logtest works, but ossec restarted does not?


Janelle

Dec 19, 2013, 10:07:11 AM12/19/13
to ossec...@googlegroups.com
Hello,

I was wondering if anyone has any idea how -- when passing a log entry through ossec-logtest the correct rule fires. However, a restart of ossec never catches the rule. Even a subsequent logtest run shows the correct rule still fires, but not "live"?

Any ideas on what to look for? 

thanks
~J

dan (ddp)

Dec 19, 2013, 10:25:26 AM12/19/13
to ossec...@googlegroups.com
Make sure the log message looks the same to OSSEC as the log message
you are testing with. You can turn the log all option on in the OSSEC
server (this does add a header to the log entry in archives.log, but
that's easy to strip).

> thanks
> ~J
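The check Dan describes (take the line OSSEC actually saw from archives.log, strip the header OSSEC prepends, and replay it through ossec-logtest) can be scripted. The script below is an added example, not code from this thread or from the OSSEC project. It assumes the usual archives.log header layout, `YYYY Mon DD HH:MM:SS (agentname) ip->location` for agent events and `YYYY Mon DD HH:MM:SS hostname->location` for local ones, that ossec-logtest is at /var/ossec/bin/ossec-logtest (overridable via OSSEC_LOGTEST), and uses a sample archive line constructed from Janelle's event.

```shell
#!/bin/sh
# Added example: replay archives.log entries through ossec-logtest so the
# text fed to logtest is byte-for-byte what the analysis daemon received.
# Header layout assumed (check against your own archives.log):
#   2013 Dec 19 10:07:11 (agentname) 1.2.3.4->/var/log/secure <original line>
#   2013 Dec 19 10:07:11 hostname->/var/log/secure <original line>

# Strip the archives.log prefix: date, optional "(agent)" tag, and the
# "source->location " field, leaving only the original log line.
strip_archives_header() {
    sed -E 's/^[0-9]{4} [A-Za-z]{3} [ 0-9]{1,2} [0-9:]{8} (\([^)]*\) )?[^ ]+->[^ ]+ //'
}

# Select the archive entries containing a fixed string (e.g. "Accepted password"),
# strip their headers and pipe them into ossec-logtest. The logtest path is an
# assumption; override it with OSSEC_LOGTEST if your install differs.
replay_from_archives() {
    archive_file=$1   # typically /var/ossec/logs/archives/archives.log
    needle=$2         # literal text to look for in the archived lines
    grep -F -- "$needle" "$archive_file" \
        | strip_archives_header \
        | "${OSSEC_LOGTEST:-/var/ossec/bin/ossec-logtest}"
}

# Constructed sample entry (not a real capture) built from the event in the
# thread, wrapped in an agent-style archives.log header.
SAMPLE_ARCHIVE_LINE='2013 Dec 19 10:07:11 (dmzhost) 1.2.3.4->/var/log/secure 2013-11-22T16:11:03.284334+00:00 server_name_in_cdb sshd[25855]: Accepted password for dummy_user from 1.2.3.4 port 36303 ssh2'
```

Run `printf '%s\n' "$SAMPLE_ARCHIVE_LINE" | strip_archives_header` to see the stripped line, then `replay_from_archives /var/ossec/logs/archives/archives.log 'Accepted password'` against a live archive; if logtest reports rule 111717 on the replayed line but the live daemon only ever logs 5715, the difference is not in the text of the event itself and the hostname/list lookup is the next place to compare.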

Janelle

Dec 19, 2013, 11:25:45 AM12/19/13
to ossec...@googlegroups.com
Verified from archives.log -- (it was already enabled) and it still fires with ossec-logtest, but not when running LIVE. This is so strange.

Here is the generic info:

**Phase 1: Completed pre-decoding.
       full event: '2013-11-22T16:11:03.284334+00:00 server_name_in_cdb  sshd[25855]: Accepted password for dummy_user from 1.2.3.4 port 36303 ssh2'
       hostname: 'server_name_in_cdb'
       program_name: 'sshd'
       log: 'Accepted password for dummy_user from 1.2.3.4 port 36303 ssh2'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'dummy_user'
       srcip: '1.2.3.4'

**Phase 3: Completed filtering (rules).
       Rule id: '111717'
       Level: '13'
       Description: 'DMZ System - SSHD password success.'
**Alert to be generated.



and the rule: (in local_rules.xml)


  <rule id="111717" level="13">
    <if_sid>5700</if_sid>
    <list field="hostname" lookup="match_key">lists/dmz</list>
    <match>^Accepted password|authenticated.$</match>
    <description>DMZ System - SSHD password success.</description>
    <group>authentication_success,</group>
  </rule>



But in production (same server obviously), the rule that keeps firing is the regular 5715 (in sshd_rules.xml):

  <rule id="5715" level="3">
    <if_sid>5700</if_sid>
    <match>^Accepted|authenticated.$</match>
    <description>SSHD authentication success.</description>
    <group>authentication_success,</group>
  </rule>


Any other suggestions?

dan (ddp)

Dec 19, 2013, 1:52:32 PM12/19/13
to ossec...@googlegroups.com
On Thu, Dec 19, 2013 at 11:25 AM, Janelle <janelle...@gmail.com> wrote:
> Verified from archives.log -- (it was already enabled) and it still fires
> with ossec-logtest, but not when running LIVE. This is so strange.
>
> and the rule: (in local_rules.xml)
>
> <rule id="111717" level="13">
> <if_sid>5700</if_sid>

Does it work if you change the if_sid to 5715?

Janelle

Dec 19, 2013, 5:10:17 PM12/19/13
to ossec...@googlegroups.com
Nope.  :-(

Janelle

Dec 19, 2013, 5:38:47 PM12/19/13
to ossec...@googlegroups.com
It looks like it is related to HYBRID mode. It works correctly on a SERVER, but not a server running in HYBRID mode!!


Janelle

Dec 19, 2013, 5:42:54 PM12/19/13
to ossec...@googlegroups.com
I misspoke - nothing to do with hybrid. Ignore that.

Jeremy Rossi

Mar 18, 2014, 1:00:46 PM3/18/14
to ossec...@googlegroups.com
https://github.com/ossec/ossec-hids/issues/147 To track this issue. I am not able to reproduce it at this time, but I will be using this to test some more. Please follow the github issue if you want to follow along with updates.