On Thu, Apr 5, 2018 at 6:39 PM, Cooper <coopertg...@gmail.com> wrote:
> Do I need to leave those rule IDs as they were?  I'm guessing overwrite
> means that they overrule the other rules with the same IDs?
>

Looks like you fixed it, but an answer on the list might help someone else.
Overwrite does what it says: it overrides another rule.

The OSSEC-provided rules files will be overwritten during an upgrade,
so to allow users to change those rules the overwrite option was
added.
A rule in local_rules.xml with the overwrite option will be used
instead of the rule with that same ID in another rule file.

>
> On Thursday, April 5, 2018 at 4:34:03 PM UTC-6, Cooper wrote:
>>
>> Well that helped with the duplicate rule errors, so thank you for that!
>> Now I am getting an overwrite rule error:
>>
>> 2018/04/05 17:30:17 ossec-analysisd: Overwrite rule '120028' not found.
>> 2018/04/05 17:30:17 ossec-testrule(1220): ERROR: Error loading the rules:
>> 'local_rules.xml'.
>>
>> Here is the rule it is referencing (there are several after it that I'm
>> sure will error out as well):
>>
>> <group name="local,syslog,">
>>   <rule id="120028" level="0" overwrite="yes">
>>     <decoded_as>ar_log</decoded_as>
>>     <description>Active Response Custom Messages Grouped</description>
>>     <group>active_response,</group>
>>   </rule>
>>
>>
>> On Thursday, April 5, 2018 at 2:00:22 PM UTC-6, Cooper wrote:
>>>
>>> Oh interesting! I assumed it was "unique" to that rule file. I'll try
>>> re-IDing them and see what happens.
>>>
>>> On Thu, Apr 5, 2018 at 1:36 PM dan (ddp) <ddp...@gmail.com> wrote:
>>>>
>>>> On Thu, Apr 5, 2018 at 11:04 AM, Cooper
>>>> > Here's the rule from the error:
>>>> >
>>>> > <group name="syslog,access_control,">
>>>> >   <rule id="2501" level="0">
>>>> >     <match> esm</match>
>>>> >     <group>authentication_failed,</group>
>>>> >     <description>User authentication failure.</description>
>>>> >   </rule>
>>>> > </group>
>>>> >
>>>> > If I comment it out, it just says the next rule is a duplicate, and so
>>>> > on
>>>> > and so on.  None are overwrite rules.
>>>> >
>>>>
>>>> Here's rule 2501 in OSSEC
>>>> (https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml#L130):
>>>> <group name="syslog,access_control,">
>>>>   <rule id="2501" level="5">
>>>>   <match>FAILED LOGIN |authentication failure|</match>
>>>>   <match>Authentication failed for|invalid password for|</match>
>>>>   <match>LOGIN FAILURE|auth failure: |authentication error|</match>
>>>>   <match>authinternal failed|Failed to authorize|</match>
>>>>   <match>Wrong password given for|login failed|Auth: Login incorrect|</match>
>>>>   <match>Failed to authenticate user</match>
>>>>   <group>authentication_failed,</group>
>>>>   <description>User authentication failure.</description>
>>>> </rule>
>>>>
>>>> So it looks like the custom rules implemented in your environment are
>>>> using the ID ranges used by the project.
>>>> I think rule id 100000+ are reserved for custom rules.
>>>> Anything below that could be used by the project at any time, possibly
>>>> conflicting with custom rules using the wrong ranges.
>>>>
>>>> > On Thursday, April 5, 2018 at 4:04:56 AM UTC-6, dan (ddpbsd) wrote:
>>>> >>
>>>> >>
>>>> >>
>>>> >> On Wed, Apr 4, 2018, 8:56 PM Cooper <coope...@gmail.com> wrote:
>>>> >>>
>>>> >>> Sorry Dan, I'm horribly new to managing ossec (yesterday).  How
>>>> >>> would I
>>>> >>> know that?
>>>> >>
>>>> >>
>>>> >> Look for 'overwrite="yes"' in the rule.
>>>> >>
>>>> >>
>>>> >>>
>>>> >>> On Wednesday, April 4, 2018 at 6:54:14 PM UTC-6, dan (ddpbsd) wrote:
>>>> >>>>
>>>> >>>>
>>>> >>>>
>>>> >>>> On Wed, Apr 4, 2018, 8:50 PM Cooper <coope...@gmail.com> wrote:
>>>> >>>>>
>>>> >>>>> When trying to start our new 2.9.3 ossec server, I receive the
>>>> >>>>> following error:
>>>> >>>>>
>>>> >>>>> 2018/04/04 19:45:39 ossec-analysisd: Duplicate rule ID:2501
>>>> >>>>> 2018/04/04 19:45:39 ossec-testrule(1220): ERROR: Error loading the
>>>> >>>>> rules: 'local_rules.xml'.
>>>> >>>>>
>>>> >>>>> However, inside local_rules, there's only one rule with an ID of
>>>> >>>>> 2501.
>>>> >>>>> If I comment out that rule, it just says that the next rule is a
>>>> >>>>> duplicate.
>>>> >>>>> These rules are being migrated from a working 2.7.2 install.
>>>> >>>>> Anyone run
>>>> >>>>> into this before?
>>>> >>>>
>>>> >>>>
>>>> >>>>
>>>> >>>> Are these overwrite rules?
>>>> >>>>
>>>> >>>>> --
>>>> >>>>>
>>>> >>>>> ---
>>>> >>>>> You received this message because you are subscribed to the Google
>>>> >>>>> Groups "ossec-list" group.
>>>> >>>>> To unsubscribe from this group and stop receiving emails from it,
>>>> >>>>> send
>>>> >>>>> an email to ossec-list+...@googlegroups.com.
>>>> >>>>> For more options, visit https://groups.google.com/d/optout.
>>>> >>>
>>>> >
>

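As an added worked example (not code from this thread or from the OSSEC project): a small Python checker that loads rule files in the order ossec-analysisd would and reproduces the three situations the thread ran into, a duplicate ID with no overwrite, an overwrite="yes" rule whose ID was never loaded, and a new local rule sitting in a project ID range. The sample rule XML is constructed here from the snippets quoted above, the error strings are modelled on the log lines in the thread, and the 100000+ boundary for custom rules is the assumption dan states rather than a value read from OSSEC.

```python
"""Constructed example: a load-order checker for OSSEC rule files.

Reproduces the conditions discussed on ossec-list: Duplicate rule ID,
Overwrite rule not found, and custom rules placed in the project's ID range.
Not OSSEC code; error strings are modelled on the thread's log lines.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Assumption taken from the thread: IDs from 100000 upward are reserved for
# local (custom) rules; anything lower may be claimed by a project release.
CUSTOM_RULE_MIN = 100000


@dataclass
class LoadResult:
    rules: dict = field(default_factory=dict)     # rule id -> (file, <rule> element)
    errors: list = field(default_factory=list)    # would stop ossec-analysisd
    warnings: list = field(default_factory=list)  # will bite at the next upgrade


def parse_rules(xml_text):
    # A rule file is a sequence of <group> elements with no single root,
    # so wrap it before handing it to the XML parser.
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    return list(root.iter("rule"))


def load_rule_files(files, local_name="local_rules.xml"):
    """files: [(file name, xml text), ...] in load order, local_rules.xml last."""
    result = LoadResult()
    for name, text in files:
        for rule in parse_rules(text):
            rid = rule.get("id", "")
            if not rid.isdigit():
                result.errors.append(f"{name}: rule without a numeric id")
                continue
            overwrite = rule.get("overwrite", "no").lower() == "yes"
            if overwrite:
                if rid in result.rules:
                    result.rules[rid] = (name, rule)  # replaces the earlier definition
                else:
                    result.errors.append(f"{name}: Overwrite rule '{rid}' not found.")
            elif rid in result.rules:
                result.errors.append(f"{name}: Duplicate rule ID:{rid}")
            else:
                result.rules[rid] = (name, rule)
            # A brand-new local rule in the project's range loads fine today
            # and collides after the next rules upgrade.
            if name == local_name and not overwrite and int(rid) < CUSTOM_RULE_MIN:
                result.warnings.append(
                    f"{name}: rule {rid} is below {CUSTOM_RULE_MIN}; "
                    'use overwrite="yes" to change a project rule or renumber it')
    return result


# Constructed sample input, trimmed from the snippets quoted in the thread.
SYSLOG_RULES = """<group name="syslog,access_control,">
  <rule id="2501" level="5">
    <match>FAILED LOGIN |authentication failure|</match>
    <group>authentication_failed,</group>
    <description>User authentication failure.</description>
  </rule>
</group>
"""

# The migrated local_rules.xml: reuses project ID 2501 without overwrite and
# puts overwrite="yes" on a custom rule that exists nowhere else.
LOCAL_RULES_BROKEN = """<group name="syslog,access_control,">
  <rule id="2501" level="0">
    <match> esm</match>
    <group>authentication_failed,</group>
    <description>User authentication failure.</description>
  </rule>
</group>
<group name="local,syslog,">
  <rule id="120028" level="0" overwrite="yes">
    <decoded_as>ar_log</decoded_as>
    <description>Active Response Custom Messages Grouped</description>
    <group>active_response,</group>
  </rule>
</group>
"""

# Corrected: overwrite the project rule, drop overwrite from the custom one.
LOCAL_RULES_FIXED = LOCAL_RULES_BROKEN.replace(
    '<rule id="2501" level="0">', '<rule id="2501" level="0" overwrite="yes">'
).replace('<rule id="120028" level="0" overwrite="yes">', '<rule id="120028" level="0">')


if __name__ == "__main__":
    for label, local in (("broken", LOCAL_RULES_BROKEN), ("fixed", LOCAL_RULES_FIXED)):
        res = load_rule_files([("syslog_rules.xml", SYSLOG_RULES), ("local_rules.xml", local)])
        print(f"== {label}: {len(res.errors)} error(s), {len(res.warnings)} warning(s)")
        for line in res.errors + res.warnings:
            print("  " + line)
```

Running it reports the duplicate and the missing overwrite target for the broken file and a clean load for the fixed one, where the local definition of 2501 is the one that ends up active.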