Sorry about that, it is just a simple typo. I didn't want to copy&paste the
actual rule, as it had some semi-private information in it.  I copied and
pasted my actual rule 100005 to a test rule 100007, so please just ignore
that.  Here is the actual updated test rule I'm trying:

  <rule id="100007" level="0">
    <if_sid>1002</if_sid>
    <hostname>testserver</hostname>
    <program_name>mip</program_name>
    <regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame</regex>
    <description>Ignore MIP Alerts</description>
  </rule>

Here is the current log entry I'm testing:
Nov 13 16:07:17 testserver mip:  : HAEngine : WARNING   :     2 : Replay protection check failed

And here are the current results:
**Phase 1: Completed pre-decoding.
       full event: 'Nov 13 16:07:17 testserver mip:  : HAEngine : WARNING   :     2 : Replay protection check failed'
       hostname: 'testserver'
       program_name: 'mip'
       log: ' : HAEngine : WARNING   :     2 : Replay protection check failed'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100007'
       Level: '0'
       Description: 'Ignore MIP Alerts'


However, the email alerts are still coming in. I'm trying to start some of
this up in debug mode, so I can gather further information.




On Fri, Nov 13, 2015 at 11:27 AM, dan (ddp) <ddp...@gmail.com> wrote:

> On Fri, Nov 13, 2015 at 11:16 AM, Pedro S. <snao...@gmail.com> wrote:
> > My confusion was the rule he wrote here has SID 100005 and the logtest
> > result has SID 100007, sorry about that.
> >
>
> You're right, I totally missed that. Now I'm wondering what 100007 is.
>
> > Still i'll try to create a generic rule to make sure OSSEC is loading new
> > rules.
> >
> > Anyways, if Dan has already tested it, the rule is working; it should be that
> > your OSSEC is not loading the rule properly.
> >
> >
> > On Friday, November 13, 2015, 8:04:05 (UTC-8), dan (ddpbsd)
> wrote:
> >>
> >> On Fri, Nov 13, 2015 at 10:59 AM, Pedro S. <sna...@gmail.com> wrote:
> >> > Hi Daniel,
> >> >
> >> > The alert you changed to level 0 isn't the same one that you wrote
> some
> >> > lines before, is it?
> >> > You turned rule SID 100005 to 0, but the alert you show us has SID 1002.
> >> >
> >>
> >> The log message used in the ossec-logtest example matches the log
> >> message that is in the alert. The problem is that ossec-logtest shows
> >> that the log message should match rule 100005, but ossec-analysisd is
> >> matching the log message to 1002.
> >>
> >>
> >> > For testing purposes try to deactivate (change to level 0) rule 1002
> and
> >> > check if it is still generating these alerts.
> >> >
> >>
> >> Don't do this. There's no reason to change that to 0. Even for
> >> testing. I've been using OSSEC for a little while now, and I don't
> >> think that would have ever helped with anything.
> >>
> >> >
> >> >
> >> >
> >> >
> >> > On Friday, November 13, 2015, 7:44:37 (UTC-8), Daniel Bray
> >> > wrote:
> >> >>
> >> >> On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote:
> >> >>>>
> >> >>>>  I'm waiting to see if it generates an alert.
> >> >>>
> >> >>>
> >> >>
> >> >>
> >> >> Nope, issue remains. Very confusing.
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an
> >> > email to ossec-list+...@googlegroups.com.
> >> > For more options, visit https://groups.google.com/d/optout.

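As an added illustration (not OSSEC's own code, and only an approximation of its regex dialect), the following Python emulates what ossec-logtest reports above: Phase 1 syslog pre-decoding into hostname, program_name and log, and the Phase 3 check of the rule's hostname, program_name and regex fields against those values, using the rule and log line from this post. The if_sid chain through rule 1002 is not modelled.

```python
import re
# Subset of OSSEC os_regex syntax: \. is any char, \w \d \s \S \W \D \t are
# classes, + * quantify, | alternates, ^ $ anchor. A bare '.' is a literal dot.
OSSEC_CLASSES = {"w": "[A-Za-z0-9_]", "W": "[^A-Za-z0-9_]", "d": "[0-9]",
                 "D": "[^0-9]", "s": " ", "S": "[^ ]", "t": "\t", ".": "."}

def ossec_to_python(pattern, regex=True):
    """Translate an OSSEC pattern to Python re. regex=False is the
    <match>/<hostname>/<program_name> dialect, where only ^ $ | are special."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if regex and c == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        out.append(c if c in ("+*|^$()" if regex else "|^$") else re.escape(c))
        i += 1
    return "".join(out)

# Phase 1: syslog pre-decoding. Like OSSEC, exactly one space after "prog:" is
# dropped, which is why the sample's log field starts with ' : '.
SYSLOG = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<hostname>\S+) "
                    r"(?P<program_name>[^\s:\[]+)(?:\[\d+\])?: ?(?P<log>.*)$", re.S)

def predecode(line):
    m = SYSLOG.match(line)
    return m.groupdict() if m else {"hostname": "", "program_name": "", "log": line}

# Phase 3: hostname/program_name use the match dialect, <regex> is searched in
# the decoded log field. All present conditions must hold for the rule to fire.
def rule_matches(rule, event):
    for key, field, is_regex in (("hostname", "hostname", False),
                                 ("program_name", "program_name", False),
                                 ("regex", "log", True)):
        if key in rule and not re.search(ossec_to_python(rule[key], is_regex),
                                         event[field], re.S):
            return False
    return True

# Rule and log line taken from the post above (if_sid is kept for reference only).
RULE_100007 = {"id": "100007", "level": 0, "if_sid": "1002", "hostname": "testserver",
               "program_name": "mip", "regex": r"HAEngine\.*INFO|HAEngine\.*WARNING|"
               r"Failed to send pseudo-TCP segment frame"}
LOG_LINE = ("Nov 13 16:07:17 testserver mip:  : HAEngine : WARNING   :     2 : "
            "Replay protection check failed")

def logtest(line, rule=RULE_100007):
    # Returns (decoded fields, whether every rule condition matched).
    event = predecode(line)
    return event, rule_matches(rule, event)
```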