Thanks, that helps!

I guess I still have the issue that <hostname>snort01|snort02</hostname> is not 
working for the second hostname (ie. alerts are being fired still.)

________________________________
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On 
Behalf Of oscar schneider
Sent: Friday, March 05, 2010 4:54 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Local Rules Syntax

No, what he is trying to say is that you do not push the rules to the agents, 
only configs. This is because the rules are not needed by the agents. The rules 
are only used by ossec-analysisd, which doesn't run on agents, but on the 
server only.

The ossec.conf and agent.conf are also read by agent side daemons, e.g. 
syscheck and logcollector.

On the agent side, for log analysis only the following things happen:
1. ossec-logcollector reads ossec.conf and agent.conf. From there it extracts 
the locations of files it needs to monitor.
2. Every time one of these logfiles gets a new log entry, logcollector will 
notice and write it to a socket.
3. ossec-agentd forwards the contents of that socket to the server.

The server will do the following:
1. ossec-analysisd reads decoder.xml and all rule files as specified in 
ossec.conf
2. When remoted receives a message from an agent, it forwards that message to 
analysisd
3. Analysisd runs predecoder (hard coded afaik), the appropriate decoder (as 
defined in decoder.xml) and then starts rule matching, i.e. compares the output 
of the decoding phase with the rules. Analysisd maybe has to consider a rule 
chain, e.g. if a decoded message matches rule 1000, rule 1001 has 
<if_sid>1000</if_sid> and matches also then 1001 would be returned instead of 
stopping at 1000.
4. After determining the final rule that matches, an alert is generated. If 
specified by the rule's options and alert level, e.g. an active response or email 
notification is also triggered.

As you can see, the rules are not pushed. They are not necessary on the agent 
side at all.

Changing the local_rules.xml at the server and restarting the server should 
suffice.

On Thu, Mar 4, 2010 at 11:42 PM, Jefferson, Shawn 
<shawn.jeffer...@bcferries.com> wrote:
Are you saying that you cannot put rules into the local_rules.xml file on the 
manager and have them applied to agents?  I thought I had seen a mailing list 
post that you could do that.
As described above, the rules are not needed for the agent.

So what I need to do is make a change to the local_rules.xml file on each agent 
where I want to ignore this event?

No


Thanks,
Shawn

________________________________
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of Wim Remes
Sent: Thursday, March 04, 2010 11:03 AM

To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Local Rules Syntax

Hi,

you don't push out rules, you push out config files, as specified here :
http://www.ossec.net/main/manual/centralized-config/

here you can specify configurations as follows :
<agent_config name="agent1|agent2">
<localfile>
<location>/var/log/my.log</location>
<log_format>syslog</log_format>
</localfile>
</agent_config>

the <hostname>host1|host2</hostname> should work on the event coming from 
either of both hosts.

Kind Regards,

Wim
On 04 Mar 2010, at 18:06, Jefferson, Shawn wrote:

Hi,

I have tried this, but unfortunately it doesn’t seem to work for the “snort02” 
hostname (ie. I still get alerts from that machine, but not from the snort01).

Thanks,
Shawn

________________________________
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of oscar schneider
Sent: Wednesday, March 03, 2010 4:35 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Local Rules Syntax

Hey,

not sure at the moment but I think it should be

<hostname>snort01|snort02</hostname>

instead.

Kind regards,

oscar
On Tue, Mar 2, 2010 at 6:55 PM, Jefferson, Shawn 
<shawn.jeffer...@bcferries.com> wrote:
Hi,

I’m putting some local rules into the local_rules.xml file on the manager (from 
what I’ve read you can put them here to push out to your agents?)

Can you use a comma separated list in <hostname> like so ?

<group name="local,snort">
<rule id="100100" level="0" noalert="1">
<if_sid>20100</if_sid>
<hostname>snort01, snort02</hostname>
<description>Ignoring snort events</description>
</rule>
</group>

Or should you use a regex?

Thanks,
Shawn
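To make the rule-chain walk described earlier in the thread (if_sid parent, hostname check, final rule decides whether an alert fires) concrete, here is a small Python model that loads the rule posted above with the pipe syntax suggested in the replies. This is an added example written for this thread, not OSSEC code; its hostname matcher only approximates OSSEC's semantics (pipe as alternation, ^/$ anchors, otherwise substring), and the treatment of the stock rule 20100 as an alerting parent is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment: the rule from the thread, using
# the pipe-separated hostname suggested in the replies.
LOCAL_RULES = """
<group name="local,snort">
  <rule id="100100" level="0" noalert="1">
    <if_sid>20100</if_sid>
    <hostname>snort01|snort02</hostname>
    <description>Ignoring snort events</description>
  </rule>
</group>
"""

def hostname_matches(pattern, hostname):
    """Approximation (assumption, not OSSEC code): '|' separates
    alternatives, '^'/'$' anchor, anything else is a plain substring.
    A comma-separated list is therefore one literal alternative."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        lit = alt[1 if start else 0:len(alt) - (1 if end else 0)]
        if start and end and hostname == lit:
            return True
        if start and not end and hostname.startswith(lit):
            return True
        if end and not start and hostname.endswith(lit):
            return True
        if not start and not end and lit in hostname:
            return True
    return False

def load_rules(xml_text):
    """Parse <rule> elements into a dict keyed by rule id."""
    return {r.get("id"): {"level": int(r.get("level")),
                          "noalert": r.get("noalert") == "1",
                          "if_sid": [s.text for s in r.findall("if_sid")],
                          "hostname": r.findtext("hostname") or ""}
            for r in ET.fromstring(xml_text).iter("rule")}

def final_rule(rules, matched_sid, hostname):
    """Walk the chain: keep descending into a child whose <if_sid> names the
    current rule and whose <hostname> (if any) matches the event's host."""
    current = matched_sid
    while True:
        child = next((rid for rid, r in rules.items() if current in r["if_sid"]
                      and (not r["hostname"]
                           or hostname_matches(r["hostname"], hostname))), None)
        if child is None:
            return current
        current = child

def alert_fires(rules, matched_sid, hostname):
    """Level-0 or noalert rules suppress; a rule outside local_rules
    (here the stock 20100) is assumed to alert."""
    r = rules.get(final_rule(rules, matched_sid, hostname))
    return True if r is None else (r["level"] > 0 and not r["noalert"])
```

With the comma form from the original post, `hostname_matches("snort01, snort02", "snort02")` is false, so the event stays on rule 20100 and still alerts.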
