A workaround would be to create 2 rules, one with hostname=host1, one with hostname=host2. But if anyone has any idea how to do it "properly", I'd like to know.
On Fri, Mar 5, 2010 at 7:47 PM, Jefferson, Shawn <shawn.jeffer...@bcferries.com> wrote:

> Thanks, that helps!
>
> I guess I still have the issue that <hostname>snort01|snort02</hostname> is not working for the second hostname (i.e. alerts are being fired still.)
>
> ------------------------------
> From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of oscar schneider
> Sent: Friday, March 05, 2010 4:54 AM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Local Rules Syntax
>
> No, what he is trying to say is that you do not push the rules to the agents, only configs. This is because the rules are not needed by the agents. The rules are only used by ossec-analysisd, which doesn't run on agents, but on the server only.
>
> The ossec.conf and agent.conf are also read by agent-side daemons, e.g. syscheck and logcollector.
>
> On the agent side, for log analysis only the following things happen:
> 1. ossec-logcollector reads ossec.conf and agent.conf. From there it extracts the locations of files it needs to monitor.
> 2. Every time one of these logfiles gets a new log entry, logcollector will notice and write it to a socket.
> 3. ossec-agentd forwards the contents of that socket to the server.
>
> The server will do the following:
> 1. ossec-analysisd reads decoder.xml and all rule files as specified in ossec.conf.
> 2. When remoted receives a message from an agent, it forwards that message to analysisd.
> 3. Analysisd runs the predecoder (hard coded afaik), the appropriate decoder (as defined in decoder.xml) and then starts rule matching, i.e. compares the output of the decoding phase with the rules. Analysisd may have to consider a rule chain, e.g. if a decoded message matches rule 1000, and rule 1001 has <if_sid>1000</if_sid> and matches also, then 1001 would be returned instead of stopping at 1000.
> 4. After determining the final rule that matches, an alert is generated and, if specified by the rule's options and alert level, e.g. an active response or email notification follows.
>
> As you can see, the rules are not pushed. They are not necessary on the agent side at all.
>
> Changing the local_rules.xml at the server and restarting the server should suffice.
>
> On Thu, Mar 4, 2010 at 11:42 PM, Jefferson, Shawn <shawn.jeffer...@bcferries.com> wrote:
>
> > Are you saying that you cannot put rules into the local_rules.xml file on the manager and have them applied to agents? I thought I had seen a mailing list post that you could do that.
>
> As described above, the rules are not needed for the agent.
>
> > So what I need to do is make a change to the local_rules.xml file on each agent where I want to ignore this event?
>
> No.
>
> > Thanks,
> > Shawn
> >
> > ------------------------------
> > From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of Wim Remes
> > Sent: Thursday, March 04, 2010 11:03 AM
> > To: ossec-list@googlegroups.com
> > Subject: Re: [ossec-list] Local Rules Syntax
> >
> > Hi,
> >
> > you don't push out rules, you push out config files, as specified here:
> > http://www.ossec.net/main/manual/centralized-config/
> >
> > here you can specify configurations as follows:
> >
> > <agent_config name="agent1|agent2">
> >   <localfile>
> >     <location>/var/log/my.log</location>
> >     <log_format>syslog</log_format>
> >   </localfile>
> > </agent_config>
> >
> > the <hostname>host1|host2</hostname> should work on the event coming from either of both hosts.
> >
> > Kind Regards,
> > Wim
> >
> > On 04 Mar 2010, at 18:06, Jefferson, Shawn wrote:
> >
> > > Hi,
> > >
> > > I have tried this, but unfortunately it doesn't seem to work for the "snort02" hostname (i.e. I still get alerts from that machine, but not from snort01).
> > >
> > > Thanks,
> > > Shawn
> > >
> > > ------------------------------
> > > From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of oscar schneider
> > > Sent: Wednesday, March 03, 2010 4:35 AM
> > > To: ossec-list@googlegroups.com
> > > Subject: Re: [ossec-list] Local Rules Syntax
> > >
> > > Hey,
> > >
> > > not sure at the moment but I think it should be
> > >
> > > <hostname>snort01|snort02</hostname>
> > >
> > > instead.
> > >
> > > Kind regards,
> > > oscar
> > >
> > > On Tue, Mar 2, 2010 at 6:55 PM, Jefferson, Shawn <shawn.jeffer...@bcferries.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > I'm putting some local rules into the local_rules.xml file on the manager (from what I've read you can put them here to push out to your agents?)
> > > >
> > > > Can you use a comma separated list in <hostname> like so?
> > > >
> > > > <group name="local,snort">
> > > >   <rule id="100100" level="0" noalert="1">
> > > >     <if_sid>20100</if_sid>
> > > >     <hostname>snort01, snort02</hostname>
> > > >     <description>Ignoring snort events</description>
> > > >   </rule>
> > > > </group>
> > > >
> > > > Or should you use a regex?
> > > >
> > > > Thanks,
> > > > Shawn
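The comma-versus-`|` question at the bottom of the thread can be checked offline, before a rule file reaches the manager. The following is an added example, not code from the thread or from the OSSEC project: it parses a constructed local_rules.xml fragment, flags any `<hostname>` that looks like a comma-separated list (which OSSEC reads as one literal string containing a comma, so it matches neither host), and previews which hosts each pattern would cover. The matcher models OSSEC's rule-matching syntax, in which `|` is alternation and `^`/`$` anchor the ends; the unanchored-substring behaviour for patterns without anchors, the wrapper root element, and the helper names (`lint_hostnames`, `coverage`, `hostname_matches`) are assumptions of this demo.

```python
"""Lint <hostname> patterns in an OSSEC rule file and preview the hosts they cover.

Added example, not part of the ossec-list thread or of OSSEC itself.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the comma form from the thread next to the corrected form.
SAMPLE_RULES = """
<group name="local,snort">
  <rule id="100100" level="0" noalert="1">
    <if_sid>20100</if_sid>
    <hostname>snort01, snort02</hostname>
    <description>Ignoring snort events (comma form)</description>
  </rule>
  <rule id="100101" level="0" noalert="1">
    <if_sid>20100</if_sid>
    <hostname>snort01|snort02</hostname>
    <description>Ignoring snort events (alternation form)</description>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Return [(rule_id, hostname_pattern_or_None), ...].

    OSSEC rule files may contain several top-level <group> elements with no
    single root, so wrap them in a synthetic root before parsing (assumption of
    this demo; the element name is arbitrary).
    """
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    rules = []
    for rule in root.iter("rule"):
        host = rule.find("hostname")
        pattern = host.text.strip() if host is not None and host.text else None
        rules.append((rule.get("id"), pattern))
    return rules


def sregex_to_python(pattern):
    """Translate the subset of OSSEC regex syntax used in <hostname> to Python.

    Modelled here: '|' separates alternatives, '^' anchors the start and '$'
    the end of an alternative; every other character is literal. A comma is
    therefore just a comma, which is why "snort01, snort02" matches nothing.
    Assumption: an unanchored alternative matches anywhere in the hostname.
    """
    alternatives = []
    for alt in pattern.split("|"):
        start = "^" if alt.startswith("^") else ""
        end = "$" if alt.endswith("$") else ""
        alternatives.append(start + re.escape(alt.strip("^$")) + end)
    return re.compile("|".join(alternatives))


def hostname_matches(pattern, hostname):
    """True if the <hostname> pattern would select an event from this host."""
    return sregex_to_python(pattern).search(hostname) is not None


def lint_hostnames(xml_text):
    """Ids of rules whose <hostname> contains a comma, the mistake in the thread."""
    return [rid for rid, pat in parse_rules(xml_text) if pat and "," in pat]


def coverage(xml_text, hosts):
    """Map each rule id to the subset of `hosts` its <hostname> would match."""
    return {
        rid: [h for h in hosts if pat and hostname_matches(pat, h)]
        for rid, pat in parse_rules(xml_text)
    }


if __name__ == "__main__":
    fleet = ["snort01", "snort02", "snort03"]  # constructed host names
    print("comma-separated <hostname> in rules:", lint_hostnames(SAMPLE_RULES))
    for rid, covered in coverage(SAMPLE_RULES, fleet).items():
        print(f"rule {rid} would match: {covered}")
```

Running it reports rule 100100 as the comma-separated one, matching no host at all, and rule 100101 as covering snort01 and snort02 but not snort03. The check only addresses the syntax point; the observation later in the thread that the `|` form still alerted for snort02 is something to diagnose on the manager, not something this lint can explain.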