On Mar 3, 2016 6:30 AM, "Maxim Surdu" <maxsu...@gmail.com> wrote:
>
> Is it a solution, but can I create a list and a rule to read all my list from the file, or something like this? Because now I have 300 clients, but it can be more, and it will not work anymore.
>

If that username is decoded into a user field, you might be able to create a cdb database and filter based on that.

> Thanks for your responsiveness.
>
> On Thursday, 3 March 2016 at 12:13:36 UTC+2, dan (ddpbsd) wrote:
>>
>> On Mar 3, 2016 4:18 AM, "Maxim Surdu" <maxs...@gmail.com> wrote:
>> >
>> > Hi dear community,
>> >
>> > I installed and configured about 10 agents, and of course I have a lot of users; a part of these users are FTP clients.
>> >
>> > In policy-rules.xml I have the following rules:
>> >
>> > <group name="policy_violation,">
>> >   <rule id="17101" level="9">
>> >     <if_group>authentication_success</if_group>
>> >     <time>4 pm - 7 am</time>
>> >     <description>Successful login during non-business hours.</description>
>> >     <group>login_time,</group>
>> >   </rule>
>> >
>> >   <rule id="17102" level="9">
>> >     <if_group>authentication_success</if_group>
>> >     <weekday>weekends</weekday>
>> >     <description>Successful login during weekend.</description>
>> >     <group>login_day,</group>
>> >   </rule>
>> > </group>
>> >
>> > OSSEC HIDS Notification.
>> >
>> > 2016 Mar 02 19:05:41
>> >
>> > Received From: (host.xxxxxx.xx) xxx.xxx.xxx.xxx->/var/log/messages
>> >
>> > Rule: 17101 fired (level 9) -> "Successful login during non-business hours."
>> >
>> > Portion of the log(s):
>> >
>> > Mar 2 21:05:38 host pure-ftpd: (?@xxx.xxx.xx.xxx) [INFO] transpor is now logged in
>> >
>> > --END OF NOTIFICATION
>> >
>> > transpor is the username of my client, and I added a rule to ignore alerts for these users because they are clients.
>> > In local_rules I created the following rules to ignore "Successful login during non-business hours" and "Successful login during weekend" for FTP clients:
>> >
>> > <group name="policy_violation_overwrite,">
>> >   <rule id="17101" level="9" overwrite="yes">
>> >     <if_group>authentication_success</if_group>
>> >     <time>4 pm - 7 am</time>
>> >     <description>Successful login during non-business hours.</description>
>> >     <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,</group>
>> >   </rule>
>> >
>> >   <rule id="17102" level="9" overwrite="yes">
>> >     <if_group>authentication_success</if_group>
>> >     <weekday>weekends</weekday>
>> >     <description>Successful login during weekend.</description>
>> >     <group>login_day,pci_dss_10.2.5,pci_dss_10.6.1,</group>
>> >   </rule>
>> >
>> >   <rule id="100002" level="3">
>> >     <if_sid>17101</if_sid>
>> >     <match> transpor | client1 | client2 | client3 | ....... | client 50 </match>
>> >     <description>Sesion open by Client</description>
>> >   </rule>
>> >
>> >   <rule id="100003" level="3">
>> >     <if_sid>17102</if_sid>
>> >     <match> transpor | client1 | client2 | client3 | ....... | client 50 </match>
>> >     <description>Sesion open by Client</description>
>> >   </rule>
>> > </group>
>> >
>> > Because I have a lot of clients, OSSEC gives me an error and does not start. How can I manage or edit this rule?
>> >
>>
>> Have you tried to create multiple rules, each with only a portion of the client list?
>>
>> > I appreciate your help, and a lot of respect for the developers and community!
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
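The CDB-list approach dan suggests, worked through as an added example (this is not code from the thread or from the OSSEC project). It generates the list source file in OSSEC's `key:value` format from a client list, renders a `local_rules.xml` rule that uses `<list field="user" lookup="match_key">` instead of a long `<match>` alternation, and simulates the lookup against the pure-ftpd line quoted in the thread. Assumptions: the pure-ftpd decoder fills the `user` field for "is now logged in" lines (check your `decoder.xml`), the list lives at `lists/ftp_clients` under the OSSEC directory, and rule id 100002 is free; the client names other than `transpor` are constructed.

```python
"""Added example: replace a giant <match> alternation with an OSSEC CDB list.

Assumptions (verify locally): the stock pure-ftpd decoder decodes the login
name into the `user` field, the list source file is /var/ossec/lists/ftp_clients
(declared in ossec.conf as <list>lists/ftp_clients</list> under <rules>),
and rule id 100002 is unused.
"""
import re

# Constructed client list standing in for the ~300 accounts in the thread.
FTP_CLIENTS = ["transpor", "client1", "client2", "client3"]

# Log line quoted in the thread (host and IP already redacted by the poster).
SAMPLE_LOG = ("Mar 2 21:05:38 host pure-ftpd: (?@xxx.xxx.xx.xxx) "
              "[INFO] transpor is now logged in")


def cdb_source(clients):
    """Text of the CDB source file: one `key:value` line per client.

    ossec-makelists compiles this into ftp_clients.cdb. Only the key is
    consulted by lookup="match_key"; the value is free-form and is kept
    here as a label for whoever audits the list later.
    """
    return "".join(f"{c}:ftp-client\n" for c in sorted(set(clients)))


def list_rule(list_path="lists/ftp_clients", base_sids=("17101", "17102"),
              rule_id=100002):
    """Render the local_rules.xml rule.

    One child rule covers both parents: when 17101 (non-business hours) or
    17102 (weekend) fires and the decoded user is a key in the list, the
    alert is downgraded to level 3, below the default e-mail threshold.
    Growing the client list means editing the list file, not this rule.
    """
    return f"""<group name="local,">
  <rule id="{rule_id}" level="3">
    <if_sid>{",".join(base_sids)}</if_sid>
    <list field="user" lookup="match_key">{list_path}</list>
    <description>Session opened by known FTP client outside business hours.</description>
  </rule>
</group>
"""


# Stand-in for the decoder: srcip and user from a pure-ftpd login line.
PUREFTPD_LOGIN = re.compile(
    r"pure-ftpd: \(\S+@(\S+)\) \[INFO\] (\S+) is now logged in$")


def decode_user(line):
    """Return (srcip, user) for a pure-ftpd login line, else None."""
    m = PUREFTPD_LOGIN.search(line)
    return (m.group(1), m.group(2)) if m else None


def would_downgrade(line, clients):
    """Simulate the <list field="user" lookup="match_key"> check.

    True when the line decodes a user that is a key in the list file, which
    is when rule 100002 would replace the level-9 parent alert.
    """
    fields = decode_user(line)
    if fields is None:
        return False
    keys = {ln.split(":", 1)[0] for ln in cdb_source(clients).splitlines()}
    return fields[1] in keys


if __name__ == "__main__":
    print(cdb_source(FTP_CLIENTS))
    print(list_rule())
    print("downgraded:", would_downgrade(SAMPLE_LOG, FTP_CLIENTS))
```

Write `cdb_source(...)` to `/var/ossec/lists/ftp_clients`, declare it in `ossec.conf`, run `ossec-makelists`, then restart OSSEC once to load the rule. Adding the 301st client afterwards is a one-line edit to the list file plus a re-run of `ossec-makelists`; check whether your OSSEC version also needs a restart to pick up the recompiled `.cdb`. Because the match is on the decoded `user` field rather than a substring of the whole line, a client name that happens to appear elsewhere in an unrelated message no longer suppresses the alert.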