Hello Dan,

Thanks for the <time> option.

I failed to use it.
Here is what I did:

* Edit file etc/ossec.conf
* Add in <ossec_config/rules> the line: <include>my_rules.xml</include>

* File rules/my_rules.xml:

> <group name="local,syslog,access_control,">
>
>   <rule id="2300010" level="10">
>     <if_sid>2501</if_sid>
>     <time>19:00 - 07:00</time>
>     <description>Not allowed time slot</description>
>   </rule>
> </group>
>
> <!-- EOF -->
>

I've tested the following messages with ossec-logtest:

===
Dec  5 13:26:42 test-computer pam: gdm-password:
pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0
tty=:0 ruser= rhost=  user=foo
===
**Phase 1: Completed pre-decoding.
       full event: 'Dec  5 13:26:42 test-computer pam: gdm-password:
pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0
tty=:0 ruser= rhost=  user=foo'
       hostname: 'test-computer'
       program_name: 'pam'
       log: 'gdm-password: pam_unix(gdm-password:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=foo'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '2501'
       Level: '5'
       Description: 'User authentication failure.'
**Alert to be generated.

This is the nominal case; all is OK.

===
Dec  5 03:26:42 test-computer pam: gdm-password:
pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0
tty=:0 ruser= rhost=  user=foo
===

**Phase 1: Completed pre-decoding.
       full event: 'Dec  5 03:26:42 test-computer pam: gdm-password:
pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0
tty=:0 ruser= rhost=  user=foo'
       hostname: 'test-computer'
       program_name: 'pam'
       log: 'gdm-password: pam_unix(gdm-password:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=foo'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '2501'
       Level: '5'
       Description: 'User authentication failure.'
**Alert to be generated.


Here, my rule doesn't work.
Where am I wrong?

Thanks in advance
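As an added example (not from this thread and not OSSEC's own code), the following Python check applies the rule's "19:00 - 07:00" window to the syslog timestamp carried by each of the two sample events above, handling the wrap past midnight. Note that OSSEC's <time> element is evaluated against the clock at the moment analysisd (or ossec-logtest) processes the event, not against the timestamp in the log line, so the rule above only matches when the test itself is run inside that window.

```python
import re
from datetime import time

# Constructed copies of the two events fed to ossec-logtest above:
# one at 13:26 (inside working hours) and one at 03:26 (off-hours).
SAMPLE_EVENTS = [
    "Dec  5 13:26:42 test-computer pam: gdm-password: pam_unix(gdm-password:auth): "
    "authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=foo",
    "Dec  5 03:26:42 test-computer pam: gdm-password: pam_unix(gdm-password:auth): "
    "authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=foo",
]

# BSD syslog header: "Mon dd hh:mm:ss host ..."
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+(\d{2}):(\d{2}):(\d{2})\s")
# The "hh:mm - hh:mm" form used in the rule (spaces around '-' optional).
WINDOW = re.compile(r"^\s*(\d{1,2}):(\d{2})\s*-\s*(\d{1,2}):(\d{2})\s*$")


def parse_window(spec):
    """Parse a window such as '19:00 - 07:00' into (start, end) times."""
    m = WINDOW.match(spec)
    if not m:
        raise ValueError(f"unsupported time window: {spec!r}")
    h1, m1, h2, m2 = map(int, m.groups())
    return time(h1, m1), time(h2, m2)


def in_window(t, start, end):
    """True if t lies in [start, end); end <= start means the window wraps midnight."""
    if start < end:
        return start <= t < end
    # e.g. 19:00 - 07:00 covers 19:00..23:59:59 and 00:00..06:59:59
    return t >= start or t < end


def event_time(line):
    """Extract hh:mm:ss from the syslog header of an event line, or None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    h, mi, s = map(int, m.groups())
    return time(h, mi, s)


def off_hours_events(lines, spec="19:00 - 07:00"):
    """Return the events whose own timestamp falls inside the forbidden window."""
    start, end = parse_window(spec)
    return [ln for ln in lines
            if (t := event_time(ln)) is not None and in_window(t, start, end)]


if __name__ == "__main__":
    for line in off_hours_events(SAMPLE_EVENTS):
        print("outside allowed slot:", line[:40])
```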
2017-01-19 19:12 GMT+01:00 dan (ddp) <ddp...@gmail.com>:

> On Thu, Jan 19, 2017 at 11:18 AM, Bertrand Danos <mille...@gmail.com>
> wrote:
> > Hello,
> >
> > Is it possible to generate alerts on events that are outside a specific
> time
> > slot?
> >
> > By sample, detect each user that connect on a computer outside the
> (08:00 -
> > 20:00) timeslot.
> >
> >> Jan 19 07:00:00 test-computer runuser: pam_unix(runuser:session):
> session
> >> opened for user foo by (uid=0)
> >
> >
>
> Perhaps the <time> option will help:
> https://ossec.github.io/docs/syntax/head_rules.html#element-time
>
> >
> > Thanks in advance for your help.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+unsubscr...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
