overwrite rules from Local_rules.xml does not work
964 views
Skip to first unread message
Khoshal A R.
Feb 2, 2015, 8:58:31 AM2/2/15
to ossec...@googlegroups.com
Hi,
Can you please help me in what I m doing wrong in modifying the severity of the rules that I m trying in local_rules.xml.
OS : Kali-Linux
OSSEC version : 2.8.1
Â
Please find the local_rules.xml file entries below for the overwrite:
Everything else works , but I need to change the severity of certain rules for the meaningful alerts and fine tune the frequency they are executed.
Appreciate your help.
Â
Â
Â
<rule id="100102" level="12" overwrite="yes">
   <if_sid>18104</if_sid>
   <id>^513$|^4609$</id>
   <description>Windows is shutting down.</description>
   <group>system_shutdown,</group>
 </rule>
 -->
Â
 <!--
<rule id="100103" level="13" overwrite="yes">
   <if_sid>18103</if_sid>
   <id>^13570$</id>
   <description>Windows file system full.</description>
   <group>low_diskspace,</group>
 </rule>
 -->
Â
 <!--
<rule id="100104" level="12" overwrite="yes">
<if_sid>18100,18103</if_sid>
<status>^ERROR</status>
<description>Windows error event.</description>
<group>system_error,</group>
</rule>
 -->
Â
 <!--
<rule id="100105" level="12" overwrite="yes">
 <if_sid>18100,18105</if_sid>
   <status>^AUDIT_FAILURE|^failure</status>
   <description>Windows audit failure event.</description>
 </rule>
 -->
Â
</group> <!-- SYSLOG,LOCAL -->
Â
Regards,
Khoshal AR
Sonata Software Limited
Â
Â
dan (ddp)
Feb 2, 2015, 9:01:25 AM2/2/15
to ossec...@googlegroups.com
On Mon, Feb 2, 2015 at 8:57 AM, Khoshal A R.
<khosh...@sonata-software.com> wrote:
> Hi,
>
> Can you please help me in what I m doing wrong in modifying the severity of
> the rules that I m trying in local_rules.xml.
>
> OS : Kali-Linux
>
> OSSEC version : 2.8.1
>
>
>
> Please find the local_rules.xml file entries below for the overwrite:
>
> Everything else works , but I need to change the severity of certain rules
> for the meaningful alerts and fine tune the frequency they are executed.
>
> Appreciate your help.
>
Are all of these rules commented out in the local_rules.xml file as well?
<khosh...@sonata-software.com> wrote:
> Hi,
>
> Can you please help me in what I m doing wrong in modifying the severity of
> the rules that I m trying in local_rules.xml.
>
> OS : Kali-Linux
>
> OSSEC version : 2.8.1
>
>
>
> Please find the local_rules.xml file entries below for the overwrite:
>
> Everything else works , but I need to change the severity of certain rules
> for the meaningful alerts and fine tune the frequency they are executed.
>
> Appreciate your help.
>
Did you restart the OSSEC processes after making the changes?
Do you have log samples that can be tested with ossec-logtest?
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Khoshal A R.
Feb 2, 2015, 9:26:22 AM2/2/15
to ossec...@googlegroups.com
Hi,
Thanx for quick response.
These entries are not commented in local_rules.xml, here is one sample rule I am trying to modify the severity,
<rule id="100111" level="13" overwrite="yes">
<if_sid>18105,18106,18116</if_sid>
<match>illegal user|invalid user</match>
<description>Attempt to login using a non-existent user</description>
<group>invalid_login,authentication_failed,</group>
</rule>
Also , I am restarting OSSEC after every little change in the config files.If I set the mail alert to less than 12 I get the alerts correctly but as there are too many events Im flooded with mails hence I'm trying to increase the severity of few events like the one above mentioned.
