I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo). I've updated /var/ossec/rules/local_rules.xml with the following rule:

    <rule id="100005" level="0">
      <if_sid>1002</if_sid>
      <hostname>testserver1|testserver2</hostname>
      <program_name>mip</program_name>
      <regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame</regex>
      <description>Ignore MIP Alerts</description>
    </rule>

I've tested the rule with:

    ossec-testrule: Type one log per line.

    Nov 12 13:48:50 testserver1 mip: : HAEngine : WARNING : 2 : Replay protection check failed

    **Phase 1: Completed pre-decoding.
           full event: 'Nov 12 13:48:50 testserver1 mip: : HAEngine : WARNING : 2 : Replay protection check failed '
           hostname: 'testserver1'
           program_name: 'mip'
           log: ' : HAEngine : WARNING : 2 : Replay protection check failed '

    **Phase 2: Completed decoding.
           No decoder matched.

    **Phase 3: Completed filtering (rules).
           Rule id: '100007'
           Level: '0'
           Description: 'Ignore MIP Alerts'

I've restarted everything, but the servers are still generating alerts:

    OSSEC HIDS Notification.
    2015 Nov 12 14:58:37

    Received From: (testserver1)
    Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
    Portion of the log(s):

    Nov 12 14:58:36 testserver1 mip: : HAEngine : WARNING : 2 : Replay protection check failed

    --END OF NOTIFICATION

Can anybody shed some light on what's going on, or what I should try next?
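As an added example (not part of the post above and not OSSEC's own code), the following Python script emulates what ossec-testrule's Phase 1 pre-decoding and the rule's three conditions do to a syslog line, so each condition of rule 100005 can be checked separately against constructed sample events. It assumes OSSEC's `<hostname>`/`<program_name>` are substring "match" tests and that `\.` in an OSSEC `<regex>` means any character; both are stated approximations of OSSEC syntax, not its implementation.

```python
import re

# Rule 100005 from the post, reduced to its three matching conditions.
RULE = {
    "hostname": r"testserver1|testserver2",
    "program_name": r"mip",
    "regex": r"HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame",
}

# Syslog header as ossec-testrule splits it in Phase 1: timestamp, hostname, program[pid]: log
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<program>[^:\[]+)(?:\[\d+\])?: (?P<log>.*)$"
)

def predecode(line):
    """Return the Phase 1 fields (hostname, program_name, log) or None if no header."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    return {"hostname": m["hostname"], "program_name": m["program"], "log": m["log"]}

def ossec_match(pattern, value):
    """Assumed OSSEC 'match' semantics: '|'-separated alternatives, each a substring test
    unless anchored with ^/$ (so 'testserver1' would also match 'testserver10')."""
    return any(re.search(alt if alt.startswith("^") or alt.endswith("$") else re.escape(alt), value)
               for alt in pattern.split("|"))

def ossec_regex(pattern, value):
    """Assumed translation of OSSEC regex: '\\.' is 'any character', then a plain search."""
    return re.search(pattern.replace(r"\.", "."), value) is not None

def rule_matches(rule, fields):
    """True when all three conditions of the rule hold for the pre-decoded fields."""
    if fields is None:
        return False
    return (ossec_match(rule["hostname"], fields["hostname"])
            and ossec_match(rule["program_name"], fields["program_name"])
            and ossec_regex(rule["regex"], fields["log"]))

# Constructed sample events: the one from the post plus three that each fail one condition.
SAMPLE_LINES = [
    "Nov 12 13:48:50 testserver1 mip: : HAEngine : WARNING : 2 : Replay protection check failed",
    "Nov 12 13:48:50 testserver3 mip: : HAEngine : WARNING : 2 : Replay protection check failed",
    "Nov 12 13:48:50 testserver1 mip: : HAEngine : ERROR : 2 : Replay protection check failed",
    "Nov 12 13:48:50 testserver2 sshd[123]: Failed to send pseudo-TCP segment frame",
]

def evaluate(lines):
    """Map each line to whether rule 100005 would match it."""
    return [rule_matches(RULE, predecode(line)) for line in lines]

if __name__ == "__main__":
    for line, hit in zip(SAMPLE_LINES, evaluate(SAMPLE_LINES)):
        print("MATCH " if hit else "no    ", line)
```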