Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread Jesus Linares
Hi,

Yes, a CDB list is what you need.

1. Create the list: /var/ossec/lists/allow_users.txt
$ cat allow_users
jesuslinares:
maxim:

2. Add the file to ossec.conf:

<!-- The XML tags in this post were lost in the page extraction and are
     restored from the remaining values; rule ids other than 100011 and
     all rule levels were not preserved and are assumed. -->
<ossec_config>
  <rules>
    <list>lists/allow_users</list>
  </rules>
</ossec_config>

3. Compile the list
$ /var/ossec/bin/ossec-makelists

4. Use in your rules:
<list field="user" lookup="match_key">lists/allow_users</list>

Example:

<decoder name="ExampleLogin">
  <prematch>LOGIN</prematch>
  <regex>user '(\S+)'</regex>
  <order>user</order>
</decoder>

<rule id="100010" level="3">
  <decoded_as>ExampleLogin</decoded_as>
  <group>authentication_success</group>
  <description>LOGIN</description>
</rule>

<rule id="100011" level="5">
  <if_group>authentication_success</if_group>
  <description>Bad user</description>
</rule>

<rule id="100012" level="0">
  <if_sid>100011</if_sid>
  <list field="user" lookup="match_key">lists/allow_users</list>
  <description>Allow user</description>
</rule>



Regards.
Jesus Linares.



On Thursday, March 3, 2016 at 12:50:06 PM UTC+1, dan (ddpbsd) wrote:
>
>
> On Mar 3, 2016 6:30 AM, "Maxim Surdu" wrote:
> >
> > It is a solution, but can I create a list and a rule to read my whole
> > list from the file, or something like this, because now I have 300 clients
> > but there can be more and then it will not work anymore.
> >
>
> If that username is decoded into a user field, you might be able to create
> a cdb database and filter based on that.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
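The procedure in Jesus's reply, carried through on Maxim's pure-ftpd case as an added example (editor's code, not from the thread, from OSSEC or from either poster): it writes the list source in the key:value shape that ossec-makelists compiles, then re-implements in plain Python what the decoder, the <time> condition of rule 17101 and a level-0 child rule with <list field="user" lookup="match_key"> do, and runs that over constructed log lines. Rule 17101 / level 9 comes from the posted alert; the pure-ftpd regex, the client names other than transpor, the log lines, the allow rule's id 100012 and the use of 300 clients as a sample size are assumptions.

```python
"""Emulate the CDB allow-list fix from the thread on constructed pure-ftpd lines.

Added example, not code from the thread or from OSSEC: the decoder regex, the
match_key lookup and the rule chain are re-implemented in plain Python. Rule
17101 / level 9 is from the posted alert; the allow rule's id/level are assumed.
"""
import re

# Constructed client list mirroring the question (about 300 FTP clients, one of
# which, 'transpor', appears in the posted alert). All other names are made up.
CLIENTS = ["transpor"] + [f"client{i}" for i in range(1, 300)]

# Constructed log lines in the shape of the posted alert (RFC 5737 test IPs).
SAMPLE_LOGS = [
    "Mar  2 21:05:38 host pure-ftpd: (?@192.0.2.10) [INFO] transpor is now logged in",
    "Mar  2 21:07:12 host pure-ftpd: (?@192.0.2.11) [INFO] intruder is now logged in",
    "Mar  3 10:15:00 host pure-ftpd: (?@192.0.2.12) [INFO] intruder is now logged in",
    "Mar  2 21:08:00 host pure-ftpd: (?@192.0.2.13) [INFO] Transpor is now logged in",
    "Mar  2 21:09:00 host sshd[123]: Accepted password for transpor from 192.0.2.14",
]

PARENT_RULE_ID, PARENT_RULE_LEVEL = 17101, 9   # from the alert in the question
ALLOW_RULE_ID, ALLOW_RULE_LEVEL = 100012, 0    # assumed local rule id / level


def build_user_pattern(users):
    """The '<user>a | b | ...</user>' alternation from the question: one string
    that grows with every client, which is what hit the parser's string limit."""
    return " | ".join(users)


def render_cdb_source(users):
    """Text of the list file that ossec-makelists compiles to allow_users.cdb:
    'key:value' lines, a bare 'key:' meaning an empty value, as in the reply.
    This example refuses keys that are empty or contain ':' or whitespace."""
    bad = [u for u in users if not u or ":" in u or any(c.isspace() for c in u)]
    if bad:
        raise ValueError(f"usernames unsuitable as CDB keys: {bad}")
    return "".join(f"{u}:\n" for u in users)


def parse_cdb_source(text):
    """Load a 'key:value' source into a dict (the .cdb holds the same pairs)."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(":")
            entries[key] = value
    return entries


# Regex written for this example to pull srcip and user out of the pure-ftpd
# login line in the posted alert; it is not the decoder shipped with OSSEC.
PUREFTPD_LOGIN = re.compile(
    r"pure-ftpd: \([^@]*@(?P<srcip>[^)]+)\) \[INFO\] (?P<user>\S+) is now logged in$"
)
SYSLOG_HOUR = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} (\d{2}):\d{2}:\d{2} ")


def decode(line):
    """Decoder phase: {'srcip', 'user', 'hour'} for a pure-ftpd login, else None."""
    m = PUREFTPD_LOGIN.search(line)
    t = SYSLOG_HOUR.match(line)
    if not (m and t):
        return None
    return {**m.groupdict(), "hour": int(t.group(1))}


def evaluate(line, allow):
    """Rule phase: the alert that ends the chain for this line, or None.

    17101 fires on a decoded login during 4 pm - 7 am; a child rule with
    <if_sid>17101</if_sid> and <list field="user" lookup="match_key">
    at level 0 takes over when the decoded user is a KEY of the list.
    match_key is an exact, case-sensitive lookup: 'Transpor' != 'transpor'."""
    fields = decode(line)
    # <time>4 pm - 7 am</time> from rule 17101, at hour granularity
    if fields is None or not (fields["hour"] >= 16 or fields["hour"] < 7):
        return None
    if fields["user"] in allow:
        return {"rule": ALLOW_RULE_ID, "level": ALLOW_RULE_LEVEL,
                "user": fields["user"], "description": "Allow user"}
    return {"rule": PARENT_RULE_ID, "level": PARENT_RULE_LEVEL, "user": fields["user"],
            "description": "Successful login during non-business hours."}


def alerts_to_mail(lines, allow, email_alert_level=7):
    """Alerts that would be mailed: level 0 drops the event and OSSEC's default
    email_alert_level is 7, so only logins by unlisted users get through."""
    results = (evaluate(line, allow) for line in lines)
    return [r for r in results if r and r["level"] >= email_alert_level]


if __name__ == "__main__":
    allow = parse_cdb_source(render_cdb_source(CLIENTS))
    for r in alerts_to_mail(SAMPLE_LOGS, allow):
        print(f"Rule: {r['rule']} fired (level {r['level']}) user={r['user']}")
```

Two checks before relying on this on a real manager. First, paste the pure-ftpd line into /var/ossec/bin/ossec-logtest: the decoding phase has to show the username as the user field (printed as dstuser) or the list lookup has nothing to match, which is the condition dan raised. Second, the path in the ossec.conf <list> entry and in the rule's <list> element must be the same relative path, because ossec-makelists writes <path>.cdb beside the source file; after regenerating the list, confirm with ossec-logtest that the new keys are honoured (and restart ossec-analysisd if they are not). match_key compares the whole decoded field against a key, so capitalisation and stray whitespace in the source file matter.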


Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread dan (ddp)
On Mar 3, 2016 6:30 AM, "Maxim Surdu" wrote:
>
> It is a solution, but can I create a list and a rule to read my whole
> list from the file, or something like this, because now I have 300 clients
> but there can be more and then it will not work anymore.
>

If that username is decoded into a user field, you might be able to create a
cdb database and filter based on that.



Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread Maxim Surdu
It is a solution, but can I create a list and a rule to read my whole
list from the file, or something like this, because now I have 300 clients
but there can be more and then it will not work anymore.

thanks for your responsiveness

On Thursday, 3 March 2016, 12:13:36 UTC+2, dan (ddpbsd) wrote:
>
>
> Have you tried to create multiple rules, each with only a portion of the 
> client list?
>


Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)

2016-03-03 Thread dan (ddp)
On Mar 3, 2016 4:18 AM, "Maxim Surdu" wrote:
>
> Hi dear community,
>
> I installed and configured about 10 agents, and of course I have a lot of
> users; some of these users are FTP clients.
>
> In policy-rules.xml I have the following rules:
>
> <!-- The XML tags in this post were lost in the page extraction and are
>      restored from the remaining values. The ids and levels of 17101/17102
>      match the alert below; the ids and levels of the local rules further
>      down were not preserved and are assumed. -->
> <rule id="17101" level="9">
>   <if_group>authentication_success</if_group>
>   <time>4 pm - 7 am</time>
>   <description>Successful login during non-business hours.</description>
>   <group>login_time,</group>
> </rule>
>
> <rule id="17102" level="9">
>   <if_group>authentication_success</if_group>
>   <weekday>weekends</weekday>
>   <description>Successful login during weekend.</description>
>   <group>login_day,</group>
> </rule>
>
> OSSEC HIDS Notification.
> 2016 Mar 02 19:05:41
>
> Received From: (host.xx.xx) xxx.xxx.xxx.xxx->/var/log/messages
> Rule: 17101 fired (level 9) -> "Successful login during non-business hours."
> Portion of the log(s):
>
> Mar  2 21:05:38 host pure-ftpd: (?@xxx.xxx.xx.xxx) [INFO] transpor is now logged in
>
>  --END OF NOTIFICATION
>
> transpor is the username of my client,
> and I added a rule to ignore alerts for these users because they are clients.
> In local_rules I created the following rules to ignore "Successful login during
> non-business hours" and "Successful login during weekend" for FTP clients:
>
> <rule id="17101" level="9">
>   <if_group>authentication_success</if_group>
>   <time>4 pm - 7 am</time>
>   <description>Successful login during non-business hours.</description>
>   <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,</group>
> </rule>
>
> <rule id="17102" level="9">
>   <if_group>authentication_success</if_group>
>   <weekday>weekends</weekday>
>   <description>Successful login during weekend.</description>
>   <group>login_day,pci_dss_10.2.5,pci_dss_10.6.1,</group>
> </rule>
>
> <rule id="100001" level="0">
>   <if_sid>17101</if_sid>
>   <user>transpor | client1 | client2 | client3 | ... | client 50</user>
>   <description>Session open by Client</description>
> </rule>
>
> <rule id="100002" level="0">
>   <if_sid>17102</if_sid>
>   <user>transpor | client1 | client2 | client3 | ... | client 50</user>
>   <description>Session open by Client</description>
> </rule>
>
> Because I have a lot of clients, OSSEC gives me an error and does not start.
> How can I manage or edit this rule?
>

Have you tried to create multiple rules, each with only a portion of the
client list?
