authentication_failed,</group>
>>>> <description>User authentication failure.</description>
>>>> </rule>
>>>>
>>>> So it looks like the custom rules implemented in your environment are
>>>> using the ID ranges used by the project.
>>>> I think rule IDs 100000+ are reserved for custom rules.
>>>> Anything below that could be used by the project at any time, possibly
>>>> conflicting with custom rules using the wrong ranges.
>>>>
>>>>> On Thursday, April 5, 2018 at 4:04:56 AM UTC-6, dan (ddpbsd) wrote:
>>>>>>
>>>>>> On Wed, Apr 4, 2018, 8:56 PM Cooper <[email protected]> wrote:
>>>>>>>
>>>>>>> Sorry Dan, I'm horribly new to managing ossec (yesterday). How
>>>>>>> would I know that?
>>>>>>
>>>>>> Look for 'overwrite="yes"' in the rule.
>>>>>>
>>>>>>> On Wednesday, April 4, 2018 at 6:54:14 PM UTC-6, dan (ddpbsd) wrote:
>>>>>>>>
>>>>>>>> On Wed, Apr 4, 2018, 8:50 PM Cooper <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> When trying to start our new 2.9.3 ossec server, I receive the
>>>>>>>>> following error:
>>>>>>>>>
>>>>>>>>> 2018/04/04 19:45:39 ossec-analysisd: Duplicate rule ID:2501
>>>>>>>>> 2018/04/04 19:45:39 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
>>>>>>>>>
>>>>>>>>> However, inside local_rules, there's only one rule with an ID of 2501.
>>>>>>>>> If I comment out that rule, it just says that the next rule is a duplicate.
>>>>>>>>> These rules are being migrated from a working 2.7.2 install. Anyone run
>>>>>>>>> into this before?
>>>>>>>>
>>>>>>>> Are these overwrite rules?
>>>>>>>>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
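As an added example (not code from the thread or from the OSSEC project), a small pre-flight check for local_rules.xml that reproduces the two startup errors discussed in the thread and flags non-overwrite rules that sit below the 100000+ custom range Dan mentions. The rule text it checks is constructed from the snippets quoted above; the 100000 boundary is taken from Dan's statement, not from OSSEC documentation.

```python
"""Pre-flight check for an OSSEC local_rules.xml: reports the same two errors
ossec-analysisd raised in the thread (Duplicate rule ID / Overwrite rule not
found) and any non-overwrite rule below the custom ID range Dan described.
Added example; the sample rule text is constructed from the quoted snippets."""
import xml.etree.ElementTree as ET

CUSTOM_ID_MIN = 100000  # assumption from the thread: lower IDs belong to the project

def parse_rules(xml_text):
    """Return [(rule_id, is_overwrite), ...] in file order; rule files hold
    several top-level <group> elements with no single root, so wrap them."""
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    return [(int(r.get("id")), r.get("overwrite", "no").lower() == "yes")
            for r in root.iter("rule")]

def check_local_rules(project_xml, local_xml):
    """Return the problems analysisd would stop on; [] means the IDs load."""
    project_ids = {rid for rid, _ in parse_rules(project_xml)}
    seen, problems = set(), []
    for rid, overwrite in parse_rules(local_xml):
        if overwrite and rid not in project_ids:
            problems.append(f"Overwrite rule '{rid}' not found")
        elif not overwrite and (rid in project_ids or rid in seen):
            problems.append(f"Duplicate rule ID:{rid}")
        if not overwrite and rid < CUSTOM_ID_MIN:
            problems.append(f"Rule {rid} is below the custom range ({CUSTOM_ID_MIN}+)")
        seen.add(rid)
    return problems

# Project rule 2501 as Dan quoted it from syslog_rules.xml (match lines shortened).
PROJECT_RULES = """<group name="syslog,access_control,">
  <rule id="2501" level="5"><match>FAILED LOGIN |authentication failure|</match>
    <description>User authentication failure.</description></rule>
</group>"""

# Cooper's migrated rules: 2501 collides with the project, 120028 overwrites nothing.
LOCAL_RULES_BEFORE = """<group name="syslog,access_control,">
  <rule id="2501" level="0"><match> esm</match>
    <description>User authentication failure.</description></rule>
</group>
<group name="local,syslog,">
  <rule id="120028" level="0" overwrite="yes"><decoded_as>ar_log</decoded_as>
    <description>Active Response Custom Messages Grouped</description></rule>
</group>"""

# Constructed fix: re-ID into the custom range and drop the stray overwrite flag.
LOCAL_RULES_AFTER = (LOCAL_RULES_BEFORE.replace('id="2501"', 'id="100501"')
                     .replace(' overwrite="yes"', ''))
```

Running `check_local_rules(PROJECT_RULES, LOCAL_RULES_BEFORE)` lists the three findings, and the same call on `LOCAL_RULES_AFTER` returns an empty list.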
