I tried the rule change below and got an error when I tried to start ossec.
-bash-3.2# /etc/init.d/ossec-hids start
Starting ossec-hids: 2012/03/16 09:37:46 ossec-testrule: INFO: Reading local dec oder file.
2012/03/16 09:37:46 rules_op: Invalid root element "rule".Only "group" is allowe d
2012/03/16 09:37:46 ossec-testrule(1220): ERROR: Error loading the rules: 'local _rules.xml'.
2012/03/16 09:37:46 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
2012/03/16 09:37:46 ossec-logcollector(1905): INFO: No file configured to monito r.
2012/03/16 09:37:49 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/ queue' not accessible: 'Connection refused'.
2012/03/16 09:37:49 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/ queue' not accessible: 'Connection refused'.
Then I tried the example from the book to disable the rule altogether and got the same error
Here is the file, can someone tell me what I did wrong please?
-bash-3.2# cat local_rules.xml.filter
<!-- @(#) $Id$
- Example of local rules for OSSEC.
-
- Copyright (C) 2009 Trend Micro Inc.
- All rights reserved.
-
- This program is a free software; you can redistribute it
- and/or modify it under the terms of the GNU General Public
- License (version 2) as published by the FSF - Free Software
- Foundation.
-
- License details: http://www.ossec.net/en/licensing.html
-->
<rule id="101013" level="0">
<if_sid>18154</if_sid>
<description>turn down the noise on this event</description>
</rule>
<!-- Modify it at your will. -->
<group name="local,syslog,">
<!-- Note that rule id 5711 is defined at the ssh_rules file
- as a ssh failed login. This is just an example
- since ip 1.1.1.1 shouldn't be used anywhere.
- Level 0 means ignore.
-->
<rule id="100001" level="0">
<if_sid>5711</if_sid>
<srcip>1.1.1.1</srcip>
<description>Example of rule that will ignore sshd </description>
<description>failed logins from IP 1.1.1.1.</description>
</rule>
<!-- This example will ignore ssh failed logins for the user name XYZABC.
-->
<!--
<rule id="100020" level="0">
<if_sid>5711</if_sid>
<user>XYZABC</user>
<description>Example of rule that will ignore sshd </description>
<description>failed logins for user XYZABC.</description>
</rule>
-->
<!-- Specify here a list of rules to ignore. -->
<!--
<rule id="100030" level="0">
<if_sid>12345, 23456, xyz, abc</if_sid>
<description>List of rules to be ignored.</description>
</rule>
-->
<rule id="101013" level="7" frequency="4" timeframe="1600">
<if_matched_sid>18154</if_matched_sid>
<match>WinEvtLog: System: ERROR(10009): DCOM:</match>
<description>turn down the noise on this event</description>
</rule>
</group> <!-- SYSLOG,LOCAL -->
<!-- EOF -->
____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 | 7 1.888.601.4440 | * [email protected]
This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.
| From: | Thomas Bartos <[email protected]> |
| To: | [email protected] |
| Date: | 03/15/2012 11:15 AM |
| Subject: | Re: [ossec-list] Turn off rule? |
| Sent by: | [email protected] |
Hi Michael
I have a rule limiting alerts on 18154 events inside my local_rules.xml file
<rule id="101013" level="7" frequency="4" timeframe="1600">
<if_matched_sid>18154</if_matched_sid>
<match>WinEvtLog: System: ERROR(13): NPS:</match>
<description>turn down the noise on this event</description>
</rule>
My understanding is that this rule will generate an email (level 7) after more than 4 matching events, and will not send more than one alert every 1600 seconds.
http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf
Read the section on Understanding rules of this doc it helped me a lot to grasp alert filtering.
I'm still new to this. If someone sees an error with my rule, I don't mind if you point out the error of my ways...
cheers
-tom
----- Original Message -----
From: "Michael Barrett" <[email protected]>
To: [email protected]
Sent: Thursday, March 15, 2012 8:42:14 AM
Subject: [ossec-list] Turn off rule?
Is there a way to configure the ossec agent to ignore specific windows events? I have an application that is mis-behaving and its creating ossec alerts for multiple windows events
Rule: 18154 (level 10) -> 'Multiple Windows error events.'
Can I configure OSSEC agent to eliminate rule 18154?
____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 | 7 1.888.601.4440 | * [email protected]
This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.
