Custom Rule overrides not triggering


treydock

Jun 23, 2011, 2:08:49 PM
to ossec-list
In an attempt to get email notifications to work with the newly built-in
active-response notification rules, I'm trying to override the
built-in rules with ones in local_rules.xml that have the addition of
"<options>alert_by_email</options>". So far, using ossec-logtest, I'm
unable to get the custom rules to fire. Using OSSEC-2.6.0-Beta on
Linux.

All the rules are identical to those built-in except I changed the
rule number to be greater than 100000 and added the "options" line.
(see below for full copy/paste).

Here's the process I'm going through:

# bin/ossec-control enable debug
# bin/ossec-control restart
2011/06/23 12:59:41 adding rule: local_rules.xml
....

# bin/ossec-logtest -d
...no errors...
2011/06/23 13:01:34 1 : rule:100000, level 0, timeout: 0
2011/06/23 13:01:34 2 : rule:100001, level 3, timeout: 0
2011/06/23 13:01:34 2 : rule:100002, level 3, timeout: 0
2011/06/23 13:01:34 2 : rule:100003, level 3, timeout: 0
2011/06/23 13:01:34 2 : rule:100004, level 3, timeout: 0
2011/06/23 13:01:34 2 : rule:100005, level 3, timeout: 0
2011/06/23 13:01:34 2 : rule:100006, level 3, timeout: 0
...


ossec-testrule: Type one log per line.

Thu Jun 23 05:08:10 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 212.113.37.105 1308823060.107076 31151


**Phase 1: Completed pre-decoding.
full event: 'Thu Jun 23 05:08:10 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 212.113.37.105 1308823060.107076 31151'
hostname: 'ossecserver'
program_name: '(null)'
log: 'Thu Jun 23 05:08:10 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 212.113.37.105 1308823060.107076 31151'

**Phase 2: Completed decoding.
decoder: 'ar_log'
action: 'firewall-drop.sh'
status: 'delete'
srcip: '212.113.37.105'
id: '1308823060.107076'
extra_data: '31151'

**Phase 3: Completed filtering (rules).
Rule id: '602'
Level: '3'
Description: 'Host Unblocked by firewall-drop.sh Active Response'
**Alert to be generated.

------------------


I tested all 6 rules and all 6 are not being overridden. Does OSSEC
load rules 600-606 before the local_rules.xml and thus it's not
possible to override? I've tried changing "<if_sid>" to 600, and also
removing rule 100000, then adding "decoded_as" to each of the rules
and removing "if_sid", but still the same result.



Here's my entire local_rules.xml:


<group name="local,syslog,">
<rule id="100000" level="0">
<decoded_as>ar_log</decoded_as>
<description>Active Response Messages Grouped</description>
<group>active_response,</group>
</rule>

<rule id="100001" level="3">
<if_sid>100000</if_sid>
<options>alert_by_email</options>
<action>firewall-drop.sh</action>
<status>add</status>
<description>Host Blocked by firewall-drop.sh Active Response</description>
<group>active_response,</group>
</rule>

<rule id="100002" level="3">
<if_sid>100000</if_sid>
<options>alert_by_email</options>
<action>firewall-drop.sh</action>
<status>delete</status>
<description>Host Unblocked by firewall-drop.sh Active Response</description>
<group>active_response,</group>
</rule>

<rule id="100003" level="3">
<if_sid>100000</if_sid>
<options>alert_by_email</options>
<action>host-deny.sh</action>
<status>add</status>
<description>Host Blocked by host-deny.sh Active Response</description>
<group>active_response,</group>
</rule>


<rule id="100004" level="3">
<if_sid>100000</if_sid>
<options>alert_by_email</options>
<action>host-deny.sh</action>
<status>delete</status>
<description>Host Unblocked by host-deny.sh Active Response</description>
<group>active_response,</group>
</rule>

<rule id="100005" level="3">
<if_sid>100000</if_sid>
<options>alert_by_email</options>
<action>route-null.sh</action>
<status>add</status>
<description>Host Blocked by route-null.sh Active Response</description>
<group>active_response,</group>
</rule>

<rule id="100006" level="3">
<if_sid>100000</if_sid>
<options>alert_by_email</options>
<action>route-null.sh</action>
<status>delete</status>
<description>Host Unblocked by route-null.sh Active Response</description>
<group>active_response,</group>
</rule>
</group>

Thanks
- Trey

treydock

Jun 27, 2011, 10:39:11 PM
to ossec-list
I have successfully tested my local rules by commenting out rules
600-606. Is there something in OSSEC that does not allow certain
rules to be overridden? I don't know if this is something new as of
2.6-Beta. Any insight would be appreciated.

Thanks
- Trey

Michael Starks

Jun 27, 2011, 11:24:49 PM
to ossec...@googlegroups.com
On 06/27/2011 09:39 PM, treydock wrote:
> I have successfully tested my local rules by commenting out rules
> 600-606. Is there something in OSSEC that does not allow certain
> rules to be overridden? I don't know if this is something new as of
> 2.6-Beta. Any insight would be appreciated.
>
> Thanks
> - Trey

I am not sure if you are already doing this, but to overwrite rules, you
need to copy the rule to local_rules.xml, keep the same rule ID and add
the overwrite="yes" option, along with the other changes you want. For
example:

<rule id="606" level="3" overwrite="yes">
<if_sid>600</if_sid>
<action>route-null.sh</action>
<status>delete</status>
<description>Host Unblocked by route-null.sh Active response</description>
<options>alert_by_email</options>
<group>active_response,</group>
</rule>
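The two approaches in this thread differ only in the rule id and the overwrite attribute, which is easy to miss when reading a long local_rules.xml. The following checker is an added example (not Michael's or the OSSEC project's code): it parses a constructed excerpt of the shipped rules next to a constructed local_rules.xml and reports which local rules are real overrides (same id plus overwrite="yes"), which are duplicate ids, and which are copies under a new id that the earlier shipped rule will always claim first, as Trey observed until he commented out rules 600-606.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the shipped rules the thread discusses: 600 groups
# ar_log events, 602 matches "firewall-drop.sh delete" (not the real file).
BUILTIN_RULES_XML = """<group name="syslog,">
<rule id="600" level="0"><decoded_as>ar_log</decoded_as>
<description>Active Response Messages Grouped</description></rule>
<rule id="602" level="3"><if_sid>600</if_sid><action>firewall-drop.sh</action>
<status>delete</status><description>Host Unblocked by firewall-drop.sh</description></rule>
</group>"""

# Constructed local_rules.xml: a copy under a new id (Trey's approach, with
# if_sid changed to 600) next to a same-id overwrite="yes" rule (Michael's).
LOCAL_RULES_XML = """<group name="local,syslog,">
<rule id="100002" level="3"><if_sid>600</if_sid><options>alert_by_email</options>
<action>firewall-drop.sh</action><status>delete</status>
<description>Host Unblocked by firewall-drop.sh</description></rule>
<rule id="602" level="3" overwrite="yes"><if_sid>600</if_sid><action>firewall-drop.sh</action>
<status>delete</status><options>alert_by_email</options>
<description>Host Unblocked by firewall-drop.sh</description></rule>
</group>"""

# Child elements that decide whether a rule matches an event; <options>,
# <description> and <group> only change what happens after a match.
MATCH_FIELDS = ("decoded_as", "if_sid", "action", "status", "match", "regex", "srcip")

def parse_rules(xml_text):
    """Map rule id -> {'overwrite': bool, 'match': {field: text}} for every <rule>."""
    rules = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        match = {f: rule.findtext(f) for f in MATCH_FIELDS if rule.find(f) is not None}
        rules[rule.get("id")] = {"overwrite": rule.get("overwrite") == "yes", "match": match}
    return rules

def check_overrides(builtin_xml, local_xml):
    """Classify each local rule as 'override', 'duplicate id', 'shadowed by N' or 'ok'."""
    builtin = parse_rules(builtin_xml)
    verdicts = {}
    for rid, local in parse_rules(local_xml).items():
        if rid in builtin:
            verdicts[rid] = "override" if local["overwrite"] else "duplicate id (add overwrite=\"yes\")"
            continue
        # Same matchers under a new id: the lower-numbered shipped rule is evaluated
        # first and claims the event, so this copy never fires (the thread's symptom).
        twins = [bid for bid, b in builtin.items() if b["match"] == local["match"]]
        verdicts[rid] = f"shadowed by {twins[0]}" if twins else "ok"
    return verdicts

if __name__ == "__main__":
    for rid, verdict in check_overrides(BUILTIN_RULES_XML, LOCAL_RULES_XML).items():
        print(f"rule {rid}: {verdict}")
```

Point BUILTIN_RULES_XML at the real ossec_rules.xml and LOCAL_RULES_XML at your local_rules.xml to run the same check against a live install.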

treydock

Jun 28, 2011, 10:16:04 PM
to ossec-list
Ah, the first part (local_rules.xml) I have, but the two key portions I
was missing were leaving the rule ids the same as the built-in rules
and also adding the "overwrite" option.

Thanks!
- Trey

On Jun 27, 10:24 pm, Michael Starks <ossec-l...@michaelstarks.com> wrote: