[ossec-list] Re: local_decoder.xml -- can't override (ignore) parent decoder

2017-01-18 Thread Jesus Linares
Hi Daniel,

you are right, I forgot to add a regex to the rule. It could be something 
like:

<group name="local,syslog,">
  <!-- tags reconstructed: the archive stripped them; the group name and rule id are placeholders -->
  <rule id="100100" level="0">
    <if_sid>5104</if_sid>
    <regex>device veth\S+ entered promiscuous mode</regex>
    <description>Ignore rule 5104 for weave.</description>
  </rule>
</group>


Adapt the regex to the logs generated by weave. Also, you can use <match>.


Let me know if it works ;).
Regards.


On Wednesday, January 18, 2017 at 6:11:38 PM UTC+1, Daniel B. wrote:
>
> Jesus, thanks for the response. I'm aware of ossec-logtest always showing 
> the name of the parent (which confused me until I RTFM). Using 
> `ossec-logtest -v` I was able to verify that the decoder was not being hit 
> as the rule for that was not being caught. 
>
> I did consider inserting an entry into local_rules.xml, but that would 
> ignore *all* alerts with sid 5104 (and not just the ones raised by 
> weave). I suppose it's better than digging through 10 pages of false 
> positives, but I'd like to be able to filter out entries using a regex like 
> "\w+ device veth\w+ entered promiscuous mode$" -- but the rules files can't 
> use the OS_Regex syntax (can only use OS_Match, which is much simpler). 
>
> Any options other than filtering out all entries with rule ID 5104?
>
> I *feel* like I should be able to override the iptables decoder... but 
> maybe that's me being optimistic. 
>
> On Wednesday, January 18, 2017 at 5:00:47 AM UTC-5, Jesus Linares wrote:
>>
>> Hi Daniel,
>>
>> ossec-logtest always shows the name of the parent.
>>
>> If you want to ignore that alert, just create a rule in local_rules.xml:
>>
>> <group name="local,syslog,">
>>   <!-- tags reconstructed: the archive stripped them; the group name is a placeholder, id 11 is the one the logtest output below reports -->
>>   <rule id="11" level="0">
>>     <if_sid>5104</if_sid>
>>     <description>Ignore rule 5104.</description>
>>   </rule>
>> </group>
>>
>> Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba 
>> entered promiscuous mode
>>
>>
>>
>>
>> **Phase 1: Completed pre-decoding.
>>full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] 
>> device veth9c8da7ba entered promiscuous mode'
>>hostname: 'machine_name'
>>program_name: 'kernel'
>>log: '[347956.184868] device veth9c8da7ba entered promiscuous 
>> mode'
>>
>>
>> **Phase 2: Completed decoding.
>>decoder: 'kernel'
>>
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '11'
>>Level: '0'
>>Description: 'Ignore rule 5104.'
>>
>> (I changed the name of the decoder from iptables to kernel).
>>
>> I hope it helps.
>>
>> On Tuesday, January 17, 2017 at 8:58:28 PM UTC+1, Daniel B. wrote:
>>>
>>> We use weave which periodically causes a network interface to enter 
>>> promiscuous mode to sniff network traffic. This is expected behavior, and 
>>> as such, I'm looking to ignore it. 
>>>
>>> For reference, the iptables decoder is set at 
>>> https://github.com/ossec/ossec-hids/blob/592d681ea07f9a8bf2bedb039ee9493e6fbe3c26/etc/decoder.xml#L1135
>>>
>>> The log line I'm attempting to ignore looks like: 
>>> Jan 16 20:46:57 machine_name kernel: [347956.184868] device 
>>> veth9c8da7ba entered promiscuous mode
>>>
>>> Now, this is inserted into my local_decoder.xml file (with an 
>>> appropriate local rule):
>>>
>>>
>>> 
>>>   iptables
>>>   device (veth\w+) entered promiscuous 
>>> mode
>>>   kernel
>>>   
>>>   extra_data
>>> 
>>>
>>>
>>> I've tried a lot of different variations on the above, including getting 
>>> rid of the parent and prematch offsets (while temporarily deleting the 
>>> original / parent iptables rule in 
>>> etc/ossec_decoders/kernel-iptables_apparmor_decoders.xml
>>>
>>>
>>> Each time I run the log through ./ossec-logtest, it matches to the 
>>> parent decoder, and as such an alert is fired.
>>>
>>> **Phase 1: Completed pre-decoding.
>>>full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] 
>>> device veth9c8da7ba entered promiscuous mode'
>>>hostname: 'machine_name'
>>>program_name: 'kernel'
>>>log: '[347956.184868] device veth9c8da7ba entered promiscuous 
>>> mode'
>>>
>>> **Phase 2: Completed decoding.
>>>decoder: 'iptables'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>Rule id: '5104'
>>>Level: '8'
>>>Description: 'Interface entered in promiscuous(sniffing) mode.'
>>> **Alert to be generated.
>>>  
>>>
>>> Is there a way I can override the iptables decoder for this one specific 
>>> log message? 
>>>
>>> Any help is appreciated, thanks!
>>>
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: local_decoder.xml -- can't override (ignore) parent decoder

2017-01-18 Thread Daniel B.
Jesus, thanks for the response. I'm aware of ossec-logtest always showing 
the name of the parent (which confused me until I RTFM). Using 
`ossec-logtest -v` I was able to verify that the decoder was not being hit 
as the rule for that was not being caught. 

