On Fri, Mar 16, 2012 at 10:40 AM, Michael Barrett <[email protected]> wrote:

> I tried the rule change below and got an error when I tried to start ossec.
>
> -bash-3.2# /etc/init.d/ossec-hids start
> Starting ossec-hids: 2012/03/16 09:37:46 ossec-testrule: INFO: Reading local decoder file.
> 2012/03/16 09:37:46 rules_op: Invalid root element "rule".Only "group" is allowed
>                                                    ^^^^^
> 2012/03/16 09:37:46 ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.
> 2012/03/16 09:37:46 ossec-maild: INFO: E-Mail notification disabled. Clean Exit.
> 2012/03/16 09:37:46 ossec-logcollector(1905): INFO: No file configured to monitor.
> 2012/03/16 09:37:49 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
> 2012/03/16 09:37:49 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
>
> Then I tried the example from the book to disable the rule altogether and got the same error.
>
> Here is the file, can someone tell me what I did wrong please?
>
> -bash-3.2# cat local_rules.xml.filter
> <!-- @(#) $Id$
>   - Example of local rules for OSSEC.
>   -
>   - Copyright (C) 2009 Trend Micro Inc.
>   - All rights reserved.
>   -
>   - This program is a free software; you can redistribute it
>   - and/or modify it under the terms of the GNU General Public
>   - License (version 2) as published by the FSF - Free Software
>   - Foundation.
>   -
>   - License details: http://www.ossec.net/en/licensing.html
> -->
>
> <group name="local,">
>   <rule id="101013" level="0">
>     <if_sid>18154</if_sid>
>     <description>turn down the noise on this event</description>
>   </rule>
>
> <!-- Modify it at your will. -->
>
> <!--
> <group name="local,syslog,">
> -->
>
>   <!-- Note that rule id 5711 is defined at the ssh_rules file
>     - as a ssh failed login. This is just an example
>     - since ip 1.1.1.1 shouldn't be used anywhere.
>     - Level 0 means ignore.
>   -->
>   <rule id="100001" level="0">
>     <if_sid>5711</if_sid>
>     <srcip>1.1.1.1</srcip>
>     <description>Example of rule that will ignore sshd </description>
>     <description>failed logins from IP 1.1.1.1.</description>
>   </rule>
>
>   <!-- This example will ignore ssh failed logins for the user name XYZABC. -->
>   <!--
>   <rule id="100020" level="0">
>     <if_sid>5711</if_sid>
>     <user>XYZABC</user>
>     <description>Example of rule that will ignore sshd </description>
>     <description>failed logins for user XYZABC.</description>
>   </rule>
>   -->
>
>   <!-- Specify here a list of rules to ignore. -->
>   <!--
>   <rule id="100030" level="0">
>     <if_sid>12345, 23456, xyz, abc</if_sid>
>     <description>List of rules to be ignored.</description>
>   </rule>
>   -->
>
>   <rule id="101013" level="7" frequency="4" timeframe="1600">
>     <if_matched_sid>18154</if_matched_sid>
>     <match>WinEvtLog: System: ERROR(10009): DCOM:</match>
>     <description>turn down the noise on this event</description>
>   </rule>
>
> </group> <!-- SYSLOG,LOCAL -->
>
> <!-- EOF -->
>
> ____________________________________________
> Michael Barrett <[email protected]> | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation <http://www.mgic.com/>
> 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | 1.414.347.6271 | 1.888.601.4440 | [email protected]
>
> This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.
>
> From: Thomas Bartos <[email protected]>
> To: [email protected]
> Date: 03/15/2012 11:15 AM
> Subject: Re: [ossec-list] Turn off rule?
> Sent by: [email protected]
> ------------------------------
>
> Hi Michael
>
> I have a rule limiting alerts on 18154 events inside my local_rules.xml file
>
> <rule id="101013" level="7" frequency="4" timeframe="1600">
>   <if_matched_sid>18154</if_matched_sid>
>   <match>WinEvtLog: System: ERROR(13): NPS:</match>
>   <description>turn down the noise on this event</description>
> </rule>
>
> My understanding is that this rule will generate an email (level 7) after more than 4 matching events, and will not send more than one alert every 1600 seconds.
>
> http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf
> Read the section on Understanding rules of this doc; it helped me a lot to grasp alert filtering.
>
> I'm still new to this. If someone sees an error with my rule, I don't mind if you point out the error of my ways...
> cheers
> -tom
>
> ----- Original Message -----
> From: "Michael Barrett" <[email protected]>
> To: [email protected]
> Sent: Thursday, March 15, 2012 8:42:14 AM
> Subject: [ossec-list] Turn off rule?
>
> Is there a way to configure the ossec agent to ignore specific windows events? I have an application that is misbehaving and it's creating ossec alerts for multiple windows events
>
> Rule: 18154 (level 10) -> 'Multiple Windows error events.'
>
> Can I configure OSSEC agent to eliminate rule 18154?
>
> ____________________________________________
> Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
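A structural pre-check for a local_rules.xml like the one quoted above, added here as an example that is neither part of this thread nor OSSEC's own code: it reports the same "Invalid root element" condition the startup log shows (a `<rule>` that is not inside a `<group>`), flags a rule id defined twice, and checks that `frequency`/`timeframe` rules carry an `if_matched_sid`. The sample file and the helper names are constructed; OSSEC uses its own XML parser, so wrapping the file in a synthetic root for ElementTree is an assumption made only so that several top-level groups and comments parse.

```python
"""Lint an OSSEC local_rules.xml for structural mistakes (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: one well-formed group, then a second copy of rule 101013
# sitting outside any <group>, which is the condition rules_op rejects.
SAMPLE_RULES = """
<!-- header comment, as in the stock local_rules.xml -->
<group name="local,">
  <rule id="101013" level="0">
    <if_sid>18154</if_sid>
    <description>turn down the noise on this event</description>
  </rule>
</group>
<rule id="101013" level="7" frequency="4" timeframe="1600">
  <if_matched_sid>18154</if_matched_sid>
  <description>duplicate id, and not inside a group</description>
</rule>
"""


def lint_rules(xml_text):
    """Return a list of problem strings (empty when the file looks sane).

    OSSEC rule files may hold several top-level <group> elements plus
    comments, which strict XML rejects, so the text is wrapped in a
    synthetic root before parsing (assumption; OSSEC has its own parser).
    """
    problems = []
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    for child in root:  # every top-level element must be a <group>
        if child.tag != "group":
            problems.append('invalid root element "%s": only "group" is allowed' % child.tag)
    seen = set()
    for rule in root.iter("rule"):
        rid = rule.get("id")
        if rid is None:
            problems.append("rule without an id attribute")
            continue
        if rid in seen:
            problems.append("duplicate rule id %s" % rid)
        seen.add(rid)
        freq, tf = rule.get("frequency"), rule.get("timeframe")
        if (freq is None) != (tf is None):
            problems.append("rule %s: frequency and timeframe must be set together" % rid)
        # The composite rules in this thread pair frequency with if_matched_sid;
        # a frequency rule with no if_matched_* condition is flagged (assumption).
        if freq is not None and rule.find("if_matched_sid") is None \
                and rule.find("if_matched_group") is None:
            problems.append("rule %s: frequency set without if_matched_sid/if_matched_group" % rid)
    return problems
```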
