Hi Dan,

Not sure why ... ( but luckily this box is for lab / dev / test, so that's a good 
thing ) ... I had 2 rules directories ... one under /var/ossec/rules and 
another one under /var/ossec/etc/rules .
I was doing my edits to the files under /var/ossec/etc/rules .. instead of the 
correct directory /var/ossec/rules ... when I added my rules (and the 
appropriate ossec.conf stanza) to that directory it all started to work :)

Thanks!
 

-----Original message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On behalf 
of dan (ddp)
Sent: 24 April 2015 16:04
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Not able to apply custom rule

On Wed, Apr 22, 2015 at 4:03 PM, Linus Myrefelt
<linus.myref...@statnett.no> wrote:
> Hi All,
>
> I have been doing some googling and I hope .. or at least I hoped that my 
> skillz would have been up for the task ... however ... I am struggling 
> to get ossec to read my "custom" rules.
>
> I have in /var/ossec/etc/rules.d/local_rules.xml that looks as follows:
>
> cat /var/ossec/etc/rules.d/local_rules.xml
> <rule id="700006" level="10">
>      <if_sid>18104,5501,5503,5504,40101,40112,10100</if_sid>
>      <time>7:00 pm - 7:00 am</time>
>      <description>User logon outside business hours.</description>
>      <group>policy_violation</group>
> </rule>
>
> In /var/ossec/etc/ossec-server.conf
> <include>local_rules.xml</include>
>
>
> Which I was hoping would be able to fire off an alert if we have some 
> authentications happening between 7 and 7 .
> This is just a kind of mocked-up test ...
>
> Should be straightforward right?
> What have I been doing wrong? logtest seems to be able to read in my 
> local_rules.xml ... but applying or listing my custom rule ... no matter how 
> "many" rules I have it still spits out the same number of rules.
>
> Thanks!
>
> However this is the results from testing;
> /var/ossec/bin/ossec-logtest -v
> 2015/04/22 21:55:38 ossec-testrule: INFO: Reading decoder file 
> etc/local_decoder.xml.
> 2015/04/22 21:55:38 ossec-testrule: INFO: Reading decoder file 
> etc/decoder.xml.
> 2015/04/22 21:55:38 ossec-testrule: INFO: Started (pid: 11140).
> ossec-testrule: Type one log per line.
>
> Apr 22 21:25:02 <hostname> sshd[3141]: pam_unix(sshd:session): session opened 
> for user root by (uid=0)
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Apr 22 21:25:02 <hostname> sshd[3141]: 
> pam_unix(sshd:session): session opened for user root by (uid=0)'

Are you running the logtest after 7pm? OSSEC doesn't read the
timestamp from the event, it uses the timestamp of when the event was
received.

>        hostname: '<hostname>'
>        program_name: 'sshd'
>        log: 'pam_unix(sshd:session): session opened for user root by (uid=0)'
>
> **Phase 2: Completed decoding.
>        decoder: 'pam'
>
> **Rule debugging:
>     Trying rule: 1 - Generic template for all syslog rules.
>        *Rule 1 matched.
>        *Trying child rules.
>     Trying rule: 5500 - Grouping of the pam_unix rules.
>        *Rule 5500 matched.
>        *Trying child rules.
>     Trying rule: 5552 - PAM and gdm are not playing nicely.
>     Trying rule: 5503 - User login failed.
>     Trying rule: 5504 - Attempt to login with an invalid user.
>     Trying rule: 5501 - Login session opened.
>        *Rule 5501 matched.
>        *Trying child rules.
>     Trying rule: 5521 - Ignoring Annoying Ubuntu/debian cron login events.
>     Trying rule: 40101 - System user successfully logged to the system.
>     Trying rule: 40112 - Multiple authentication failures followed by a 
> success.
>     Trying rule: 10100 - First time user logged in.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '5501'
>        Level: '3'
>        Description: 'Login session opened.'
> **Alert to be generated.
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

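Dan's point above, that the `<time>` window is checked against the clock at the moment the event is received rather than the timestamp written in the log line, can be reproduced with a small re-implementation of the window check. This is an added example, not OSSEC's own parser; `in_window`, `rule_700006_fires` and the afternoon/night receipt times are constructed for illustration.

```python
import re
from datetime import datetime, time

# Assumed: a minimal re-implementation of how an OSSEC <time> window such as
# "7:00 pm - 7:00 am" is evaluated. Not OSSEC's code. It shows two things:
# (1) an overnight window that crosses midnight, and (2) that the clock being
# compared is the receipt time, not the timestamp embedded in the log line.

_TIME_RE = re.compile(r"^\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)?\s*$", re.I)


def parse_clock(text: str) -> time:
    """Parse '7:00 pm', '7 pm' or '19:00' into a datetime.time."""
    m = _TIME_RE.match(text)
    if not m:
        raise ValueError(f"bad time: {text!r}")
    hour, minute, ampm = int(m.group(1)), int(m.group(2) or 0), m.group(3)
    if ampm:  # 12-hour clock: 12 am -> 0, 12 pm -> 12, 7 pm -> 19
        hour = hour % 12 + (12 if ampm.lower() == "pm" else 0)
    return time(hour, minute)


def in_window(clock: time, spec: str) -> bool:
    """True if `clock` falls inside 'start - end', handling overnight spans."""
    start, end = (parse_clock(p) for p in spec.split("-", 1))
    if start <= end:                        # e.g. 9:00 am - 5:00 pm
        return start <= clock <= end
    return clock >= start or clock <= end   # e.g. 7:00 pm - 7:00 am


def rule_700006_fires(received_at: datetime, spec: str = "7:00 pm - 7:00 am") -> bool:
    """What the rule effectively tests: wall-clock time at receipt, not log time."""
    return in_window(received_at.time(), spec)


# Constructed sample: the sshd line in the thread is stamped 21:25, but if
# ossec-logtest is run at 16:04 only the receipt time decides the match.
LOG_STAMP = datetime(2015, 4, 22, 21, 25, 2)      # time written in the log line
RUN_AT_AFTERNOON = datetime(2015, 4, 22, 16, 4)   # logtest run during the day
RUN_AT_NIGHT = datetime(2015, 4, 22, 21, 55, 38)  # logtest run after 7 pm

if __name__ == "__main__":
    print("log line's own timestamp is in window:", in_window(LOG_STAMP.time(), "7:00 pm - 7:00 am"))
    print("received at 16:04 -> fires:", rule_700006_fires(RUN_AT_AFTERNOON))
    print("received at 21:55 -> fires:", rule_700006_fires(RUN_AT_NIGHT))
```

Feeding the line through logtest in the afternoon therefore cannot reach rule 700006 even when the rules file is picked up; rerunning after 7 pm (or narrowing the window for the test) is the way to confirm the rule itself.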