Hi All,
I've successfully installed ossec-hids version 2.8 on a server, with agents
but I am having very odd problems with hostname matching. I've pasted the
log output (redacted the ip addresses).
I have something like this in local_rules.xml:
<rule id="100132" level="3">
<if_group>authentication_success,</if_group>
<description>PHC POLICY - Login to server</description>
</rule>
<rule id="100133" level="9">
<if_sid>100132</if_sid>
<hostname>579806-db1</hostname>
<description>PHC POLICY - Login to DB1 machine</description>
<group>policy_violation</group>
</rule>
I paste the log line:
Aug 12 14:46:49 579806-db1 sshd[35664]: Accepted publickey for elias from
***.***.***.*** port 53036 ssh2
into the rules tester and I get what's expected:
Aug 12 14:46:49 579806-db1 sshd[35664]: Accepted publickey for elias from
***.***.***.*** port 53036 ssh2
**Phase 1: Completed pre-decoding.
full event: 'Aug 12 14:46:49 579806-db1 sshd[35664]: Accepted
publickey for elias from ***.***.***.*** port 53036 ssh2'
hostname: '579806-db1'
program_name: 'sshd'
log: 'Accepted publickey for elias from ***.***.***.*** port 53036
ssh2'
**Phase 2: Completed decoding.
decoder: 'sshd'
dstuser: 'elias'
srcip: '***.***.***.***'
**Phase 3: Completed filtering (rules).
Rule id: '10100'
Level: '4'
Description: 'First time user logged in.'
**Alert to be generated.
Aug 12 14:46:49 579806-db1 sshd[35664]: Accepted publickey for elias from
***.***.***.*** port 53036 ssh2
**Phase 1: Completed pre-decoding.
full event: 'Aug 12 14:46:49 579806-db1 sshd[35664]: Accepted
publickey for elias from ***.***.***.*** port 53036 ssh2'
hostname: '579806-db1'
program_name: 'sshd'
log: 'Accepted publickey for elias from ***.***.***.*** port 53036
ssh2'
**Phase 2: Completed decoding.
decoder: 'sshd'
dstuser: 'elias'
srcip: '***.***.***.***'
**Phase 3: Completed filtering (rules).
Rule id: '100133'
Level: '9'
Description: 'PHC POLICY - Login to DB1 machine'
**Alert to be generated.
So far so good.
But then when I restart the servers this never ever matches. It only ever
matches the parent rule 100132: (from alerts.log)
** Alert 1407819130.465414: - local,syslog,
2014 Aug 12 14:52:10 (db1) ***.***.***.***->/var/log/secure
Rule: 100132 (level 3) -> 'PHC POLICY - Login to server'
Src IP: ***.***.***.***
User: elias
Aug 12 14:52:09 579806-db1 sshd[36577]: Accepted publickey for elias from
***.***.***.*** port 53045 ssh2
** Alert 1407819130.465718: - local,syslog,
2014 Aug 12 14:52:10 (db1) ***.***.***.***->/var/log/secure
Rule: 100132 (level 3) -> 'PHC POLICY - Login to server'
Aug 12 14:52:09 579806-db1 sshd[36577]: pam_unix(sshd:session): session
opened for user elias by (uid=0)
The WEIRD part is that if I remove the digits and the - from the hostname
it works! This is a problem because the rule then matches both the
bi-db1 host and the 579806-db1 host:
<rule id="100133" level="9">
<if_sid>100132</if_sid>
<hostname>db1</hostname>
<description>PHC POLICY - Login to DB1 machine</description>
<group>policy_violation</group>
</rule>
** Alert 1407821505.484739: mail - local,syslog,policy_violation
2014 Aug 12 15:31:45 (db1) ***.***.***.***->/var/log/secure
Rule: 100133 (level 9) -> 'PHC POLICY - Login to DB1 machine'
Src IP: ***.***.***.***
User: elias
Aug 12 15:31:43 579806-db1 sshd[39979]: Accepted publickey for elias from
***.***.***.*** port 53374 ssh2
** Alert 1407821505.485070: mail - local,syslog,policy_violation
2014 Aug 12 15:31:45 (db1) ***.***.***.***->/var/log/secure
Rule: 100133 (level 9) -> 'PHC POLICY - Login to DB1 machine'
Aug 12 15:31:43 579806-db1 sshd[39979]: pam_unix(sshd:session): session
opened for user elias by (uid=0)
The agents are running on RHEL 6.5, and the server is CentOS 6.5. I've
compiled everything from source.
Any ideas?
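The difference between the logtest run and the live alerts above can be modelled in a few lines. This is an added example, not code from the post or from OSSEC itself. It assumes, consistently with the "(db1) ip->/var/log/secure" location printed in the alerts, that for an agent-forwarded event the hostname field seen by a <hostname> rule is the agent name, while ossec-logtest (a local stdin event, no agent prefix) keeps the hostname from the syslog header. The osmatch() function is a deliberately minimal model of OSSEC's OSMatch as used by <hostname>: bare patterns match as substrings, ^ and $ anchor, | separates alternatives; nothing else is modelled. Sample lines are constructed from the post with the IP addresses replaced by a documentation address.

```python
import re

# Constructed sample data, modelled on the post (IPs replaced with a
# documentation address). Not captured from a real system.
RAW_LINE = ("Aug 12 14:52:09 579806-db1 sshd[36577]: "
            "Accepted publickey for elias from 192.0.2.10 port 53045 ssh2")

LOCAL_LOCATION = "/var/log/secure"                          # what ossec-logtest sees
AGENT_LOCATION = "(db1) 192.0.2.10->/var/log/secure"        # event forwarded by agent db1
OTHER_AGENT_LOCATION = "(bi-db1) 192.0.2.11->/var/log/secure"  # the second host from the post

SYSLOG_HEADER = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$"
)
AGENT_LOCATION_RE = re.compile(r"^\((?P<agent>[^)]+)\) (?P<ip>[^-]+)->(?P<log>.+)$")


def predecode(raw, location):
    """Model of the pre-decoding step for the fields a <hostname> rule can test.

    Assumption (matches the '(db1) ip->/var/log/secure' location in the
    poster's alerts): for an agent-forwarded event the hostname field is the
    agent name and the syslog header hostname is ignored; for a local event
    (ossec-logtest reading stdin) the syslog header hostname is used.
    """
    m = SYSLOG_HEADER.match(raw)
    if not m:
        raise ValueError("not a syslog line: %r" % raw)
    fields = {
        "program_name": m.group("prog"),
        "log": m.group("log"),
        "syslog_hostname": m.group("host"),
        "location": location,
    }
    a = AGENT_LOCATION_RE.match(location)
    if a:
        fields["agent_name"] = a.group("agent")
        fields["hostname"] = a.group("agent")      # agent name wins
    else:
        fields["agent_name"] = None
        fields["hostname"] = m.group("host")       # header hostname for local input
    return fields


def osmatch(pattern, value):
    """Minimal model of OSSEC's OSMatch as used by <hostname>: a bare pattern
    matches anywhere in the value (substring), '^' anchors the start, '$'
    anchors the end, '|' separates alternatives. Other OSMatch features are
    deliberately not modelled."""
    for alt in pattern.split("|"):
        start = alt.startswith("^")
        end = alt.endswith("$") and len(alt) > 1
        core = alt[(1 if start else 0):(len(alt) - 1 if end else len(alt))]
        if start and end:
            hit = value == core
        elif start:
            hit = value.startswith(core)
        elif end:
            hit = value.endswith(core)
        else:
            hit = core in value
        if hit:
            return True
    return False


def hostname_rule_fires(rule_hostname, raw, location):
    """True when a rule carrying <hostname>rule_hostname</hostname> would
    match this event under the model above."""
    return osmatch(rule_hostname, predecode(raw, location)["hostname"])


if __name__ == "__main__":
    for pat in ("579806-db1", "db1", "^db1$"):
        for loc in (LOCAL_LOCATION, AGENT_LOCATION, OTHER_AGENT_LOCATION):
            ev = predecode(RAW_LINE, loc)
            print("%-18s hostname=%-11s <hostname>%s</hostname> -> %s"
                  % (loc.split(" ")[0], ev["hostname"], pat,
                     hostname_rule_fires(pat, RAW_LINE, loc)))
```

Under this model "579806-db1" matches in logtest but never on the live agent path, and an unanchored "db1" matches the event from agent db1 but also the one from bi-db1, so a policy rule meant for one machine quietly covers a second one. Anchoring the pattern ("^db1$") keeps the match tied to the exact agent name; checking the pattern against the agent name shown in the alert location, rather than against the hostname in the raw syslog line, is the quickest way to confirm which value a live rule is really being compared to.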