Turn off rule?

Michael Barrett
Mar 15, 2012, 11:42:14 AM
to ossec...@googlegroups.com

Is there a way to configure the ossec agent to ignore specific Windows events? I have an application that is misbehaving and it's creating ossec alerts for multiple Windows events.

Rule: 18154 (level 10) -> 'Multiple Windows error events.'

Can I configure OSSEC agent to eliminate rule 18154?

____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI  53202 USA | ( 1.414.347.6271 | 7 1.888.601.4440 | * michael...@MGIC.com

This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.

dan (ddp)
Mar 15, 2012, 11:46:29 AM
to ossec...@googlegroups.com
You can generally create rules to ignore logs you don't care about. In
the case of 18154, you should look at the collected log messages and
create rules to ignore the individual ones you don't want to see. If
you keep them from firing 18103 alerts, then 18154 won't be triggered.
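
Dan's point above, that stopping the individual events from firing 18103 is what keeps 18154 quiet, modelled in a small Python simulation. This is an added example, not OSSEC code and not anything posted in this thread: the rule ids 18103 and 18154, the level of 18154 and the "WinEvtLog: System: ERROR(10009): DCOM:" match string come from the thread, while the event lines, the level assigned to 18103, the local rule id 100200 and the matching and counting semantics are assumptions made for the illustration.

```python
"""Simplified model of OSSEC child (if_sid) and composite (if_matched_sid)
rules, showing why a level-0 'ignore' rule for one noisy source stops the
'Multiple Windows error events' rule from firing.

Added example, not OSSEC code.  Rule ids 18103 and 18154 and the DCOM match
string come from the thread; the event lines, the level given to 18103, the
local rule id 100200 and the exact counting semantics are assumptions.
"""
from collections import deque

# Constructed sample events as (seconds, log line); not real captured logs.
EVENTS = [
    (0,  "WinEvtLog: System: ERROR(10009): DCOM: unable to communicate with the computer"),
    (10, "WinEvtLog: System: ERROR(10009): DCOM: unable to communicate with the computer"),
    (20, "WinEvtLog: System: ERROR(7034): Service Control Manager: a service terminated unexpectedly"),
    (30, "WinEvtLog: System: ERROR(10009): DCOM: unable to communicate with the computer"),
    (40, "WinEvtLog: System: ERROR(10009): DCOM: unable to communicate with the computer"),
]

# Base rule: any Windows error event (level 5 is an assumption, not from the thread).
RULE_18103 = {"id": 18103, "level": 5, "match": "WinEvtLog: System: ERROR"}
# Composite rule from the thread: level 10 after `frequency` matches of 18103
# within `timeframe` seconds.
RULE_18154 = {"id": 18154, "level": 10, "if_matched_sid": 18103,
              "frequency": 4, "timeframe": 1600,
              "description": "Multiple Windows error events."}
# Local ignore rule (hypothetical id 100200): refine 18103 for the noisy
# application and drop the event by giving it level 0.
IGNORE_DCOM = {"id": 100200, "level": 0, "if_sid": 18103,
               "match": "WinEvtLog: System: ERROR(10009): DCOM:"}

STOCK_RULES = [RULE_18103, RULE_18154]


def run(events, rules):
    """Feed timestamped events through the rules and return alerts as
    (seconds, rule id, level).  Level-0 matches produce no alert and are
    not counted towards any composite rule."""
    base = [r for r in rules if "if_sid" not in r and "if_matched_sid" not in r]
    children = [r for r in rules if "if_sid" in r]
    composites = [r for r in rules if "if_matched_sid" in r]
    history = {}          # rule id -> deque of match timestamps
    alerts = []
    for ts, line in events:
        matched = next((r for r in base if r["match"] in line), None)
        if matched is None:
            continue
        # A child rule that matches refines the parent; the first match wins.
        for child in children:
            if child["if_sid"] == matched["id"] and child.get("match", "") in line:
                matched = child
                break
        if matched["level"] == 0:
            continue                      # ignored: neither alerted nor counted
        alerts.append((ts, matched["id"], matched["level"]))
        window = history.setdefault(matched["id"], deque())
        window.append(ts)
        for comp in composites:
            if comp["if_matched_sid"] != matched["id"]:
                continue
            while window and ts - window[0] > comp["timeframe"]:
                window.popleft()          # drop matches outside the timeframe
            if len(window) >= comp["frequency"]:
                alerts.append((ts, comp["id"], comp["level"]))
                window.clear()            # start a fresh count after firing
    return alerts


def count(alerts, rule_id):
    """Number of alerts raised by one rule id."""
    return sum(1 for _, rid, _ in alerts if rid == rule_id)


if __name__ == "__main__":
    noisy = run(EVENTS, STOCK_RULES)
    quiet = run(EVENTS, STOCK_RULES + [IGNORE_DCOM])
    print("without ignore rule: 18154 fired %d time(s)" % count(noisy, 18154))
    print("with ignore rule:    18154 fired %d time(s), 18103 fired %d time(s)"
          % (count(quiet, 18154), count(quiet, 18103)))
```

With only the stock rules, the four DCOM errors inside the timeframe trip 18154; with the level-0 child rule in place, those events never become 18103 alerts, so the composite rule has nothing to count and only the unrelated Service Control Manager error is alerted on.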

Thomas Bartos
Mar 15, 2012, 12:09:15 PM
to ossec...@googlegroups.com
Hi Michael

I have a rule limiting alerts on 18154 events inside my local_rules.xml file
<rule id="101013" level="7" frequency="4" timeframe="1600">
<if_matched_sid>18154</if_matched_sid>
<match>WinEvtLog: System: ERROR(13): NPS:</match>
<description>turn down the noise on this event</description>
</rule>
My understanding is that this rule will generate an email (level 7) after more than 4 matching events, and will not send more than one alert every 1600 seconds.

http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf
Read the section on Understanding rules in this doc; it helped me a lot to grasp alert filtering.

I'm still new to this. If someone sees an error with my rule, I don't mind if you point out the error of my ways...
cheers
-tom

Michael Barrett
Mar 16, 2012, 10:40:34 AM
to ossec...@googlegroups.com

I tried the rule change below and got an error when I tried to start ossec.

-bash-3.2# /etc/init.d/ossec-hids start
Starting ossec-hids: 2012/03/16 09:37:46 ossec-testrule: INFO: Reading local decoder file.
2012/03/16 09:37:46 rules_op: Invalid root element "rule".Only "group" is allowed
2012/03/16 09:37:46 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
2012/03/16 09:37:46 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
2012/03/16 09:37:46 ossec-logcollector(1905): INFO: No file configured to monitor.
2012/03/16 09:37:49 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/03/16 09:37:49 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.


Then I tried the example from the book to disable the rule altogether and got the same error.

Here is the file; can someone tell me what I did wrong, please?

-bash-3.2# cat local_rules.xml.filter
<!-- @(#) $Id$
  -  Example of local rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->

<rule id="101013" level="0">
        <if_sid>18154</if_sid>
        <description>turn down the noise on this event</description>
</rule>

<!-- Modify it at your will. -->

<group name="local,syslog,">

  <!-- Note that rule id 5711 is defined at the ssh_rules file
    -  as a ssh failed login. This is just an example
    -  since ip 1.1.1.1 shouldn't be used anywhere.
    -  Level 0 means ignore.
    -->
  <rule id="100001" level="0">
    <if_sid>5711</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>Example of rule that will ignore sshd </description>
    <description>failed logins from IP 1.1.1.1.</description>
  </rule>


  <!-- This example will ignore ssh failed logins for the user name XYZABC.
    -->
  <!--
  <rule id="100020" level="0">
    <if_sid>5711</if_sid>
    <user>XYZABC</user>
    <description>Example of rule that will ignore sshd </description>
    <description>failed logins for user XYZABC.</description>
  </rule>
  -->


  <!-- Specify here a list of rules to ignore. -->
  <!--
  <rule id="100030" level="0">
    <if_sid>12345, 23456, xyz, abc</if_sid>
    <description>List of rules to be ignored.</description>
  </rule>
  -->

<rule id="101013" level="7" frequency="4" timeframe="1600">
        <if_matched_sid>18154</if_matched_sid>
        <match>WinEvtLog: System: ERROR(10009): DCOM:</match>
        <description>turn down the noise on this event</description>
</rule>



</group> <!-- SYSLOG,LOCAL -->


<!-- EOF -->

dan (ddp)
Mar 16, 2012, 10:52:47 AM
to ossec...@googlegroups.com
On Fri, Mar 16, 2012 at 10:40 AM, Michael Barrett <Michael...@mgic.com> wrote:

I tried the rule change below and got an error when I tried to start ossec.

-bash-3.2# /etc/init.d/ossec-hids start
Starting ossec-hids: 2012/03/16 09:37:46 ossec-testrule: INFO: Reading local decoder file.
2012/03/16 09:37:46 rules_op: Invalid root element "rule".Only "group" is allowed

^^^^^

2012/03/16 09:37:46 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
2012/03/16 09:37:46 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
2012/03/16 09:37:46 ossec-logcollector(1905): INFO: No file configured to monitor.
2012/03/16 09:37:49 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2012/03/16 09:37:49 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.


Then I tried the example from the book to disable the rule altogether and got the same error


Here is the file, can someone tell me what I did wrong please?

-bash-3.2# cat local_rules.xml.filter
<!-- @(#) $Id$
  -  Example of local rules for OSSEC.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->

<group name="local,">

<rule id="101013" level="0">
        <if_sid>18154</if_sid>
        <description>turn down the noise on this event</description>
</rule>

<!-- Modify it at your will. -->


<!--
 
<group name="local,syslog,">


-->
 

Michael Barrett
Mar 16, 2012, 11:36:25 AM
to ossec...@googlegroups.com

Dan

Did you mean to reply with no comment?

dan (ddp)
Mar 16, 2012, 12:31:22 PM
to ossec...@googlegroups.com
My comments show up in my copy and the web copy.

Michael Barrett
Mar 16, 2012, 3:35:03 PM
to ossec...@googlegroups.com

There is a web copy?  Is that like a site with the discussion threads in it?

What's the url?


Michael Barrett
Mar 16, 2012, 3:37:07 PM
to ossec...@googlegroups.com

I think your reply got corrupted in my email server?  Was it here where the red box is?

dan (ddp)
Mar 16, 2012, 4:00:56 PM
to ossec...@googlegroups.com
On Fri, Mar 16, 2012 at 3:37 PM, Michael Barrett
<Michael...@mgic.com> wrote:
>
>
> I think your reply got corrupted in my email server?  Was it here where
> the red box is?
>

That wasn't a corruption, it was pointing out the error in the log
messages you posted. It was meant as a hint. I also (probably) fixed
the config for you further down the email.

Instead of dragging this out more though, rules need to be in groups.
The rule at the top of your rule file was not inside of the <group
name="whatever"> tag, it was all by itself. The error message I tried
to draw attention to pointed that out.
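
The structural check Dan describes (every <rule> must sit inside a <group>), as a small Python pre-flight script to run on local_rules.xml before restarting ossec-hids. This is an added example and not part of OSSEC or of this thread: the two embedded samples are constructed from the rules posted above, the synthetic wrapper root is an implementation detail of the script (OSSEC rule files have several top-level <group> elements and no single document root), and the duplicate-id check is an extra sanity check added here, not something the thread says OSSEC enforces.

```python
"""Check an OSSEC local_rules.xml for the structural mistake in this thread
before restarting ossec-hids.  Added example, not part of OSSEC.

OSSEC rule files carry several top-level <group> elements and no single
document root, so the text is wrapped in a synthetic root before parsing
(an implementation choice of this script).  The first check mirrors the
analysisd error quoted in the thread; the duplicate-id check is an extra
sanity check added here, not something the thread says OSSEC enforces.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the shape that produced 'Invalid root element "rule"'
# (a rule outside any <group>, and the same id used twice).
BAD_SAMPLE = """
<rule id="101013" level="0">
  <if_sid>18154</if_sid>
  <description>turn down the noise on this event</description>
</rule>

<group name="local,syslog,">
  <rule id="101013" level="7" frequency="4" timeframe="1600">
    <if_matched_sid>18154</if_matched_sid>
    <match>WinEvtLog: System: ERROR(10009): DCOM:</match>
    <description>turn down the noise on this event</description>
  </rule>
</group>
"""

# Constructed sample: the same ignore rule, inside a <group> and with a unique id.
GOOD_SAMPLE = """
<group name="local,">
  <rule id="101013" level="0">
    <if_sid>18154</if_sid>
    <description>turn down the noise on this event</description>
  </rule>
</group>
"""


def check_local_rules(xml_text):
    """Return a list of problem descriptions; an empty list means no issue found."""
    try:
        root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems = []
    # Every top-level element must be a <group>; this is the check that
    # produced 'Invalid root element "rule"' in the thread.
    for child in root:
        if child.tag != "group":
            problems.append('invalid root element "%s": only "group" is allowed' % child.tag)
    # Extra sanity check (added here): each rule id should be unique.
    seen = set()
    for rule in root.iter("rule"):
        rid = rule.get("id")
        if rid is None:
            problems.append("<rule> without an id attribute")
        elif rid in seen:
            problems.append("rule id %s is defined more than once" % rid)
        else:
            seen.add(rid)
    return problems


if __name__ == "__main__":
    import sys
    # With a path argument the file is checked; without one, the bad sample is.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_SAMPLE
    found = check_local_rules(text)
    for problem in found:
        print("PROBLEM: " + problem)
    if not found:
        print("no structural problems found")
```

Run it with the path to your local_rules.xml as the only argument. ElementTree discards XML comments while parsing, so rules that are commented out in the file (like the stock examples in the default local_rules.xml) are correctly not counted as duplicates.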

dan (ddp)
Mar 16, 2012, 3:58:53 PM
to ossec...@googlegroups.com
On Fri, Mar 16, 2012 at 3:35 PM, Michael Barrett
<Michael...@mgic.com> wrote:
>
>
> There is a web copy?  Is that like a site with the discussion threads in it?
>
> What's the url?
>

http://groups.google.com

Michael Barrett
Mar 16, 2012, 4:36:06 PM
to ossec...@googlegroups.com

Thanks

Works now!