I'm also checking the /var/ossec/logs/alerts/alerts.log after I made the entry in local_rules.xml and restarted OSSEC, but alerts.log still gives the rule number in the msauth_rules.xml and not the rule number on local_rules.xml,
Please let me know if you need more info,
Regards,
Khoshal AR
Thanx for quick response.
These entries are not commented in local_rules.xml, here is one sample rule I am trying to modify the severity,
<rule id="100111" level="13" overwrite="yes">
<if_sid>18105,18106,18116</if_sid>
<match>illegal user|invalid user</match>
<description>Attempt to login using a non-existent user</description>
<group>invalid_login,authentication_failed,</group>
</rule>
Also , I am restarting OSSEC after every little change in the config files.If I set the mail alert to less than 12 I get the alerts correctly but as there are too many events Im flooded with mails hence I'm trying to increase the severity of few events like the one above mentioned.
I'm also checking the /var/ossec/logs/alerts/alerts.log after I made the entry in local_rules.xml and restarted OSSEC, but alerts.log still gives the rule number in the msauth_rules.xml and not the rule number on local_rules.xml,
Please let me know if you need more info,
Regards,
Khoshal AR
dan (ddp)
Feb 2, 2015, 9:33:16 AM2/2/15
to ossec...@googlegroups.com
On Mon, Feb 2, 2015 at 9:24 AM, Khoshal A R.
<khosh...@sonata-software.com> wrote:
> Hi,
Or, are you misunderstanding the overwrite option? You should use
overwrite when there is a rule in the *_rules.xml files that come with
OSSEC that you want to modify. If you are creating a new rule, you
should not be using the overwrite option.
For example, if you wanted to change the level of rule 18105, you could use:
<rule id="18105" level="12" overwrite="yes">
<if_sid>18100</if_sid>
addition of the overwrite option.
<khosh...@sonata-software.com> wrote:
> Hi,
> Thanx for quick response.
>
> These entries are not commented in local_rules.xml, here is one sample rule I am trying to modify the severity,
>
> <rule id="100111" level="13" overwrite="yes">
I don't have a 100111, can you provide your original rule with id 100111?
>
> These entries are not commented in local_rules.xml, here is one sample rule I am trying to modify the severity,
>
> <rule id="100111" level="13" overwrite="yes">
Or, are you misunderstanding the overwrite option? You should use
overwrite when there is a rule in the *_rules.xml files that come with
OSSEC that you want to modify. If you are creating a new rule, you
should not be using the overwrite option.
For example, if you wanted to change the level of rule 18105, you could use:
<rule id="18105" level="12" overwrite="yes">
<if_sid>18100</if_sid>
<status>^AUDIT_FAILURE|^failure</status>
<description>Windows audit failure event.</description>
</rule>
Notice how the "rule id" does not change, only the level and the
<description>Windows audit failure event.</description>
</rule>
addition of the overwrite option.
Khoshal A R.
Feb 2, 2015, 10:00:46 AM2/2/15
to ossec...@googlegroups.com
Hi,
I tried without changing the rule_id , but somewhere in the on the online docs I got this idea to use the new rule ID, however now as you mentioned I ve reverted back and to narrow the issue I m pasting the config entry in local_rules.xml and the corresponding output from /var/ossec/logs/alerts/alerts.log
This is the entry in local_rules.xml:
<rule id="18106" level="13" overwrite="yes">
<if_sid>18105</if_sid>
<id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
<description>Windows Logon Failure.</description>
<group>win_authentication_failed,</group>
</rule>
Then I tried with the invalid password to one of our windows agent and here is the output from alerts.log
** Alert 1422888616.112065949: - windows,win_authentication_failed,
2015 Feb 02 14:50:16 (RZP_NA_PROD_RDP01) 10.0.0.6->WinEvtLog
Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
User: (no user)
2015 Feb 02 09:50:05 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: RZPPROD-RDP01: An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: khoshalk Account Domain: RZPPROD-RDP01 Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: BG1NB189 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted.
Email alert level is set to 12 in ossec.conf and I ve restarted OSSEC after I added to the local_rules.xml.
