Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)
Hi, yes, a cdb list is what you need.

1. Create the list: /var/ossec/lists/allow_users.txt

    $ cat allow_users
    jesuslinares:
    maxim:

2. Add the file to ossec.conf:

    <ossec_config>
      <rules>
        <list>lists/allow_users</list>
      </rules>
    </ossec_config>

3. Compile the list:

    $ /var/ossec/bin/ossec-makelists

4. Use it in your rules:

    <list field="user" lookup="match_key">lists/allow_users</list>

Example:

    <!-- rule ids and levels shown as "..." were not preserved by the list archive -->
    <decoder name="ExampleLogin">
      <prematch>LOGIN</prematch>
      <regex>user '(\S+)'</regex>
      <order>user</order>
    </decoder>

    <rule id="100011" level="...">
      <decoded_as>ExampleLogin</decoded_as>
      <if_group>authentication_success</if_group>
      <match>LOGIN</match>
      <group>authentication_success</group>
      <description>Bad user</description>
    </rule>

    <rule id="..." level="...">
      <if_sid>100011</if_sid>
      <list field="user" lookup="match_key">lists/allow_users</list>
      <description>Allow user</description>
    </rule>

Regards.
Jesus Linares.

On Thursday, March 3, 2016 at 12:50:06 PM UTC+1, dan (ddpbsd) wrote:
> On Mar 3, 2016 6:30 AM, "Maxim Surdu" wrote:
> > It is a solution, but can I create a list and a rule to read all my list from the file, or something like this, because now I have 300 clients but it can be more and it will not work any more.
>
> If that username is decoded into a user field, you might be able to create a cdb database and filter based on that.
>
> > Thanks for your responsiveness.

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)
On Mar 3, 2016 6:30 AM, "Maxim Surdu" wrote:
> It is a solution, but can I create a list and a rule to read all my list from the file, or something like this, because now I have 300 clients but it can be more and it will not work any more.

If that username is decoded into a user field, you might be able to create a cdb database and filter based on that.

> Thanks for your responsiveness.
>
> On Thu, 3 March 2016, 12:13:36 UTC+2, dan (ddpbsd) wrote:
>> On Mar 3, 2016 4:18 AM, "Maxim Surdu" wrote:
>> > [...]
>> > Because I have a lot of clients OSSEC gives me an error and does not start. How can I manage or edit this rule?
>>
>> Have you tried to create multiple rules, each with only a portion of the client list?
Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)
It is a solution, but can I create a list and a rule to read all my list from the file, or something like this, because now I have 300 clients but it can be more and it will not work any more.

Thanks for your responsiveness.

On Thu, 3 March 2016, 12:13:36 UTC+2, dan (ddpbsd) wrote:
> On Mar 3, 2016 4:18 AM, "Maxim Surdu" wrote:
> > [...]
> > Because I have a lot of clients OSSEC gives me an error and does not start. How can I manage or edit this rule?
>
> Have you tried to create multiple rules, each with only a portion of the client list?
Re: [ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)
On Mar 3, 2016 4:18 AM, "Maxim Surdu" wrote:
> Hi dear community,
>
> [...]
>
> Because I have a lot of clients OSSEC gives me an error and does not start. How can I manage or edit this rule?

Have you tried to create multiple rules, each with only a portion of the client list?

> I appreciate your help, and a lot of respect for developers and community!
[ossec-list] Error reading XML file 'rules//local_rules.xml': XMLERR: String overflow. (line 89)
Hi dear community,

I installed and configured about 10 agents, and of course I have a lot of users; a part of these users are FTP clients.

In policy-rules.xml I have the next rules:

    <!-- rule ids and levels shown as "..." were not preserved by the list archive -->
    <rule id="17101" level="9">
      <if_group>authentication_success</if_group>
      <time>4 pm - 7 am</time>
      <description>Successful login during non-business hours.</description>
      <group>login_time,</group>
    </rule>

    <rule id="17102" level="...">
      <if_group>authentication_success</if_group>
      <weekday>weekends</weekday>
      <description>Successful login during weekend.</description>
      <group>login_day,</group>
    </rule>

    OSSEC HIDS Notification.
    2016 Mar 02 19:05:41

    Received From: (host.xx.xx) xxx.xxx.xxx.xxx->/var/log/messages
    Rule: 17101 fired (level 9) -> "Successful login during non-business hours."
    Portion of the log(s):

    Mar 2 21:05:38 host pure-ftpd: (?@xxx.xxx.xx.xxx) [INFO] transpor is now logged in

    --END OF NOTIFICATION

transpor is the username of my client, and I add a rule to ignore alerts of these users because they are clients.

In local_rules I create the next rule to ignore "Successful login during non-business hours" and "Successful login during weekend" for FTP clients:

    <rule id="17101" level="9">
      <if_group>authentication_success</if_group>
      <time>4 pm - 7 am</time>
      <description>Successful login during non-business hours.</description>
      <group>login_time,pci_dss_10.2.5,pci_dss_10.6.1,</group>
    </rule>

    <rule id="17102" level="...">
      <if_group>authentication_success</if_group>
      <weekday>weekends</weekday>
      <description>Successful login during weekend.</description>
      <group>login_day,pci_dss_10.2.5,pci_dss_10.6.1,</group>
    </rule>

    <rule id="..." level="...">
      <if_sid>17101</if_sid>
      <user>transpor | client1 | client2 | client3 | ... | client 50</user>
      <description>Session open by Client</description>
    </rule>

    <rule id="..." level="...">
      <if_sid>17102</if_sid>
      <user>transpor | client1 | client2 | client3 | ... | client 50</user>
      <description>Session open by Client</description>
    </rule>

Because I have a lot of clients OSSEC gives me an error and does not start. How can I manage or edit this rule?

I appreciate your help, and a lot of respect for developers and community!