Hi Daniel,

you are right, I forgot to add a regex to the rule. It could be something 
like:

<group name="ignore,">

  <!--
  Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode
  -->
  <rule id="100001" level="0">
    <if_sid>5104</if_sid>
    <regex>device veth\S+ entered promiscuous mode</regex>
    <description>Ignore rule 5104 for weave.</description>
  </rule>

</group>

Adapt the regex to the logs generated by weave. Also, you can use *<match>*.


Let me know if it works ;).
Regards.
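To make the two-step match in the proposed rule concrete, here is an added illustration (not from the thread or from OSSEC itself) that walks the quoted log line and two constructed lines through a parent rule 5104, then through child rule 100001 selected via `if_sid`. The parent's match text and the syslog pre-decoding are assumptions standing in for OSSEC's real rule body and engine; the OS_Regex `\S+` is translated by hand to Python `re`.

```python
import re

# Log lines: the first is the weave line quoted in the thread, the other two are
# constructed to show that the ignore rule stays narrow.
SAMPLE_LOGS = [
    "Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode",
    "Jan 16 20:47:12 machine_name kernel: [347971.001122] device eth0 entered promiscuous mode",
    "Jan 16 20:47:30 machine_name kernel: [347989.555555] device veth9c8da7ba left promiscuous mode",
]

# Parent rule 5104 as described in the thread (level 8). The match text is an
# assumption standing in for the real rule body.
PARENT_RULE = {"id": "5104", "level": 8, "match": "entered promiscuous mode",
               "description": "Interface entered in promiscuous(sniffing) mode."}

# Child rule 100001 from the reply above. OS_Regex `\S+` (any non-space run)
# is translated by hand to the Python equivalent; OSSEC's engine is not rebuilt.
CHILD_RULE = {"id": "100001", "level": 0, "if_sid": "5104",
              "regex": re.compile(r"device veth\S+ entered promiscuous mode"),
              "description": "Ignore rule 5104 for weave."}


def pre_decode(line):
    """Phase 1 stand-in: split the syslog header into hostname, program_name, log."""
    m = re.match(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) (\w+): (.*)$", line)
    return {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}


def evaluate(line):
    """Phase 3 stand-in: parent rule first, then the child overrides via if_sid."""
    ev = pre_decode(line)
    if ev["program_name"] != "kernel" or PARENT_RULE["match"] not in ev["log"]:
        return None  # neither rule fires
    hit = PARENT_RULE
    if CHILD_RULE["if_sid"] == hit["id"] and CHILD_RULE["regex"].search(ev["log"]):
        hit = CHILD_RULE  # veth interface: downgraded to level 0, no alert
    return {"rule_id": hit["id"], "level": hit["level"], "alert": hit["level"] > 0}


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(evaluate(log))
```

The eth0 line still reaches level 8, so the ignore rule suppresses only the weave veth interfaces and not a physical interface being put into promiscuous mode.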


On Wednesday, January 18, 2017 at 6:11:38 PM UTC+1, Daniel B. wrote:
>
> Jesus, thanks for the response. I'm aware of ossec-logtest always showing 
> the name of the parent (which confused me until I RTFM). Using 
> `ossec-logtest -v` I was able to verify that the decoder was not being hit 
> as the rule for that was not being caught. 
>
> I did consider inserting an entry into local_rules.xml, but that would 
> ignore *all* alerts with sid 5104 (and not just the ones raised by 
> weave). I suppose it's better than digging through 10 pages of false 
> positives, but I'd like to be able to filter out entries using a regex like 
> "\w+ device veth\w+ entered promiscuous mode$" -- but the rules files can't 
> use the OS_Regex syntax (can only use OS_Match, which is much simpler). 
>
> Any options other than filtering out all entries with rule ID 5104?
>
> I *feel* like I should be able to override the iptables decoder... but 
> maybe that's me being optimistic. 
>
> On Wednesday, January 18, 2017 at 5:00:47 AM UTC-5, Jesus Linares wrote:
>>
>> Hi Daniel,
>>
>> ossec-logtest always shows the name of the parent.
>>
>> If you want to ignore that alert, just create a rule in local_rules.xml:
>>
>> <group name="ignore,">
>>
>>
>>   <!--
>>   Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode
>>   -->
>>   <rule id="100001" level="0">
>>     <if_sid>5104</if_sid>
>>     <description>Ignore rule 5104.</description>
>>   </rule>
>>
>>
>> </group>
>>
>> Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode'
>>        hostname: 'machine_name'
>>        program_name: 'kernel'
>>        log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'
>>
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'kernel'
>>
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100001'
>>        Level: '0'
>>        Description: 'Ignore rule 5104.'
>>
>> (I changed the name of the decoder from iptables to kernel).
>>
>> I hope it helps.
>>
>> On Tuesday, January 17, 2017 at 8:58:28 PM UTC+1, Daniel B. wrote:
>>>
>>> We use weave which periodically causes a network interface to enter 
>>> promiscuous mode to sniff network traffic. This is expected behavior, and 
>>> as such, I'm looking to ignore it. 
>>>
>>> For reference, the iptables decoder is set at 
>>> https://github.com/ossec/ossec-hids/blob/592d681ea07f9a8bf2bedb039ee9493e6fbe3c26/etc/decoder.xml#L1135
>>>
>>> The log line I'm attempting to ignore looks like: 
>>> Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode
>>>
>>> Now, this is inserted into my local_decoder.xml file (with an 
>>> appropriate local rule):
>>>
>>>
>>> <decoder name="iptables_noweave">
>>>   <parent>iptables</parent>
>>>   <prematch offset="after_parent">device (veth\w+) entered promiscuous mode</prematch>
>>>   <program_name>kernel</program_name>
>>>   <regex offset="after_prematch"></regex>
>>>   <order>extra_data</order>
>>> </decoder>
>>>
>>>
>>> I've tried a lot of different variations on the above, including getting 
>>> rid of the parent and prematch offsets (while temporarily deleting the 
>>> original / parent iptables rule in 
>>> etc/ossec_decoders/kernel-iptables_apparmor_decoders.xml).
>>>
>>>
>>> Each time I run the log through ./ossec-logtest, it matches to the 
>>> parent decoder, and as such an alert is fired.
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode'
>>>        hostname: 'machine_name'
>>>        program_name: 'kernel'
>>>        log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'iptables'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '5104'
>>>        Level: '8'
>>>        Description: 'Interface entered in promiscuous(sniffing) mode.'
>>> **Alert to be generated.
>>>
>>>
>>> Is there a way I can override the iptables decoder for this one specific 
>>> log message? 
>>>
>>> Any help is appreciated, thanks!
>>>
>>
