Vladimir Seregin, 2015-11-27 08:31:29
Information Security

Why can't I overwrite the OSSEC rule?

Situation: I'm trying to overwrite the ossec rule (add it to the exceptions).
I write in local_rules.xml:

<rule id="5301" level="0" overwrite="yes">
    <if_sid>5300</if_sid>
    <match>authentication failure; |failed|BAD su|^-</match>
    <description>User missed the password to change UID (user id).</description>
    <group>authentication_failed,</group>
</rule>

ossec-logtest says "ossec-analysisd: Overwrite rule '5301' not found."
When trying to write something like:

<rule id="100008" level="0">
    <if_sid>5301</if_sid>
</rule>

ossec-logtest gives "Signature ID '5301' not found. Invalid 'if_sid'" when run.
At the same time, ossec refuses to start and writes in the log:

ossec-testrule(1220): ERROR: Error loading the rules: 'local_rules.xml'.

Rule '5301' is located in the syslog_rules.xml file, which is included in ossec.conf. The local_rules.xml file is also included.
Both files are readable by the ossec user.

1 answer(s)
Vladimir Seregin, 2015-11-27
@Heavis

Already found the answer (searched for a long time, maybe it will help someone):
You need to change the include order in the ossec.conf file.
Before:

<rules>
    <include>local_rules.xml</include>
...
    <include>syslog_rules.xml</include>
</rules>

After:

<rules>
    <include>syslog_rules.xml</include>
...
    <include>local_rules.xml</include>
</rules>

That is, local_rules must be included after all other rules.
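As an added example (not from the post or from the OSSEC project), a small Python check that walks the rule files in the order ossec.conf includes them and flags every rule that overwrites, or depends on via if_sid, an id that no earlier-included file has defined yet; the ossec.conf fragment and the trimmed rule files below are constructed, and the "failed overwrite defines nothing" behaviour is modelled on the two errors the question reports.

```python
import re
import xml.etree.ElementTree as ET

# Constructed <rules> block from ossec.conf (not taken from the post); the
# only difference between BAD_CONF and GOOD_CONF is the include order.
BAD_CONF = """<ossec_config><rules>
  <include>local_rules.xml</include>
  <include>syslog_rules.xml</include>
</rules></ossec_config>"""
GOOD_CONF = BAD_CONF.replace(
    "<include>local_rules.xml</include>\n  <include>syslog_rules.xml</include>",
    "<include>syslog_rules.xml</include>\n  <include>local_rules.xml</include>")

# Constructed, trimmed-down rule files keyed by include name. Real OSSEC rule
# files have no single XML root, so each one is wrapped in a dummy root below.
RULE_FILES = {
    "syslog_rules.xml": """<group name="syslog,">
  <rule id="5300" level="0"><description>su base</description></rule>
  <rule id="5301" level="5"><if_sid>5300</if_sid><description>su failed</description></rule>
</group>""",
    "local_rules.xml": """<group name="local,">
  <rule id="5301" level="0" overwrite="yes"><if_sid>5300</if_sid><description>silenced</description></rule>
  <rule id="100008" level="0"><if_sid>5301</if_sid><description>child of 5301</description></rule>
</group>""",
}


def include_order(conf_xml):
    """Return the rule file names in the order ossec.conf includes them."""
    return [inc.text.strip() for inc in ET.fromstring(conf_xml).iter("include")]


def check_rule_order(conf_xml, rule_files):
    """Return (file, rule_id, problem) for each rule that overwrites an id or
    references one via <if_sid> before any included file has defined it."""
    defined, problems = set(), []
    for name in include_order(conf_xml):
        root = ET.fromstring("<root>" + rule_files[name] + "</root>")
        for rule in root.iter("rule"):
            rid = rule.get("id")
            if rule.get("overwrite") == "yes" and rid not in defined:
                problems.append((name, rid, "overwrite of undefined rule"))
                continue  # a failed overwrite defines nothing (matches the post)
            # <if_sid> may hold a comma-separated list of parent ids
            refs = " ".join(s.text or "" for s in rule.findall("if_sid"))
            for ref in re.split(r"[,\s]+", refs):
                if ref and ref not in defined:
                    problems.append((name, rid, "if_sid %s not defined yet" % ref))
            defined.add(rid)
    return problems
```

Running check_rule_order(BAD_CONF, RULE_FILES) reports both the failed overwrite of 5301 and the dangling if_sid in 100008, while the GOOD_CONF order yields no findings.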
