RE: [ossec-list] Can't filter rule by IP

2016-02-19 Thread lostinthetubez
It is also worth noting that you may possibly be misunderstanding how <match> 
works. Match operates off of literal matches within the contents of the log, 
not the metadata of where the log came from. So if the string “ip_address” 
doesn’t appear in the Windows error event log, there isn’t going to be a match 
against any of your rules. You may or may not have better luck using 
, if the intent is to filter by the origin of the log information.

It is also bad to filter by an aggregate rule, like 18154. Your second method, 
using SID 1803 is more desirable (bearing in mind the issues noted by Jesus and 
the issue noted above). The reason for this is there is no guarantee that all 
of the log entries in the 18154 alert actually come from the same agent.  If 
lots of your servers are under attack and they all start throwing errors, one 
match on the IP address in a 18154 alert may filter out errors that have been 
grouped together from several machines. You should generally avoid filtering by 
alerts that say “multiple things happened” to avoid false negatives.

 

You might try something along the lines of this. I’d recommend including a 
 tag to filter out the particular error messages you think are too 
noisy, as there can be some valuable information in Windows error logs.


  18103
  whatever
  Filter out all error events from host whatever


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com 
<mailto:ossec-list+unsubscr...@googlegroups.com> .
For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

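A cleaned-up form of the approach recommended above, written here as an added example (it is neither the poster's rule nor part of OSSEC's shipped ruleset). It relies on `<hostname>`, which OSSEC compares against the event's host name (for agent-forwarded logs, the agent name) rather than the log body, so it is not affected by the `<match>` problem described above. The rule ids 100100 to 100102 and the host name `whatever` are assumed placeholders; 18103 and 18154 are the rule ids from the thread.

```xml
<!-- local_rules.xml: added example rules, not the thread's own -->
<group name="local,">

  <!-- Problematic: filtering the aggregate rule. 18154 fires once for a burst
       of 18103 events that may have come from several agents; dropping it
       because the triggering event came from host "whatever" also hides the
       events from the other hosts grouped into the same alert. -->
  <rule id="100100" level="0">
    <if_sid>18154</if_sid>
    <hostname>whatever</hostname>
    <description>Not recommended: silences grouped events from other hosts too</description>
  </rule>

  <!-- Preferred: drop the individual 18103 events from the noisy host. The
       event is then recorded under rule 100101 rather than 18103, so it should
       not be counted toward 18154's frequency either. -->
  <rule id="100101" level="0">
    <if_sid>18103</if_sid>
    <hostname>whatever</hostname>
    <description>Filter out all error events from host whatever</description>
  </rule>

  <!-- Variant: keep logging the events from that host but stop the e-mail.
       Note the option is spelled no_email_alert (singular) in OSSEC. The level
       is an assumed value; use whatever level you want the alert kept at. -->
  <rule id="100102" level="5">
    <if_sid>18103</if_sid>
    <hostname>whatever</hostname>
    <options>no_email_alert</options>
    <description>Windows error event from host whatever (no e-mail)</description>
  </rule>

</group>
```

Keep only one of 100101 and 100102 for a given host; both are children of 18103 and the first matching child wins.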

Re: [ossec-list] Can't filter rule by IP

2016-02-19 Thread Jesus Linares
Hi, I agree with Dan. Anyway, why are you using "composite rules", I mean 
with timeframe, frequency, etc. If you want to ignore some hosts you 
should use if_sid instead of if_matched_sid.

Regards.
Jesus Linares.



Re: [ossec-list] Can't filter rule by IP

2016-02-18 Thread dan (ddp)

I think multiple matches not separated by a "|" will be ANDed together. Try
it with 1 match option.
Also, providing a log sample helps us test, and makes helping a lot easier.



[ossec-list] Can't filter rule by IP

2016-02-18 Thread Jane Doe
Hey guys! 

I'm trying to filter rule 18154 by not sending email alerts for certain 
hosts. I've tried several ways to filter this in the local_rules.xml file.

1)

6  


  
18103
 ip_address//I've also replaced this with srcip
 ip_address//I've also replaced this with srcip
 no_email_alerts
Multiple Windows error events.
  


2) I've created my own rule

6  


  
18103
 ip_address//I've also replaced this with srcip
 ip_address//I've also replaced this with srcip
Multiple Windows error events.
  


3)


  
18154
 ip_address//I've also replaced this with srcip
 ip_address//I've also replaced this with srcip
Multiple Windows error events.
  



Does the group name matter? Do I need to decode srcip? I have the general 
idea on how to filter rules in general for all hosts, but I can't seem to 
get it to work for specific hosts.

Thanks!
