[ossec-list] Re: My own rules
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: My own rules
- From: Dan <securitydan@xxxxxxxxx>
- Date: Wed, 19 Sep 2007 10:58:41 +0200
Hi
Thanks for your help.
I was able to make my own rules. But with some of them I have a
problem :-(
I have an application which reports to syslog and I need to match some
of these messages. But every time rule id 1002 is triggering
(syslog with $badwords)!
I created a new group <group name="syslog,errors,"> in local_rules.xml
and entered my rules.
For example:
<rule id="100010" level="0">
  <regex>kernelgrsec:|</regex>
  <description>xxx</description>
</rule>
<rule id="100011" level="7">
  <if_sid>100010</if_sid>
  <match>^failure</match>
  <description>xxx</description>
</rule>
The first rule won't generate an alert, but the second one should.
But rule 1002 always triggers. What error is in my filters?
Thanks for your help.
Regards,
Dan
On 19.09.2007 at 03:18, Daniel Cid wrote:
>
> Hi Daniel,
>
> Regarding how to write the rules, the following documents can help:
>
> http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
> http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 9/18/07, Peter M. Abraham <peter.m.abraham@xxxxxxxxx> wrote:
>>
>> Greetings Daniel:
>>
>> Custom rules can be placed in /var/ossec/rules/local_rules.xml
>>
>> Thank you.
>>
>>
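To see how a two-rule chain like the one in the post behaves on sample messages, here is an added Python model; it is not OSSEC's own engine, its <match>/<regex> semantics are deliberately simplified, the log lines are constructed, and the parent regex is assumed to be "grsec:" because the posted "kernelgrsec:|" looks line-wrapped. It loads the rules from a local_rules.xml fragment and reports which rule ids fire for a decoded message:

```python
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment modelled on the rules in the post
# (regex assumed to be "grsec:"; the posted one looks line-wrapped).
LOCAL_RULES = """<group name="syslog,errors,">
  <rule id="100010" level="0">
    <regex>grsec:</regex>
    <description>grsec kernel message (parent rule, no alert)</description>
  </rule>
  <rule id="100011" level="7">
    <if_sid>100010</if_sid>
    <match>^failure</match>
    <description>grsec failure</description>
  </rule>
</group>"""

def os_match(pattern, text):
    # Simplified model of OSSEC <match>: plain substring test; a leading
    # '^' anchors the pattern to the start of the decoded message.
    if pattern.startswith("^"):
        return text.startswith(pattern[1:])
    return pattern in text

def os_regex(pattern, text):
    # Simplified model of OSSEC <regex>: '|' separates alternatives, each
    # checked like <match>; OSSEC's \\w, \\d, \\s escapes are not modelled.
    return any(os_match(alt, text) for alt in pattern.split("|") if alt)

def load_rules(xml_text):
    # Flatten each <rule> element into a dict of the fields we evaluate.
    return [{"id": r.get("id"), "level": int(r.get("level")),
             "if_sid": r.findtext("if_sid"), "match": r.findtext("match"),
             "regex": r.findtext("regex")}
            for r in ET.fromstring(xml_text).iter("rule")]

def evaluate(rules, message):
    # Return the ids that fire for one decoded message: a child rule (if_sid)
    # is only tried once its parent has fired, as in an OSSEC rule chain.
    fired = []
    for rule in rules:
        if rule["if_sid"] and rule["if_sid"] not in fired:
            continue
        if rule["regex"] and not os_regex(rule["regex"], message):
            continue
        if rule["match"] and not os_match(rule["match"], message):
            continue
        fired.append(rule["id"])
    return fired

RULES = load_rules(LOCAL_RULES)
```

In this model a message such as "grsec: failure in mmap" fires only 100010, because the leading ^ in <match> ties "failure" to the start of the decoded message; with the anchor removed, both rules fire.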
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.