Hi,

Can you post the alert you are trying to ignore? Your hostname syntax is correct and should have worked.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Mar 5, 2010 at 2:47 PM, Jefferson, Shawn <shawn.jeffer...@bcferries.com> wrote:
> Thanks, that helps!
>
> I guess I still have the issue that <hostname>snort01|snort02</hostname> is
> not working for the second hostname (ie. alerts are being fired still.)
>
> ________________________________
> From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On
> Behalf Of oscar schneider
> Sent: Friday, March 05, 2010 4:54 AM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Local Rules Syntax
>
> No, what he is trying to say is that you do not push the rules to the agents,
> only configs. This is because the rules are not needed by the agents. The
> rules are only used by ossec-analysisd, which doesn't run on agents, but
> on the server only.
>
> The ossec.conf and agent.conf are also read by agent-side daemons, e.g.
> syscheck and logcollector.
>
> On the agent side, for log analysis only the following things happen:
> 1. ossec-logcollector reads ossec.conf and agent.conf. From there it
> extracts the locations of files it needs to monitor.
> 2. Every time one of these logfiles gets a new log entry, logcollector will
> notice and write it to a socket.
> 3. ossec-agentd forwards the contents of that socket to the server.
>
> The server will do the following:
> 1. ossec-analysisd reads decoder.xml and all rule files as specified in
> ossec.conf.
> 2. When remoted receives a message from an agent, it forwards that message
> to analysisd.
> 3. Analysisd runs the predecoder (hard-coded afaik), the appropriate decoder (as
> defined in decoder.xml) and then starts rule matching, i.e. compares the
> output of the decoding phase with the rules. Analysisd maybe has to consider
> a rule chain, e.g. if a decoded message matches rule 1000, rule 1001 has
> <if_sid>1000</if_sid> and matches also, then 1001 would be returned instead
> of stopping at 1000.
> 4. After determining the final rule that matches, an alert is generated,
> if specified by the rule's options and alert level, e.g. an active response or
> email notification.
>
> As you can see, the rules are not pushed. They are not necessary on the
> agent side at all.
>
> Changing the local_rules.xml at the server and restarting the server should
> suffice.
>
> On Thu, Mar 4, 2010 at 11:42 PM, Jefferson, Shawn
> <shawn.jeffer...@bcferries.com> wrote:
>
> Are you saying that you cannot put rules into the local_rules.xml file on
> the manager and have them applied to agents? I thought I had seen a mailing
> list post that you could do that.
>
> As described above, the rules are not needed for the agent.
>
> So what I need to do is make a change to the local_rules.xml file on each
> agent where I want to ignore this event?
>
> No
>
> Thanks,
> Shawn
>
> ________________________________
> From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On
> Behalf Of Wim Remes
> Sent: Thursday, March 04, 2010 11:03 AM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] Local Rules Syntax
>
> Hi,
>
> you don't push out rules, you push out config files, as specified here:
>
> http://www.ossec.net/main/manual/centralized-config/
>
> here you can specify configurations as follows:
>
> <agent_config name="agent1|agent2">
>   <localfile>
>     <location>/var/log/my.log</location>
>     <log_format>syslog</log_format>
>   </localfile>
> </agent_config>
>
> the <hostname>host1|host2</hostname> should work on the event coming from
> either of both hosts.
>
> Kind Regards,
>
> Wim
>
> On 04 Mar 2010, at 18:06, Jefferson, Shawn wrote:
>
> Hi,
>
> I have tried this, but unfortunately it doesn't seem to work for the
> "snort02" hostname (ie. I still get alerts from that machine, but not from
> the snort01.)
>
> Thanks,
> Shawn
>
> ________________________________
> From: ossec-l...@googlegroups.com [mailto:ossec-l...@googlegroups.com] on
> Behalf Of oscar schneider
> Sent: Wednesday, March 03, 2010 4:35 AM
> To: ossec-l...@googlegroups.com
> Subject: Re: [ossec-list] Local Rules Syntax
>
> Hey,
>
> not sure at the moment but I think it should be
>
> <hostname>snort01|snort02</hostname>
>
> instead.
>
> Kind regards,
>
> oscar
>
> On Tue, Mar 2, 2010 at 6:55 PM, Jefferson, Shawn
> <shawn.jeffer...@bcferries.com> wrote:
>
> Hi,
>
> I'm putting some local rules into the local_rules.xml file on the manager
> (from what I've read you can put them here to push out to your agents?)
>
> Can you use a comma separated list in <hostname> like so?
>
> <group name="local,snort">
>   <rule id="100100" level="0" noalert="1">
>     <if_sid>20100</if_sid>
>     <hostname>snort01, snort02</hostname>
>     <description>Ignoring snort events</description>
>   </rule>
> </group>
>
> Or should you use a regex?
>
> Thanks,
> Shawn
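As an added example (written for this page, not taken from the thread or from OSSEC's source), here is a small Python model of the server-side path oscar describes: predecode the syslog header, pick a decoder, walk the rule chain through <if_sid>, and alert only when the final rule's level is above 0 and noalert is not set. Assumptions: the rule set is the thread's local rule plus a stand-in for rule 20100 (its real definition is not on this page); the syslog lines are constructed; the toy decoder keys on program name only; and Python's re.search stands in for OSSEC's own regex dialect, which differs from Python's in places but treats `|` as alternation too. The <hostname> pattern is a parameter so the comma-separated spelling and the alternation spelling can be compared on the same events.

```python
"""Simplified model of the OSSEC server-side flow (predecode -> decode ->
rule chain -> alert decision). Illustrative code for this page, not OSSEC's
implementation; the decoder, field names and sample logs are assumptions."""
import re
import xml.etree.ElementTree as ET

# Constructed syslog lines as snort would log them on three sensors.
SAMPLE_LOGS = [
    "Mar  5 14:47:01 snort01 snort[1234]: [1:2000345:1] ET SCAN test {TCP} 10.0.0.1:1234 -> 10.0.0.2:80",
    "Mar  5 14:47:02 snort02 snort[1234]: [1:2000345:1] ET SCAN test {TCP} 10.0.0.1:1235 -> 10.0.0.2:80",
    "Mar  5 14:47:03 snort03 snort[1234]: [1:2000345:1] ET SCAN test {TCP} 10.0.0.1:1236 -> 10.0.0.2:80",
]

# Minimal syslog header parser standing in for the predecoder.
SYSLOG = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<hostname>\S+) "
    r"(?P<program>[^\[:\s]+)(\[\d+\])?: (?P<msg>.*)$"
)


def build_rules(hostname_pattern):
    """Rule 20100 is a stand-in for the real snort rule (assumption);
    rule 100100 is the thread's local rule with a parameterised <hostname>.
    A <rules> wrapper is added only so ElementTree has a single root."""
    xml = f"""<rules>
  <group name="snort">
    <rule id="20100" level="6">
      <decoded_as>snort</decoded_as>
      <description>Snort IDS event</description>
    </rule>
  </group>
  <group name="local,snort">
    <rule id="100100" level="0" noalert="1">
      <if_sid>20100</if_sid>
      <hostname>{hostname_pattern}</hostname>
      <description>Ignoring snort events</description>
    </rule>
  </group>
</rules>"""
    rules = []
    for r in ET.fromstring(xml).iter("rule"):
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "noalert": r.get("noalert") == "1",
            "if_sid": int(r.findtext("if_sid")) if r.find("if_sid") is not None else None,
            "decoded_as": r.findtext("decoded_as"),
            "hostname": r.findtext("hostname"),
        })
    return rules


def predecode(line):
    """Extract hostname, program name and message from the syslog header."""
    m = SYSLOG.match(line)
    if not m:
        return None
    return {"hostname": m["hostname"], "program_name": m["program"], "message": m["msg"]}


def decode(event):
    """Toy decoder selection keyed on program name only (assumption)."""
    event["decoded_as"] = "snort" if event["program_name"] == "snort" else None
    return event


def rule_matches(rule, event):
    if rule["decoded_as"] and rule["decoded_as"] != event.get("decoded_as"):
        return False
    if rule["hostname"]:
        # Partial regex match; '|' is alternation, a comma is a literal comma.
        if not re.search(rule["hostname"], event["hostname"]):
            return False
    return True


def match_chain(rules, event, parent_id=None):
    """Return the deepest matching rule, descending through <if_sid> children."""
    for rule in rules:
        if rule["if_sid"] != parent_id:
            continue
        if rule_matches(rule, event):
            child = match_chain(rules, event, rule["id"])
            return child or rule
    return None


def analyse(rules, line):
    """Run one line through the pipeline; None if it is not decodable/matched."""
    event = predecode(line)
    if event is None:
        return None
    rule = match_chain(rules, decode(event))
    if rule is None:
        return None
    alert = rule["level"] > 0 and not rule["noalert"]
    return {"host": event["hostname"], "rule": rule["id"], "level": rule["level"], "alert": alert}


def run(hostname_pattern):
    rules = build_rules(hostname_pattern)
    return [analyse(rules, line) for line in SAMPLE_LOGS]


if __name__ == "__main__":
    for pattern in ("snort01|snort02", "snort01, snort02"):
        print(f"<hostname>{pattern}</hostname>")
        for result in run(pattern):
            print("  ", result)
```

Running it shows that with `snort01|snort02` the events from both hosts end at rule 100100 with no alert, while `snort01, snort02` is just a literal string that matches neither host, so everything stays at 20100 and alerts. If the alternation form still fires for one host in a real deployment, the thing to check is what hostname analysisd actually sees for that event, for instance by feeding the raw line to ossec-logtest on the manager, since this model takes the hostname from the syslog header.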