Can you please figure out where exactly Im going wrong with this,
I tried without changing the rule_id , but somewhere in the on the online docs I got this idea to use the new rule ID, however now as you mentioned I ve reverted back and to narrow the issue I m pasting the config entry in local_rules.xml and the corresponding output from /var/ossec/logs/alerts/alerts.log
This is the entry in local_rules.xml:
<rule id="18106" level="13" overwrite="yes">
<if_sid>18105</if_sid>
<id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
<description>Windows Logon Failure.</description>
<group>win_authentication_failed,</group>
</rule>
Then I tried with the invalid password to one of our windows agent and here is the output from alerts.log
** Alert 1422888616.112065949: - windows,win_authentication_failed,
2015 Feb 02 14:50:16 (RZP_NA_PROD_RDP01) 10.0.0.6->WinEvtLog
Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
User: (no user)
2015 Feb 02 09:50:05 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: RZPPROD-RDP01: An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: khoshalk Account Domain: RZPPROD-RDP01 Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: BG1NB189 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted.
Email alert level is set to 12 in ossec.conf and I ve restarted OSSEC after I added to the local_rules.xml.
Can you please figure out where exactly Im going wrong with this,
dan (ddp)
Feb 2, 2015, 10:05:49 AM2/2/15
to ossec...@googlegroups.com
On Mon, Feb 2, 2015 at 9:59 AM, Khoshal A R.
<khosh...@sonata-software.com> wrote:
> Hi,
>
let me know and I'll try to make it more clear.
> This is the entry in local_rules.xml:
>
> <rule id="18106" level="13" overwrite="yes">
> <if_sid>18105</if_sid>
> <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
> <description>Windows Logon Failure.</description>
> <group>win_authentication_failed,</group>
> </rule>
>
> Then I tried with the invalid password to one of our windows agent and here is the output from alerts.log
>
> ** Alert 1422888616.112065949: - windows,win_authentication_failed,
> 2015 Feb 02 14:50:16 (RZP_NA_PROD_RDP01) 10.0.0.6->WinEvtLog
> Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
The rule you modified is 18106, this log message triggers 18138. I
don't see anything in 18138 that would be affected by the change in
18106. I'm not very confused as to what you're trying to do, because
this doesn't really make much sense.
<khosh...@sonata-software.com> wrote:
> Hi,
>
> I tried without changing the rule_id , but somewhere in the on the online docs I got this idea to use the new rule ID, however now as you mentioned I ve reverted back and to narrow the issue I m pasting the config entry in local_rules.xml and the corresponding output from /var/ossec/logs/alerts/alerts.log
>
If you figure out what part of the documentation gave you that idea,
>
let me know and I'll try to make it more clear.
> This is the entry in local_rules.xml:
>
> <rule id="18106" level="13" overwrite="yes">
> <if_sid>18105</if_sid>
> <id>^529$|^530$|^531$|^532$|^533$|^534$|^535$|^536$|^537$|^539$|^4625$</id>
> <description>Windows Logon Failure.</description>
> <group>win_authentication_failed,</group>
> </rule>
>
> Then I tried with the invalid password to one of our windows agent and here is the output from alerts.log
>
> ** Alert 1422888616.112065949: - windows,win_authentication_failed,
> 2015 Feb 02 14:50:16 (RZP_NA_PROD_RDP01) 10.0.0.6->WinEvtLog
> Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
don't see anything in 18138 that would be affected by the change in
18106. I'm not very confused as to what you're trying to do, because
this doesn't really make much sense.
Khoshal A R.
Feb 2, 2015, 10:16:00 AM2/2/15
to ossec...@googlegroups.com
Hi,
No Please, I meant I ended up goin to some blog online and I tried that solution, not on the OSSEC documentation, definitely not.
Can you please help on noticing where I'm going wrong on the below configuration.
No Please, I meant I ended up goin to some blog online and I tried that solution, not on the OSSEC documentation, definitely not.
