[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] Re: another local_rules.xml question

To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: another local_rules.xml question
From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
Date: Fri, 20 Apr 2007 18:23:44 -0300
Content-disposition: inline
Content-transfer-encoding: quoted-printable
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Agc4MS+0jI7TKanwApfA24R9YCAeKgEzpS2PP1YSJElNkyE72fIE98Qu4fEtqsz3u4zaPnE8GudsLEr1E9F+vzsfHd3cDoJ9vUwrWZlSqojaZgS2LsFnXsWjd3Rsm9ncTJy7Lt6ONE3IZI4Pg820DkQENHTQ+3pkZJcEdSvfKyc=


Hi Chad,

First of all, you are only getting these alerts because your IIS logs
are not configured
in a way that ossec understands it. The following link explains what you need to
enable in your logs for it to work (ossec expects every field enabled):

http://www.ossec.net/en/manual.html#iis

However, if you can't re-configure IIS for any reason, try removing the spaces
from your local rule (your log does not have spaces before pageerror) and
restarting ossec.

from:
<match> pageerror.aspx </match>

to:
<match>pageerror.aspx </match>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net


On 4/20/07, Chad Rober <chadrober@xxxxxxxxx> wrote:



I know this has been covered over and over again but I can't seem to make it
work.



Here is my setup:



Windows box generating these:



2007-04-20 04:52:27 192.168.1.100 GET /folder1/path2/pageerror.aspx -
70.44.101.88 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+Media+Center+PC+5.0;+.NET+CLR+3.0.04506)
– www.mydomainname.com 200 0 0 1729 443 93



OSSEC generating these:



OSSEC HIDS Notification.

2007 Apr 20 00:49:55



Received From: (webserver1) 192.168.1.100->\IIS Log Files\W3SVC\ex070420.log

Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."

Portion of the log(s):

<see above>

 --END OF NOTIFICATION



So I added this to my ossec.conf on the windows box



<ossec_config>



<!-- rules global entry -->

  <rules>

    <include>local_rules.xml</include>

  </rules>

</ossec_config>



And this to the local_rules.xml file on the windows box



<group name="local">

      <rule id="123456" level="0">

            <if_sid>1002</if_sid>

            <match> pageerror.aspx </match>

            <description>Events ignored</description>

      </rule>



</group>



…and restarted both the server and the client.



But yet I still receive the notifications.  I've read about the rule id
needing to be in the 10xxxx range so I changed that but it didn't help.




Thanks a ton!

Chad

References:
- [ossec-list] another local_rules.xml question
  - From: Chad Rober

Prev by Date: [ossec-list] another local_rules.xml question
Next by Date: [ossec-list] Re: IIS rule to alert on blank cs-host
Previous by thread: [ossec-list] another local_rules.xml question
Next by thread: [ossec-list] Ossec Windows Agent and NIC Teaming
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.