It is also worth noting that you may possibly be misunderstanding how <match> 
works. Match operates off of literal matches within the contents of the log, 
not the metadata of where the log came from. So if the string “ip_address” 
doesn’t appear in the Windows error event log, there isn’t going to be a match 
against any of your rules. You may or may not have better luck using 
<hostname>, if the intent is to filter by the origin of the log information.

It is also bad to filter by an aggregate rule, like 18154. Your second method, 
using SID 1803 is more desirable (bearing in mind the issues noted by Jesus and 
the issue noted above). The reason for this is there is no guarantee that all 
of the log entries in the 18154 alert actually come from the same agent. If 
lots of your servers are under attack and they all start throwing errors, one 
match on the IP address in an 18154 alert may filter out errors that have been 
grouped together from several machines. You should generally avoid filtering by 
alerts that say “multiple things happened” to avoid false negatives.


You might try something along the lines of this. I’d recommend including a 
<match> tag to filter out the particular error messages you think are too 
noisy, as there can be some valuable information in Windows error logs.

<rule id="100000" level="0">
  <if_sid>18103</if_sid>
  <hostname>whatever</hostname>
  <description>Filter out all error events from host whatever</description>
</rule>
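A complete local_rules.xml fragment that puts the <if_sid>, <hostname> and the recommended <match> together, as an added example that is not from this thread; the host name "whatever" follows the rule above, and the matched message text is a constructed placeholder:

```xml
<!-- Added example for local_rules.xml (not from the thread).
     Assumptions: the agent is named "whatever" as in the reply above; the
     two strings inside <match> are constructed placeholders standing in for
     the real noisy Windows error text you want to silence. -->
<group name="local,windows,">

  <!-- Hook off 18103 (one Windows error event), not the aggregate 18154,
       so every event is judged on its own origin and content.
       <hostname> is checked against where the log came from;
       <match> is a literal substring check against the log contents,
       and "|" separates alternatives inside one <match>.
       level="0" means the event is not alerted on, so no email is sent. -->
  <rule id="100001" level="0">
    <if_sid>18103</if_sid>
    <hostname>whatever</hostname>
    <match>Constructed noisy message A|Constructed noisy message B</match>
    <description>Ignore known-noisy error events A and B from host whatever</description>
  </rule>

  <!-- Error events from "whatever" that do not contain either string, and
       all error events from other hosts, are untouched by this rule and
       keep flowing into 18103 / 18154 as before. -->

</group>
```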


From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of Jesus Linares
Sent: Friday, February 19, 2016 6:17 AM
To: ossec-list <ossec-list@googlegroups.com>
Subject: Re: [ossec-list] Can't filter rule by IP


Hi, I agree with Dan. Anyway, why are you using "composite rules" (I mean with 
timeframe, frequency, etc.)? If you want to ignore some hosts you should use 
if_sid instead of if_matched_sid.


Regards.

Jesus Linares.

On Thursday, February 18, 2016 at 11:49:12 PM UTC+1, dan (ddpbsd) wrote:


On Feb 18, 2016 5:44 PM, "Jane Doe" <hadon...@gmail.com> wrote:
>
> Hey guys! 
>
> I'm trying to filter rule 18154 by not sending email alerts for certain 
> hosts. I've tried several ways to filter this in the local_rules.xml file.
>
> 1) 
>
> <var name="MS_FREQ">6</var>
>
> <group name="windows,">
>   <rule id="18154" level="10" frequency="$MS_FREQ" timeframe="240">
>     <if_matched_sid>18103</if_matched_sid>
>     <match>ip_address</match>    <!-- I've also replaced this with srcip -->
>     <match>ip_address</match>    <!-- I've also replaced this with srcip -->
>     <options>no_email_alerts</options>
>     <description>Multiple Windows error events.</description>
>   </rule>
> </group>
>
> 2) I've created my own rule
>
> <var name="MS_FREQ">6</var>
>
> <group name="windows,">
>   <rule id="100000" level="0" frequency="$MS_FREQ" timeframe="240">
>     <if_matched_sid>18103</if_matched_sid>
>     <match>ip_address</match>    <!-- I've also replaced this with srcip -->
>     <match>ip_address</match>    <!-- I've also replaced this with srcip -->
>     <description>Multiple Windows error events.</description>
>   </rule>
> </group>
>
> 3) 
>
> <group name="windows,">
>   <rule id="100000" level="0">
>     <if_matched_sid>18154</if_matched_sid>
>     <match>ip_address</match>    <!-- I've also replaced this with srcip -->
>     <match>ip_address</match>    <!-- I've also replaced this with srcip -->
>     <description>Multiple Windows error events.</description>
>   </rule>
> </group>
>
>
> Does the group name matter? Do I need to decode srcip? I have the general 
> idea on how to filter rules in general for all hosts, but I can't seem to get 
> it to work for specific hosts.
>

I think multiple matches not separated by a "|" will be ANDed together. Try it 
with 1 match option. 
Also, providing a log sample helps us test, and makes helping a lot easier.

> Thanks!
>
> -- 
>
> --- 
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ossec-list+...@googlegroups.com <javascript:> .
> For more options, visit https://groups.google.com/d/optout.
