Hello Jb,

Yeah, I have noticed too; it initially led me to believe the comma was more 
of a good practice than a requirement, but I removed it from 
rules/firewall_rules.xml, commented out the no_log option on rule 4101, and 
confirmed that the comma was indeed needed.

Anyways, I've stumbled upon another issue that I hope isn't me screwing up 
again. I've been trying to make some firewall rules work ever since I 
started this thread and couldn't get the alerts to show up in 
/var/ossec/logs/alerts/alerts.log. ossec-logtest would report everything 
triggered correctly, but no alerts were being sent to the alerts.log file.

It all points to the same firewall rule, 4101 inside 
rules/firewall_rules.xml.

Steps to recreate my issue:
1. Edit rules/firewall_rules.xml on your *lab environment*. Comment out 
"<options>no_log</options>".
2. Save, restart OSSEC and send the following log to /var/log/messages or 
syslog:

Mar  6 16:17:47 ubuntu kernel: [546741.275556] DROP IN=eth1 OUT= 
MAC=00:00:20:57:10:41:08:00:f3:0b:80:40:00:00 SRC=1.1.1.1 DST=2.2.2.2 
LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=11702 DF PROTO=TCP SPT=16966 DPT=80 
WINDOW=8192 RES=0x00 SYN URGP=0

3. Confirm you get the firewall log at /var/ossec/logs/alerts/alerts. 
...all good so far.
4. Update rule 4101 inside rules/firewall_rules.xml again, this time remove 
"DROP" and type in "TEST". OSSEC's iptables decoder will still tag TEST as 
an action.
5. Send out this log:

Mar  6 16:17:47 ubuntu kernel: [546741.275556] TEST IN=eth1 OUT= 
MAC=00:00:20:57:10:41:08:00:f3:0b:80:40:00:00 SRC=1.1.1.1 DST=2.2.2.2 
LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=11702 DF PROTO=TCP SPT=16966 DPT=80 
WINDOW=8192 RES=0x00 SYN URGP=0

6. Notice how no logs are sent to /var/ossec/alerts/alerts.log.
*** /var/ossec/logs/firewall/firewall.log gets populated with a new entry:
2013 Mar 07 08:17:59 ubuntu->/var/log/messages CLOSED TCP 
1.1.1.1:16966->2.2.2.2:80
END.

Tested on version 2.7 (server mode) under Ubuntu 10.04.3 LTS. No 
local_decoders and no local_rules (dummy rule inside).


Thanks in advance,

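As an added illustration (not part of the thread and not OSSEC's own code): a small Python parser for the netfilter log format used in the two sample lines above, plus a simplified rule check standing in for rule 4101. The DROP_ACTIONS list is an assumption, not the real rule content; the point is that the action token is decoded whatever its value, while only configured actions raise an alert.

```python
import re

# Constructed copies of the two kernel log lines quoted in the post.
SAMPLE_LOGS = [
    "Mar  6 16:17:47 ubuntu kernel: [546741.275556] DROP IN=eth1 OUT= "
    "MAC=00:00:20:57:10:41:08:00:f3:0b:80:40:00:00 SRC=1.1.1.1 DST=2.2.2.2 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=11702 DF PROTO=TCP SPT=16966 DPT=80 "
    "WINDOW=8192 RES=0x00 SYN URGP=0",
    "Mar  6 16:17:47 ubuntu kernel: [546741.275556] TEST IN=eth1 OUT= "
    "MAC=00:00:20:57:10:41:08:00:f3:0b:80:40:00:00 SRC=1.1.1.1 DST=2.2.2.2 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=11702 DF PROTO=TCP SPT=16966 DPT=80 "
    "WINDOW=8192 RES=0x00 SYN URGP=0",
]

# Netfilter line: "kernel:", optional "[uptime]", a free-form action word
# (whatever the LOG target prefix was), then KEY=VALUE pairs. Ports are
# optional because ICMP lines carry no SPT/DPT.
IPTABLES_RE = re.compile(
    r"kernel: (?:\[\s*\d+\.\d+\]\s*)?(?P<action>\S+) IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<srcip>\S+) DST=(?P<dstip>\S+) .*?PROTO=(?P<protocol>\S+)"
    r"(?: SPT=(?P<srcport>\d+) DPT=(?P<dstport>\d+))?"
)

# Hypothetical stand-in for the <action> match of rule 4101; the real list
# lives in rules/firewall_rules.xml and is not reproduced here.
DROP_ACTIONS = {"DROP", "DENY", "REJECT", "BLOCK"}


def decode(line):
    """Extract decoder-style fields from one iptables log line, or None."""
    m = IPTABLES_RE.search(line)
    return m.groupdict() if m else None


def evaluate(line, drop_actions=DROP_ACTIONS):
    """Return ('alert' | 'firewall_log_only' | 'undecoded', fields).

    Any action word is decoded (which is what the post observes with TEST),
    but only the configured drop-like actions should produce an alert.
    """
    fields = decode(line)
    if fields is None:
        return "undecoded", None
    if fields["action"].upper() in drop_actions:
        return "alert", fields
    return "firewall_log_only", fields


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        outcome, fields = evaluate(log)
        print(outcome, fields["action"], fields["srcip"], fields["dstport"])
```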