
[ossec-list] Re: Need some help with ossec rule processing

Hi Rich,

The problem is that ossec differentiates between Windows and Unix messages. So,
if you forward Windows logs to syslog, they will all be treated as syslog. The
second problem is that the Windows decoder in ossec expects the logs to be in the
format that the ossec agent writes (which is different from the Snare format,
for example).

Regarding the rules, they are not really like a firewall... Ossec re-organizes
the rules based on their severity, so high severity rules are matched first.
Another thing is that ossec rules are highly dependent on the previous ones.
So, if you write a rule like this:

<rule id="12345" level="0">
 <if_sid>102</if_sid>
 <regex>Windows rule 1|Windows rule 2</regex>
 <description>ignoring bad rules</description>
</rule>

the Windows rules that are generating false positives will be ignored
(rule 102 = Unknown problem somewhere in the system)...

Another thing I would suggest is to use ossec to extract the logs directly
from your Windows systems. It compresses and encrypts the data in transit,
which most Windows syslog applications do not do. After the ossec server has
received the data, you can use some of the provided modules to extract them to
a database if you want to.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

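To make the rule-tree behaviour described above concrete, here is a small simulation added to this page; it is not OSSEC's engine and not code from the thread. It loads a constructed rule set (a stand-in for rule 102 plus the level-0 child rule from the reply), tries root rules highest level first, only tries a rule with <if_sid> after its parent has matched, and reports a final level-0 match as "ignored". Python's re module is used in place of OSSEC's own regex syntax, and case-insensitive matching is an assumption of this model.

```python
"""Simplified model of OSSEC-style rule processing (added illustration only).

Assumptions of this model, not a description of OSSEC internals:
  - root rules (no <if_sid>) are tried highest level first;
  - a rule with <if_sid> is tried only after the parent it names matched;
  - the deepest matching rule wins, and level 0 means "ignore the event".
"""
import re
import xml.etree.ElementTree as ET

# Constructed rule set. Rule 102's regex here is a placeholder, not OSSEC's real one;
# rule 12345 is the level-0 child rule quoted in the reply.
RULES_XML = """
<group>
  <rule id="100" level="3">
    <regex>notice</regex>
    <description>Generic notice (constructed)</description>
  </rule>
  <rule id="102" level="7">
    <regex>error|failure</regex>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="12345" level="0">
    <if_sid>102</if_sid>
    <regex>Windows rule 1|Windows rule 2</regex>
    <description>ignoring bad rules</description>
  </rule>
</group>
"""

# Constructed sample events, roughly shaped like forwarded Windows/Unix syslog lines.
SAMPLE_EVENTS = [
    "Aug  8 09:07:00 winhost MSWinEventLog Windows rule 1 logon failure for user bob",
    "Aug  8 09:07:01 winhost MSWinEventLog service control error 1053",
    "Aug  8 09:07:02 unixhost sshd[123]: notice: session opened",
    "Aug  8 09:07:03 unixhost cron[456]: all quiet",
]


def load_rules(xml_text):
    """Parse <rule> elements into dicts; if_sid is None for root rules."""
    rules = []
    for node in ET.fromstring(xml_text).iter("rule"):
        if_sid = node.findtext("if_sid")
        rules.append({
            "id": int(node.get("id")),
            "level": int(node.get("level")),
            "if_sid": int(if_sid) if if_sid else None,
            # IGNORECASE is an assumption of this model, see the docstring.
            "regex": re.compile(node.findtext("regex"), re.IGNORECASE),
            "description": node.findtext("description"),
        })
    return rules


def children_by_level(rules, parent_id):
    """Rules hanging off parent_id (root rules when None), highest level first."""
    return sorted((r for r in rules if r["if_sid"] == parent_id),
                  key=lambda r: r["level"], reverse=True)


def match_event(rules, message, parent_id=None):
    """Return the deepest matching rule by walking the if_sid chain."""
    for rule in children_by_level(rules, parent_id):
        if rule["regex"].search(message):
            child = match_event(rules, message, rule["id"])
            return child if child is not None else rule
    return None


def classify(rules, message):
    """Map an event to (rule id, level), or None when nothing matched.
    A level of 0 in the result is the 'ignored' case from the reply."""
    rule = match_event(rules, message)
    if rule is None:
        return None
    return (rule["id"], rule["level"])


def classify_samples():
    """Classify the constructed sample events; returns a list of results."""
    rules = load_rules(RULES_XML)
    return [classify(rules, event) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, classify_samples()):
        label = "no match" if result is None else (
            "ignored (level 0)" if result[1] == 0 else f"rule {result[0]} level {result[1]}")
        print(f"{label:22} <- {event}")
```

The first sample line hits the stand-in rule 102 and is then claimed by child rule 12345, so it ends at level 0 and is ignored; the second line stays at rule 102 (level 7) because the child regex does not match it.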
On 8/8/06, Zanni, Richard B <zanni@xxxxxxxxxxx> wrote:
I am using syslog-ng in a mixed environment (Linux/Unix/Win).  Windows
events are forwarded to the syslog-ng server via an eventlog-to-syslog
utility.  Events are stored in a mysql db and retrieved using php-syslog-ng.
I needed some way to analyze the logs automatically and thought ossec might
be a nice fit.  I've got ossec as a "local" installation on the syslog-ng
server and began doing some testing.

In order to have ossec analyze the incoming events, I configured syslog-ng
to dump all events to a file (in addition to the db) and then pointed ossec
at the file.  However, since both M$ and unix syslog messages are mixed
together, and the <log_format> is specified as "syslog", "windows" events
keep triggering with:

Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system." (ie:
There's some string in the M$ eventlog like failure, error, etc).

I'm a little confused about how the rules work.  I read in another post that
they behave like firewall rules.  I assume they get processed in order of
"rule_id" and stop at the first match.

So, then I tried writing the unix messages to one file and windows messages
to another.  However, when I specify the <log_format> for the windows
messages as "eventlog", I receive this error when starting up ossec:

Starting OSSEC HIDS v0.9 (by Daniel B. Cid)...

2006/08/08 09:07:00 ossec-logcollector(1903): Invalid event log:
'/var/log/syslog-ng/winevents.all'.

2006/08/08 09:07:00 ossec-logcollector(1202): Configuration problem.
Exiting.

2006/08/08 09:07:00 ossec-logcollector(1202): Configuration problem.
Exiting.

ossec-logcollector: Configuration error. Exiting

Since the MS eventlog messages are being written in a syslog format, do I
need to customize the rules to process them correctly?

Am I missing something obvious here?

Thanks for your help…

- Rich
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.