Disable all rules for ossec server


Huc Manté Miras

Apr 25, 2017, 11:25:57 AM
to ossec-list
Hello,

I am trying to disable all rules on the ossec server.

Is this possible?

Thanks!!

dan (ddp)

Apr 25, 2017, 11:41:56 AM
to ossec...@googlegroups.com


On Apr 25, 2017 11:25 AM, "Huc Manté Miras" <hucm...@gmail.com> wrote:
> Hello,
>
> I am trying to disable all rules on the ossec server.
>
> Is this possible?

Have you tried removing the rules from the server's ossec.conf?

> Thanks!!

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Huc Manté Miras

Apr 26, 2017, 5:42:22 AM
to ossec-list
I tried to remove all includes but it does not work :(


On Tuesday, 25 April 2017, 17:41:56 (UTC+2), dan (ddpbsd) wrote:
>
> On Apr 25, 2017 11:25 AM, "Huc Manté Miras" <hucm...@gmail.com> wrote:
>> Hello,
>>
>> I am trying to disable all rules on the ossec server.
>>
>> Is this possible?
>
> Have you tried removing the rules from the server's ossec.conf?
>
>> Thanks!!

Jesus Linares

Apr 26, 2017, 5:48:16 AM
to ossec-list
I don't know if it is possible, but why do you want to do it?

Nikki S

Apr 26, 2017, 10:26:02 AM
to ossec-list
Yes, you can disable all rules via OSSEC.conf. From the testing I did, the only rules that always have to remain enabled are OSSEC.rules, rules_config and local rules.

dan (ddp)

Apr 26, 2017, 3:01:24 PM
to ossec...@googlegroups.com
On Wed, Apr 26, 2017 at 5:42 AM, Huc Manté Miras <hucm...@gmail.com> wrote:
> I tried to remove all includes but it does not work :(
>

You provided me with no information to help correct the issue.

Huc Manté Miras

May 2, 2017, 4:23:19 AM
to ossec-list
Hello,

Thanks for the reply, but I can not get it to work.

I made the changes to the file as you indicated and tried to restart ossec, but it failed.

root@OSSEC-SERVER-UBUNTU:/var/ossec/etc# cat ossec.conf | grep rules
  <rules>
    <include>rules_config.xml</include>
    <include>ossec_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
root@OSSEC-SERVER-UBUNTU:/var/ossec/etc# ../bin/ossec-control restart
ossec-monitord not running ..
ossec-logcollector not running ..
ossec-remoted not running ..
ossec-syscheckd not running ..
ossec-analysisd not running ..
ossec-maild not running ..
ossec-execd not running ..
ossec-dbd not running ..
OSSEC HIDS v2.8.3 Stopped
Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
OSSEC analysisd: Testing rules failed. Configuration error. Exiting.
root@OSSEC-SERVER-UBUNTU:/var/ossec/etc#

Huc Manté Miras

May 2, 2017, 4:24:23 AM
to ossec-list
Sorry man, in my last comment I sent the information.

Huc Manté Miras

May 2, 2017, 4:37:15 AM
to ossec-list
Only two rule files need to be included:

  <rules>
    <include>rules_config.xml</include>
    <include>ossec_rules.xml</include>
  </rules>

dan (ddp)

May 3, 2017, 4:50:10 PM
to ossec...@googlegroups.com
On Tue, May 2, 2017 at 4:37 AM, Huc Manté Miras <hucm...@gmail.com> wrote:
> Only two rule files need to be included:
>
>
> <rules>
> <include>rules_config.xml</include>
> <include>ossec_rules.xml</include>
> </rules>
>

Using just those 2 files allows OSSEC to start for me.
You can check the ossec.log for more information on why it failed. I'm
guessing something in local_rules.xml that relied on a rule that was
removed.

Huc Manté Miras

May 10, 2017, 6:23:59 AM
to ossec-list
Hi dan,
It works.

Only include two files:

  <rules>
    <include>rules_config.xml</include>
    <include>ossec_rules.xml</include>
  </rules>

And change the config in rules_config.xml to:

<!-- @(#) $Id: ./etc/rules/rules_config.xml, 2011/09/08 dcid Exp $

  -  Rules config.
  -  Configuration options. This file must always be included, otherwise
  -  most of the rules will not work properly.
  -
  -  Copyright (C) 2009 Trend Micro Inc.
  -  All rights reserved.
  -
  -  This program is a free software; you can redistribute it
  -  and/or modify it under the terms of the GNU General Public
  -  License (version 2) as published by the FSF - Free Software
  -  Foundation.
  -
  -  License details: http://www.ossec.net/en/licensing.html
  -->


<group name="syslog">
  <rule id="01" level="0" noalert="1">
    <category>syslog</category>
    <description>Generic template for all syslog rules.</description>
  </rule>
</group>

<group name="ids">
  <rule id="03" level="0" noalert="1">
    <category>ids</category>
    <description>Generic template for all ids rules.</description>
  </rule>
</group>

<group name="windows">
  <rule id="06" level="0" noalert="1">
    <category>windows</category>
    <description>Generic template for all windows rules.</description>
  </rule>
</group>

<group name="ossec">
  <rule id="07" level="0" noalert="1">
    <category>ossec</category>
    <description>Generic template for all ossec rules.</description>
  </rule>
</group>


<!-- EOF -->

Then restart ossec.

Thanks for help!
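The thread ends with a working two-file rule set, and dan's diagnosis was that the earlier failure came from something in local_rules.xml relying on a rule that had been removed. As an added example that is not part of the thread or of OSSEC itself, this script resolves the `<include>` list from ossec.conf and reports rules whose `if_sid` / `if_matched_sid` point at ids no included file defines, so the dependency can be spotted before `ossec-control restart` fails on "Testing rules failed". The sample inputs are constructed (the id 99999 is made up); in practice you would read the files from /var/ossec/etc and /var/ossec/rules.

```python
# Added example (not OSSEC project code): check a trimmed OSSEC rule set for
# dangling if_sid / if_matched_sid references, the failure dan suspected in
# local_rules.xml. Rule files are XML fragments, so they get a synthetic root.
import re
import xml.etree.ElementTree as ET

INCLUDE_RE = re.compile(r"<include>\s*([^<\s]+)\s*</include>")

def included_rule_files(ossec_conf):
    """Rule files listed inside <rules>...</rules> of ossec.conf, in order."""
    block = re.search(r"<rules>(.*?)</rules>", ossec_conf, re.S)
    return INCLUDE_RE.findall(block.group(1)) if block else []

def parse_rules(xml_text):
    """Map each rule id to the set of rule ids it depends on."""
    deps = {}
    for rule in ET.fromstring("<root>" + xml_text + "</root>").iter("rule"):
        needs = set()
        for dep in rule.findall("if_sid") + rule.findall("if_matched_sid"):
            needs.update(s.strip() for s in (dep.text or "").split(",") if s.strip())
        deps[rule.get("id")] = needs
    return deps

def dangling_references(ossec_conf, rule_files):
    """{file: {rule_id: missing ids}} for rules that depend on ids no included
    file defines. rule_files maps file name -> contents (/var/ossec/rules/*)."""
    per_file = {f: parse_rules(rule_files[f])
                for f in included_rule_files(ossec_conf) if f in rule_files}
    defined = {rid for rules in per_file.values() for rid in rules}
    missing = {}
    for fname, rules in per_file.items():
        for rid, needs in rules.items():
            if needs - defined:
                missing.setdefault(fname, {})[rid] = needs - defined
    return missing

# Constructed sample inputs modelled on the thread: the three-file ossec.conf
# that failed to start, a minimal rules_config.xml, and a local rule whose
# if_sid targets an id (99999, made up) that the trimmed rule set no longer has.
SAMPLE_CONF = """<ossec_config><rules>
    <include>rules_config.xml</include>
    <include>ossec_rules.xml</include>
    <include>local_rules.xml</include>
  </rules></ossec_config>"""
SAMPLE_FILES = {
    "rules_config.xml": '<group name="syslog"><rule id="01" level="0" noalert="1"><category>syslog</category><description>Generic template for all syslog rules.</description></rule></group>',
    "ossec_rules.xml": '<group name="ossec"><rule id="07" level="0" noalert="1"><category>ossec</category><description>Template (constructed).</description></rule></group>',
    "local_rules.xml": '<group name="local"><rule id="100001" level="5"><if_sid>99999</if_sid><description>Constructed local rule with a dangling if_sid.</description></rule></group>',
}
```

Running `dangling_references(SAMPLE_CONF, SAMPLE_FILES)` reports local_rules.xml rule 100001 as depending on the missing 99999; dropping the local_rules.xml include, as the final post does, yields no findings.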