Can you please help on noticing where I'm going wrong on the below configuration.
dan (ddp)
Feb 2, 2015, 10:17:04 AM2/2/15
to ossec...@googlegroups.com
On Mon, Feb 2, 2015 at 10:12 AM, Khoshal A R.
<khosh...@sonata-software.com> wrote:
> Hi,
>
rule that's being triggered, if that's your final goal.
<khosh...@sonata-software.com> wrote:
> Hi,
>
> No Please, I meant I ended up goin to some blog online and I tried that solution, not on the OSSEC documentation, definitely not.
>
> Can you please help on noticing where I'm going wrong on the below configuration.
>
Besides that I already pointed out? Try changing the level for the
>
> Can you please help on noticing where I'm going wrong on the below configuration.
>
rule that's being triggered, if that's your final goal.
dan (ddp)
Feb 2, 2015, 10:24:40 AM2/2/15
to ossec...@googlegroups.com
On Mon, Feb 2, 2015 at 10:16 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Mon, Feb 2, 2015 at 10:12 AM, Khoshal A R.
> <khosh...@sonata-software.com> wrote:
>> Hi,
>>
>> No Please, I meant I ended up goin to some blog online and I tried that solution, not on the OSSEC documentation, definitely not.
>>
>> Can you please help on noticing where I'm going wrong on the below configuration.
>>
>
>
> Besides that I already pointed out? Try changing the level for the
> rule that's being triggered, if that's your final goal.
>
If you're trying to modify the level of the alert that you posted, try this:
> On Mon, Feb 2, 2015 at 10:12 AM, Khoshal A R.
> <khosh...@sonata-software.com> wrote:
>> Hi,
>>
>> No Please, I meant I ended up goin to some blog online and I tried that solution, not on the OSSEC documentation, definitely not.
>>
>> Can you please help on noticing where I'm going wrong on the below configuration.
>>
>
>
> Besides that I already pointed out? Try changing the level for the
> rule that's being triggered, if that's your final goal.
>
<rule id="18138" level="12" overwrite="yes">
<if_sid>18106</if_sid>
<id>^539$|^4625$</id>
<description>Logon Failure - Account locked out.</description>
Khoshal A R.
Feb 2, 2015, 10:35:46 AM2/2/15
to ossec...@googlegroups.com
Hi,
I appreciate your patience on this and thank you, I changed the level on msauth_rules.xml and the alerts are working fine , but I have one issue here, which is If I set the frequency and timeframe on the same file for the rule ,and OSSEC fails to start. All Im trying to do is change both frequency and level of a rule and get the OSSEC started.
Below is the Change I made in msauth_rules.xml which makes OSSEC fail to start:
<rule id="18105" level="12" frequency="3" timeframe="120" >
<rule id="18105" level="12">
I appreciate your patience on this and thank you, I changed the level on msauth_rules.xml and the alerts are working fine , but I have one issue here, which is If I set the frequency and timeframe on the same file for the rule ,and OSSEC fails to start. All Im trying to do is change both frequency and level of a rule and get the OSSEC started.
Below is the Change I made in msauth_rules.xml which makes OSSEC fail to start:
<rule id="18105" level="12" frequency="3" timeframe="120" >
<if_sid>18100</if_sid>
<status>^AUDIT_FAILURE|^failure</status>
<description>Windows audit failure event.</description>
</rule>
However If I remove : frequency="3" timeframe="120" and enter the below it works fine:
<status>^AUDIT_FAILURE|^failure</status>
<description>Windows audit failure event.</description>
</rule>
<rule id="18105" level="12">
<if_sid>18100</if_sid>
<status>^AUDIT_FAILURE|^failure</status>
<description>Windows audit failure event.</description>
</rule>
<status>^AUDIT_FAILURE|^failure</status>
<description>Windows audit failure event.</description>
</rule>
dan (ddp)
Feb 2, 2015, 10:48:47 AM2/2/15
to ossec...@googlegroups.com
On Mon, Feb 2, 2015 at 10:32 AM, Khoshal A R.
<khosh...@sonata-software.com> wrote:
> Hi,
will be overwritten during an upgrade.
> Below is the Change I made in msauth_rules.xml which makes OSSEC fail to start:
>
> <rule id="18105" level="12" frequency="3" timeframe="120" >
> <if_sid>18100</if_sid>
> <status>^AUDIT_FAILURE|^failure</status>
> <description>Windows audit failure event.</description>
> </rule>
>
You want <if_matched> instead of <if_sid>. Running `ossec-logtest -t`
should provide you with the errors you're getting, or you can look in
the ossec.log.
<khosh...@sonata-software.com> wrote:
> Hi,
> I appreciate your patience on this and thank you, I changed the level on msauth_rules.xml and the alerts are working fine , but I have one issue here, which is If I set the frequency and timeframe on the same file for the rule ,and OSSEC fails to start. All Im trying to do is change both frequency and level of a rule and get the OSSEC started.
>
Making changes in msauth_rules.xml is a bad idea. The changes you make
>
will be overwritten during an upgrade.
> Below is the Change I made in msauth_rules.xml which makes OSSEC fail to start:
>
> <rule id="18105" level="12" frequency="3" timeframe="120" >
> <if_sid>18100</if_sid>
> <status>^AUDIT_FAILURE|^failure</status>
> <description>Windows audit failure event.</description>
> </rule>
>
should provide you with the errors you're getting, or you can look in
the ossec.log.
dan (ddp)
Feb 2, 2015, 10:48:47 AM2/2/15
to ossec...@googlegroups.com
On Mon, Feb 2, 2015 at 10:47 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Mon, Feb 2, 2015 at 10:32 AM, Khoshal A R.
> <khosh...@sonata-software.com> wrote:
>> Hi,
>> I appreciate your patience on this and thank you, I changed the level on msauth_rules.xml and the alerts are working fine , but I have one issue here, which is If I set the frequency and timeframe on the same file for the rule ,and OSSEC fails to start. All Im trying to do is change both frequency and level of a rule and get the OSSEC started.
>>
>
> Making changes in msauth_rules.xml is a bad idea. The changes you make
> will be overwritten during an upgrade.
>
>> Below is the Change I made in msauth_rules.xml which makes OSSEC fail to start:
>>
>> <rule id="18105" level="12" frequency="3" timeframe="120" >
>> <if_sid>18100</if_sid>
>> <status>^AUDIT_FAILURE|^failure</status>
>> <description>Windows audit failure event.</description>
>> </rule>
>>
>
> You want <if_matched> instead of <if_sid>. Running `ossec-logtest -t`
> should provide you with the errors you're getting, or you can look in
> the ossec.log.
>
OOPS, that should be if_matched_sid.
> On Mon, Feb 2, 2015 at 10:32 AM, Khoshal A R.
> <khosh...@sonata-software.com> wrote:
>> Hi,
>> I appreciate your patience on this and thank you, I changed the level on msauth_rules.xml and the alerts are working fine , but I have one issue here, which is If I set the frequency and timeframe on the same file for the rule ,and OSSEC fails to start. All Im trying to do is change both frequency and level of a rule and get the OSSEC started.
>>
>
> Making changes in msauth_rules.xml is a bad idea. The changes you make
> will be overwritten during an upgrade.
>
>> Below is the Change I made in msauth_rules.xml which makes OSSEC fail to start:
>>
>> <rule id="18105" level="12" frequency="3" timeframe="120" >
>> <if_sid>18100</if_sid>
>> <status>^AUDIT_FAILURE|^failure</status>
>> <description>Windows audit failure event.</description>
>> </rule>
>>
>
> You want <if_matched> instead of <if_sid>. Running `ossec-logtest -t`
> should provide you with the errors you're getting, or you can look in
> the ossec.log.
>
Reply all
Reply to author
Forward
0 new messages