Hello Dan,

Thanks for the <time> option.

I failed to use it. Here is what I did:

* Edit the file etc/ossec.conf
* Add in <ossec_config/rules> the line: <include>my_rules.xml</include>
* File rules/my_rules.xml:

> <group name="local,syslog,access_control,">
>
>   <rule id="2300010" level="10">
>     <if_sid>2501</if_sid>
>     <time>19:00 - 07:00</time>
>     <description>Not allowed time slot</description>
>   </rule>
> </group>
>
> <!-- EOF -->

I've tested the following messages with ossec-logtest:

===
Dec 5 13:26:42 test-computer pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=foo
===

**Phase 1: Completed pre-decoding.
       full event: 'Dec 5 13:26:42 test-computer pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=foo'
       hostname: 'test-computer'
       program_name: 'pam'
       log: 'gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=foo'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '2501'
       Level: '5'
       Description: 'User authentication failure.'
**Alert to be generated.

It's the nominal case. All is OK.

===
Dec 5 03:26:42 test-computer pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=foo
===

**Phase 1: Completed pre-decoding.
       full event: 'Dec 5 03:26:42 test-computer pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=foo'
       hostname: 'test-computer'
       program_name: 'pam'
       log: 'gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=foo'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '2501'
       Level: '5'
       Description: 'User authentication failure.'
**Alert to be generated.

Here, my rule doesn't work. Where am I wrong?
Thanks in advance

2017-01-19 19:12 GMT+01:00 dan (ddp) <ddp...@gmail.com>:
> On Thu, Jan 19, 2017 at 11:18 AM, Bertrand Danos <mille...@gmail.com> wrote:
> > Hello,
> >
> > Is it possible to generate alerts on events that are outside a specific time slot?
> >
> > For example, detect each user that connects on a computer outside the (08:00 - 20:00) time slot.
> >
> >> Jan 19 07:00:00 test-computer runuser: pam_unix(runuser:session): session opened for user foo by (uid=0)
> >
>
> Perhaps the <time> option will help:
> https://ossec.github.io/docs/syntax/head_rules.html#element-time
>
> > Thanks in advance for your help.
> >
> > --
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
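To make the intended behaviour of the rule in this thread concrete, here is an added example (my own Python, not OSSEC's code and not the poster's) that checks the two ossec-logtest inputs above against an overnight window. It models only what rule 2300010 is meant to do: when the parent rule 2501 has matched and the event falls between 19:00 and 07:00, escalate to level 10, otherwise leave level 5. It assumes the event time is the one in the syslog header, that the window is start-inclusive and end-exclusive, and it uses the substring "authentication failure" as a stand-in for the match that fires rule 2501; none of those are statements about how OSSEC itself evaluates <time>.

```python
"""Overnight time-window check for syslog events.

Added example, not OSSEC's code: it models only what the thread's rule
2300010 intends (raise level 10 on an authentication failure between
19:00 and 07:00, otherwise leave rule 2501 at level 5). The event time is
taken from the syslog header of each line; that choice, and the boundary
handling (start inclusive, end exclusive), are this example's assumptions.
"""
import re
from datetime import time

# Syslog header: "Dec  5 03:26:42 host ..." -> capture the hh:mm:ss part.
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+(\d{2}):(\d{2}):(\d{2})\s")

# Same shape as the rule's <time> value in the thread.
WINDOW_SPEC = "19:00 - 07:00"

# The two ossec-logtest inputs from the thread (day-time and night-time).
EVENT_DAY = ("Dec 5 13:26:42 test-computer pam: gdm-password: "
             "pam_unix(gdm-password:auth): authentication failure; "
             "logname= uid=0 euid=0 tty=:0 ruser= rhost= user=foo")
EVENT_NIGHT = EVENT_DAY.replace("13:26:42", "03:26:42")


def parse_window(spec):
    """Parse 'hh:mm - hh:mm' into a (start, end) pair of datetime.time."""
    m = re.fullmatch(r"\s*(\d{1,2}):(\d{2})\s*-\s*(\d{1,2}):(\d{2})\s*", spec)
    if not m:
        raise ValueError(f"unsupported time window: {spec!r}")
    h1, m1, h2, m2 = (int(x) for x in m.groups())
    return time(h1, m1), time(h2, m2)


def in_window(t, window):
    """True if t lies in [start, end); a start later than end wraps midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end   # e.g. 19:00 - 07:00


def event_time(line):
    """Extract the wall-clock time from a syslog line, or None if absent."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return time(h, mi, s)


def classify(line, window):
    """Return (rule_id, level) the 2501 -> 2300010 chain would produce.

    'authentication failure' stands in for the match that fires rule 2501;
    the child rule only applies once the parent matched, as <if_sid> requires.
    """
    if "authentication failure" not in line:
        return None
    t = event_time(line)
    if t is not None and in_window(t, window):
        return 2300010, 10
    return 2501, 5


if __name__ == "__main__":
    window = parse_window(WINDOW_SPEC)
    for line in (EVENT_DAY, EVENT_NIGHT):
        print(event_time(line), classify(line, window))
```

Running it prints (2501, 5) for the 13:26:42 line and (2300010, 10) for the 03:26:42 line, which is the outcome the poster expected from ossec-logtest for the second input. The wrap-around branch in in_window is the part worth keeping in mind whenever a window's start is later than its end.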