
5.4 update breaks OSSEC-HIDS

apktorry

I have noticed that any OSSEC rule that contains a $ or \$ in a REGEX causes the OSSEC server to fail to start:-

This rule disables events for WINDOWS NETWORK LOGON for MACHINE accounts (i.e. account name ends in $)

    <rule id="970004" level="0" overwrite="no">
      <if_sid>700003</if_sid>
      <regex>Security-Auditing:\s+\S+\$:</regex>
      <description>Ignore Windows machine logon messages.</description>
      <group>authentication_success,</group>
    </rule>
    <rule id="902002" level="0" overwrite="no">
      <description>Ignore Windows machine logoff messages.</description>
      <if_sid>102002</if_sid>
      <group>authentication_success,</group>
      <regex>User Name:\s+\S+\$\s+|Account Name:\s+\S+\$\s+\.*Logon Type:\s+3\s+|Logon Type:\s+3\.*Account Name:\s+\S+\$\s+|Account Name:\s+DWM-\d+\s+|Account Name:\s+SYSTEM\s+</regex>
    </rule>
    <rule id="102003" level="0" overwrite="yes">
      <if_sid>18104</if_sid>
      <id>^540$</id>
      <description>Ignore Windows machine logon messages.</description>
      <group>authentication_success,</group>
    </rule>

This will break OSSEC after the 5.4 update. It was working perfectly in 5.3.

Please FIX it!
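Because OSSEC expands `$VARNAME` references in rule contents before any `<regex>` is compiled, a literal `$` can surface as an XML variable error rather than a regex error. The following pre-flight checker is an added example (not OSSEC's or AlienVault's code): it parses a rules file, flags every `$` inside pattern elements and reports the character that follows it, so the rules can be reviewed before the HIDS server is restarted. The set of pattern tags and the sample rules are assumptions built from the rules posted in this thread; the script does not replicate OSSEC's expansion rules exactly.

```python
"""Pre-flight check for OSSEC rule files: find '$' inside pattern elements.

Added example, not OSSEC's or AlienVault's code. It flags candidates for
review; it does not reproduce OSSEC's variable expansion exactly (assumption).
"""
import re
import sys
import xml.etree.ElementTree as ET

# Rule children whose text OSSEC treats as patterns (assumed subset of interest).
PATTERN_TAGS = ("regex", "match", "id", "url", "srcip", "user")

# A '$', optionally preceded by a backslash, plus the single character after it.
DOLLAR = re.compile(r"\\?\$(.?)")

# Constructed sample built from the rules posted in the thread above.
SAMPLE_RULES = r"""<group name="local">
  <rule id="970004" level="0" overwrite="no">
    <if_sid>700003</if_sid>
    <regex>Security-Auditing:\s+\S+\$:</regex>
    <description>Ignore Windows machine logon messages.</description>
  </rule>
  <rule id="102003" level="0" overwrite="yes">
    <if_sid>18104</if_sid>
    <id>^540$</id>
    <description>Ignore Windows machine logon messages.</description>
  </rule>
</group>"""


def find_dollar_refs(xml_text):
    """Return (rule_id, tag, escaped, next_char) for each '$' in a pattern element.

    next_char is what a variable-expanding parser would read as the start of the
    variable name, or '<end>' when the '$' is the last character of the pattern."""
    # Rule files may contain several top-level <group> elements, so wrap them.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    findings = []
    for rule in root.iter("rule"):
        for elem in rule:
            if elem.tag not in PATTERN_TAGS or not elem.text:
                continue
            for m in DOLLAR.finditer(elem.text):
                escaped = m.group(0).startswith("\\")
                findings.append((rule.get("id"), elem.tag, escaped, m.group(1) or "<end>"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for rule_id, tag, escaped, nxt in find_dollar_refs(text):
        mark = "\\$" if escaped else "$"
        print(f"rule {rule_id} <{tag}>: {mark} followed by {nxt!r}")
```

Run it as `python check_dollar.py /var/ossec/alienvault/rules/local_rules.xml`; with no argument it scans the embedded sample and reports rule 970004 (`\$` followed by `:`) and rule 102003 (`$` at the end of the pattern).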


Comments

  • I am fully aware of the 'old' bug in OSSEC that caused an issue, but my local_rules.xml file was working in 5.3 without any issues and now it is not in 5.4.

    I assume it is a bug in OSSIM deployment/use of OSSEC itself.

    If local_rules.xml contains:-

        <rule id="970004" level="0" overwrite="no">
          <if_sid>700003</if_sid>
          <regex>Security-Auditing:\s+\S+\$:</regex>
          <description>Ignore Windows machine logon messages.</description>
          <group>authentication_success,</group>
        </rule>

    I get:-

        alienvault:~# /var/ossec/bin/ossec-logtest
        2017/06/29 15:58:34 ossec-testrule: INFO: Reading decoder file alienvault/decoders/local_decoder.xml.
        2017/06/29 15:58:34 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
        2017/06/29 15:58:34 ossec-analysisd(1227): ERROR: Error applying XML variables 'alienvault/rules/local_rules.xml': XMLERR: Unknown variable: ':'..
        2017/06/29 15:58:34 ossec-testrule(1220): ERROR: Error loading the rules: 'alienvault/rules/local_rules.xml'.

    But if I change the REGEX to:-

          <regex>Security-Auditing:\s+\S+:</regex>

    It works but the rule does not DO what it is supposed to DO.


  • I have a problem like that. After updating OSSIM to 5.4, HIDS can't start. Please guide me or fix it now:

    Logs show:

        Error applying XML variables 'alienvault/rules/alienvault-windows-account-security_rules.xml': XMLERR: Unknown variable: '\'..
        2017/06/30 07:47:35 testrule(1220): ERROR: Error loading the rules: 'alienvault/rules/alienvault-windows-account-security_rules.xml'.

  • Hello

    I had the same problem with "local_rules.xml". I checked that this rule was in /var/ossec/alienvault/rules and had 0 bytes, so I found the same rule in /var/ossec/rules, copied it from one folder to the other, and it worked.