Hi Daniel, you are right, I forgot to add a regex to the rule. It could be something like:

<group name="ignore,">
  <!-- Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode -->
  <rule id="100001" level="0">
    <if_sid>5104</if_sid>
    <regex>device veth\S+ entered promiscuous mode</regex>
    <description>Ignore rule 5104 for weave.</description>
  </rule>
</group>

Adapt the regex to the logs generated by weave. Also, you can use *<match>*. Let me know if it works ;).

Regards.

On Wednesday, January 18, 2017 at 6:11:38 PM UTC+1, Daniel B. wrote:
>
> Jesus, thanks for the response. I'm aware of ossec-logtest always showing
> the name of the parent (which confused me until I RTFM). Using
> `ossec-logtest -v` I was able to verify that the decoder was not being hit
> as the rule for that was not being caught.
>
> I did consider inserting an entry into local_rules.xml, but that would
> ignore *all* alerts with sid 5104 (and not just the ones raised by
> weave). I suppose it's better than digging through 10 pages of false
> positives, but I'd like to be able to filter out entries using a regex like
> "\w+ device veth\w+ entered promiscuous mode$" -- but the rules files can't
> use the OS_Regex syntax (can only use OS_Match, which is much simpler).
>
> Any options other than filtering out all entries with rule ID 5104?
>
> I *feel* like I should be able to override the iptables decoder... but
> maybe that's me being optimistic.
>
> On Wednesday, January 18, 2017 at 5:00:47 AM UTC-5, Jesus Linares wrote:
>>
>> Hi Daniel,
>>
>> ossec-logtest always shows the name of the parent.
>>
>> If you want to ignore that alert, just create a rule in local_rules.xml:
>>
>> <group name="ignore,">
>>   <!--
>>   Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode
>>   -->
>>   <rule id="100001" level="0">
>>     <if_sid>5104</if_sid>
>>     <description>Ignore rule 5104.</description>
>>   </rule>
>> </group>
>>
>> Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode'
>>        hostname: 'machine_name'
>>        program_name: 'kernel'
>>        log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'kernel'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100001'
>>        Level: '0'
>>        Description: 'Ignore rule 5104.'
>>
>> (I changed the name of the decoder from iptables to kernel).
>>
>> I hope it helps.
>>
>> On Tuesday, January 17, 2017 at 8:58:28 PM UTC+1, Daniel B. wrote:
>>>
>>> We use weave which periodically causes a network interface to enter
>>> promiscuous mode to sniff network traffic. This is expected behavior, and
>>> as such, I'm looking to ignore it.
>>>
>>> For reference, the iptables decoder is set at
>>> https://github.com/ossec/ossec-hids/blob/592d681ea07f9a8bf2bedb039ee9493e6fbe3c26/etc/decoder.xml#L1135
>>>
>>> The log line I'm attempting to ignore looks like:
>>> Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode
>>>
>>> Now, this is inserted into my local_decoder.xml file (with an
>>> appropriate local rule):
>>>
>>> <decoder name="iptables_noweave">
>>>   <parent>iptables</parent>
>>>   <prematch offset="after_parent">device (veth\w+) entered promiscuous mode</prematch>
>>>   <program_name>kernel</program_name>
>>>   <regex offset="after_prematch"></regex>
>>>   <order>extra_data</order>
>>> </decoder>
>>>
>>> I've tried a lot of different variations on the above, including getting
>>> rid of the parent and prematch offsets (while temporarily deleting the
>>> original / parent iptables rule in
>>> etc/ossec_decoders/kernel-iptables_apparmor_decoders.xml).
>>>
>>> Each time I run the log through ./ossec-logtest, it matches to the
>>> parent decoder, and as such an alert is fired.
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode'
>>>        hostname: 'machine_name'
>>>        program_name: 'kernel'
>>>        log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'iptables'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '5104'
>>>        Level: '8'
>>>        Description: 'Interface entered in promiscuous(sniffing) mode.'
>>> **Alert to be generated.
>>>
>>> Is there a way I can override the iptables decoder for this one specific
>>> log message?
>>>
>>> Any help is appreciated, thanks!
>>>
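A way to check offline which kernel messages the suggested level-0 child rule would silence, and which would still raise 5104, before loading it into local_rules.xml. This is an added example, not code from the thread or from OSSEC: it translates the small subset of OS_Regex used here into Python's re (an approximation of OSSEC's matcher, not its real implementation) and models OS_Match so the <match> alternative Jesus mentions can be compared; the sample log lines are constructed from the one in the thread.

```python
import re

# Approximate translation of OSSEC OS_Regex tokens to Python re (assumption, not OSSEC code).
# OS_Regex quirks: \w also covers '@' and '-', '\.' means ANY character, a bare '.' is literal.
_OS_REGEX_TOKENS = {
    r"\w": r"[A-Za-z0-9@_-]", r"\W": r"[^A-Za-z0-9@_-]", r"\d": r"[0-9]", r"\D": r"[^0-9]",
    r"\s": r" ", r"\S": r"[^ ]", r"\.": r".", r"\t": r"\t",
    r"\p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
}

def os_regex_to_python(pattern):
    """Translate an OS_Regex <regex> pattern into an equivalent Python pattern."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i:i + 2] in _OS_REGEX_TOKENS:       # character-class shorthand (\w, \S, ...)
            out.append(_OS_REGEX_TOKENS[pattern[i:i + 2]]); i += 2
        elif pattern[i] in "+*^$()|":                  # OS_Regex metacharacters, same meaning in re
            out.append(pattern[i]); i += 1
        else:                                          # anything else is literal (incl. bare '.')
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)

def os_regex_search(pattern, text):
    """Unanchored search: a rule's <regex> is tested against the decoded log field (assumption)."""
    return re.search(os_regex_to_python(pattern), text) is not None

def os_match(pattern, text):
    """OS_Match (<match>): plain substring test with optional ^/$ anchors and '|' alternation."""
    for alt in pattern.split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        body = alt[int(head):len(alt) - int(tail)]
        if (text == body if head and tail else text.startswith(body) if head
                else text.endswith(body) if tail else body in text):
            return True
    return False

RULE_100001_REGEX = r"device veth\S+ entered promiscuous mode"   # the <regex> from rule 100001 above

# Constructed 'log' fields (what pre-decoding leaves after 'kernel:'), modelled on the thread's line.
SAMPLE_LOGS = [
    "[347956.184868] device veth9c8da7ba entered promiscuous mode",  # weave veth: should be silenced
    "[347971.002113] device eth0 entered promiscuous mode",          # physical NIC: must still alert
    "[348010.773421] device vethab12cd34 left promiscuous mode",     # different event text
]

def silenced_by_ignore_rule(logs, os_regex=RULE_100001_REGEX):
    """Return the lines the level-0 child rule would swallow; everything else keeps firing 5104."""
    return [line for line in logs if os_regex_search(os_regex, line)]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print("ignored" if line in silenced_by_ignore_rule(SAMPLE_LOGS) else "ALERT  ", line)
```

Only the weave veth line is swallowed; eth0 entering promiscuous mode still alerts, which is the point of narrowing the child rule with a regex instead of muting sid 5104 outright.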