Oh interesting! I assumed it was "unique" to that rule file. I'll try
re-IDing them and see what happens.

On Thu, Apr 5, 2018 at 1:36 PM dan (ddp) <ddp...@gmail.com> wrote:

> On Thu, Apr 5, 2018 at 11:04 AM, Cooper <coopertg...@gmail.com> wrote:
> > Here's the rule from the error:
> >
> > <group name="syslog,access_control,">
> >   <rule id="2501" level="0">
> >     <match> esm</match>
> >     <group>authentication_failed,</group>
> >     <description>User authentication failure.</description>
> >   </rule>
> > </group>
> >
> > If I comment it out, it just says the next rule is a duplicate, and so on
> > and so on.  None are overwrite rules.
> >
>
> Here's rule 2501 in OSSEC
> (
> https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml#L130
> ):
> <group name="syslog,access_control,">
>   <rule id="2501" level="5">
>     <match>FAILED LOGIN |authentication failure|</match>
>     <match>Authentication failed for|invalid password for|</match>
>     <match>LOGIN FAILURE|auth failure: |authentication error|</match>
>     <match>authinternal failed|Failed to authorize|</match>
>     <match>Wrong password given for|login failed|Auth: Login incorrect|</match>
>     <match>Failed to authenticate user</match>
>     <group>authentication_failed,</group>
>     <description>User authentication failure.</description>
>   </rule>
>
> So it looks like the custom rules implemented in your environment are
> using the ID ranges used by the project.
> I think rule id 100000+ are reserved for custom rules.
> Anything below that could be used by the project at any time, possibly
> conflicting with custom rules using the wrong ranges.
>
> > On Thursday, April 5, 2018 at 4:04:56 AM UTC-6, dan (ddpbsd) wrote:
> >>
> >>
> >>
> >> On Wed, Apr 4, 2018, 8:56 PM Cooper <coope...@gmail.com> wrote:
> >>>
> >>> Sorry Dan, I'm horribly new to managing ossec (yesterday).  How would I
> >>> know that?
> >>
> >>
> >> Look for 'overwrite="yes"' in the rule.
> >>
> >>
> >>>
> >>> On Wednesday, April 4, 2018 at 6:54:14 PM UTC-6, dan (ddpbsd) wrote:
> >>>>
> >>>>
> >>>>
> >>>> On Wed, Apr 4, 2018, 8:50 PM Cooper <coope...@gmail.com> wrote:
> >>>>>
> >>>>> When trying to start our new 2.9.3 ossec server, I receive the
> >>>>> following error:
> >>>>>
> >>>>> 2018/04/04 19:45:39 ossec-analysisd: Duplicate rule ID:2501
> >>>>> 2018/04/04 19:45:39 ossec-testrule(1220): ERROR: Error loading the
> >>>>> rules: 'local_rules.xml'.
> >>>>>
> >>>>> However, inside local_rules, there's only one rule with an ID of 2501.
> >>>>> If I comment out that rule, it just says that the next rule is a
> >>>>> duplicate.
> >>>>> These rules are being migrated from a working 2.7.2 install.  Anyone
> >>>>> run into this before?
> >>>>
> >>>>
> >>>>
> >>>> Are these overwrite rules?
> >>>>
> >>>>> --
> >>>>>
> >>>>> ---
> >>>>> You received this message because you are subscribed to the Google
> >>>>> Groups "ossec-list" group.
> >>>>> To unsubscribe from this group and stop receiving emails from it, send
> >>>>> an email to ossec-list+...@googlegroups.com.
> >>>>> For more options, visit https://groups.google.com/d/optout.
> >>>
> >
>
>

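The thread's diagnosis (custom rules in local_rules.xml reusing IDs that the project's own rule files already define, with only overwrite="yes" rules allowed to collide) can be checked before restarting the server. The script below is an added example, not code from the thread or from the OSSEC project: it loads rule files in the order rules_config would, reports every duplicate ID that is not an overwrite, flags custom rules numbered below 100000 (the custom range as stated in the thread; the OSSEC manual should be consulted for the exact upper bound), and renumbers the offending local rules into the custom range while also rewriting `<if_sid>` and `<if_matched_sid>` references to them. The two rule files are constructed samples modelled on the excerpts above; the loader behaviour is an approximation of ossec-analysisd's, not its actual parser.

```python
import xml.etree.ElementTree as ET

# Per the thread: IDs below this are reserved for the project's own rule sets
# (assumption taken from the thread, not from the OSSEC source).
CUSTOM_RULE_ID_MIN = 100000

# Constructed sample files standing in for syslog_rules.xml and local_rules.xml.
PROJECT_RULES = """<group name="syslog,access_control,">
  <rule id="2501" level="5">
    <match>FAILED LOGIN |authentication failure|</match>
    <group>authentication_failed,</group>
    <description>User authentication failure.</description>
  </rule>
</group>"""

LOCAL_RULES = """<group name="syslog,access_control,">
  <rule id="2501" level="0">
    <match> esm</match>
    <group>authentication_failed,</group>
    <description>User authentication failure.</description>
  </rule>
  <rule id="2502" level="0" overwrite="yes">
    <match>noisy cron message</match>
    <description>Legitimate overwrite of a project rule.</description>
  </rule>
  <rule id="100001" level="7">
    <if_sid>2501</if_sid>
    <match>from untrusted network</match>
    <description>Properly numbered custom rule chained to the local 2501.</description>
  </rule>
</group>"""


def parse_rule_file(xml_text):
    """OSSEC rule files hold several top-level <group> elements with no single
    root, so wrap the text in a dummy root before handing it to ElementTree."""
    return ET.fromstring("<rules>" + xml_text + "</rules>")


def load_rule_ids(xml_text):
    """Return [(rule_id, is_overwrite), ...] in file order."""
    out = []
    for rule in parse_rule_file(xml_text).iter("rule"):
        rid = int(rule.get("id"))
        overwrite = rule.get("overwrite", "no").lower() == "yes"
        out.append((rid, overwrite))
    return out


def check_rule_files(files):
    """files: [(filename, xml_text, is_custom), ...] in rules_config load order.
    Returns finding strings for duplicate IDs that lack overwrite="yes" (what
    analysisd refuses to load) and for custom rules numbered in the project range."""
    seen = {}  # rule id -> file that first defined it
    findings = []
    for fname, text, is_custom in files:
        for rid, overwrite in load_rule_ids(text):
            if rid in seen and not overwrite:
                findings.append(
                    f"{fname}: Duplicate rule ID:{rid} (first defined in {seen[rid]})")
            if is_custom and rid < CUSTOM_RULE_ID_MIN and not overwrite:
                findings.append(
                    f"{fname}: rule {rid} is below {CUSTOM_RULE_ID_MIN}; the project may "
                    f"claim that ID in any release, so move it into the custom range")
            seen.setdefault(rid, fname)
    return findings


def renumber_local_rules(xml_text, start=CUSTOM_RULE_ID_MIN):
    """Re-ID every non-overwrite rule below `start` into the custom range and
    rewrite <if_sid>/<if_matched_sid> references within the same file so the
    rule chain stays intact. Returns (old_id -> new_id mapping, new xml text)."""
    root = parse_rule_file(xml_text)
    mapping, next_id = {}, start
    for rule in root.iter("rule"):
        rid = int(rule.get("id"))
        if rid < start and rule.get("overwrite", "no").lower() != "yes":
            mapping[rid] = next_id
            next_id += 1
    for rule in root.iter("rule"):
        rid = int(rule.get("id"))
        if rid in mapping:
            rule.set("id", str(mapping[rid]))
        for ref in rule.findall("if_sid") + rule.findall("if_matched_sid"):
            ids = [s.strip() for s in (ref.text or "").split(",") if s.strip()]
            ref.text = ",".join(str(mapping.get(int(s), int(s))) for s in ids)
    body = ET.tostring(root, encoding="unicode")
    return mapping, body[len("<rules>"):-len("</rules>")]


if __name__ == "__main__":
    load_order = [("syslog_rules.xml", PROJECT_RULES, False),
                  ("local_rules.xml", LOCAL_RULES, True)]
    for finding in check_rule_files(load_order):
        print(finding)
    mapping, fixed = renumber_local_rules(LOCAL_RULES)
    print("renumbered:", mapping)
    print(fixed)
```

References from other files (and any decoders or active-response configuration that name the old IDs) are not rewritten by this script, so after renumbering, grep the whole rules directory for the old IDs and run `ossec-logtest` against a sample of the logs the moved rules are meant to catch before restarting the server.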