I did consider inserting an entry into local_rules.xml, but that would 
ignore *all* alerts with sid 5104 (and not just the ones raised by weave). 
I suppose it's better than digging through 10 pages of false positives, but 
I'd like to be able to filter out entries using a regex like "\w+ device 
veth\w+ entered promiscuous mode$" -- but the rules files can't use the 
OS_Regex syntax (can only use OS_Match, which is much simpler). 

Any options other than filtering out all entries with rule ID 5104?

I *feel* like I should be able to override the iptables decoder... but 
maybe that's me being optimistic. 

On Wednesday, January 18, 2017 at 5:00:47 AM UTC-5, Jesus Linares wrote:
>
> Hi Daniel,
>
> ossec-logtest always shows the name of the parent.
>
> If you want to ignore that alert, just create a rule in local_rules.xml:
>
> <group name="local,syslog,">
>   <!-- tags reconstructed: the archive stripped them; the group name is a placeholder, id 11 is the one the logtest output below reports -->
>   <rule id="11" level="0">
>     <if_sid>5104</if_sid>
>     <description>Ignore rule 5104.</description>
>   </rule>
> </group>
>
> Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba 
> entered promiscuous mode
>
>
>
>
> **Phase 1: Completed pre-decoding.
>full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] 
> device veth9c8da7ba entered promiscuous mode'
>hostname: 'machine_name'
>program_name: 'kernel'
>log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'
>
>
> **Phase 2: Completed decoding.
>decoder: 'kernel'
>
>
> **Phase 3: Completed filtering (rules).
>Rule id: '11'
>Level: '0'
>Description: 'Ignore rule 5104.'
>
> (I changed the name of the decoder from iptables to kernel).
>
> I hope it helps.
>
> On Tuesday, January 17, 2017 at 8:58:28 PM UTC+1, Daniel B. wrote:
>>
>> We use weave which periodically causes a network interface to enter 
>> promiscuous mode to sniff network traffic. This is expected behavior, and 
>> as such, I'm looking to ignore it. 
>>
>> For reference, the iptables decoder is set at 
>> https://github.com/ossec/ossec-hids/blob/592d681ea07f9a8bf2bedb039ee9493e6fbe3c26/etc/decoder.xml#L1135
>>
>> The log line I'm attempting to ignore looks like: 
>> Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba 
>> entered promiscuous mode
>>
>> Now, this is inserted into my local_decoder.xml file (with an appropriate 
>> local rule):
>>
>>
>> 
>>   iptables
>>   device (veth\w+) entered promiscuous 
>> mode
>>   kernel
>>   
>>   extra_data
>> 
>>
>>
>> I've tried a lot of different variations on the above, including getting 
>> rid of the parent and prematch offsets (while temporarily deleting the 
>> original / parent iptables rule in 
>> etc/ossec_decoders/kernel-iptables_apparmor_decoders.xml
>>
>>
>> Each time I run the log through ./ossec-logtest, it matches to the parent 
>> decoder, and as such an alert is fired.
>>
>> **Phase 1: Completed pre-decoding.
>>full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] 
>> device veth9c8da7ba entered promiscuous mode'
>>hostname: 'machine_name'
>>program_name: 'kernel'
>>log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'
>>
>> **Phase 2: Completed decoding.
>>decoder: 'iptables'
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '5104'
>>Level: '8'
>>Description: 'Interface entered in promiscuous(sniffing) mode.'
>> **Alert to be generated.
>>  
>>
>> Is there a way I can override the iptables decoder for this one specific 
>> log message? 
>>
>> Any help is appreciated, thanks!
>>
>



[ossec-list] Re: local_decoder.xml -- can't override (ignore) parent decoder

2017-01-18 Thread Jesus Linares
Hi Daniel,

ossec-logtest always shows the name of the parent.

If you want to ignore that alert, just create a rule in local_rules.xml:

<group name="local,syslog,">
  <!-- tags reconstructed: the archive stripped them; the group name is a placeholder, id 11 is the one the logtest output below reports -->
  <rule id="11" level="0">
    <if_sid>5104</if_sid>
    <description>Ignore rule 5104.</description>
  </rule>
</group>


Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba 
entered promiscuous mode




**Phase 1: Completed pre-decoding.
   full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] 
device veth9c8da7ba entered promiscuous mode'
   hostname: 'machine_name'
   program_name: 'kernel'
   log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'


**Phase 2: Completed decoding.
   decoder: 'kernel'


**Phase 3: Completed filtering (rules).
   Rule id: '11'
   Level: '0'
   Description: 'Ignore rule 5104.'

(I changed the name of the decoder from iptables to kernel).

I hope it helps.

On Tuesday, January 17, 2017 at 8:58:28 PM UTC+1, Daniel B. wrote:
>
> We use weave which periodically causes a network interface to enter 
> promiscuous mode to sniff network traffic. This is expected behavior, and 
> as such, I'm looking to ignore it. 
>
> For reference, the iptables decoder is set at 
> https://github.com/ossec/ossec-hids/blob/592d681ea07f9a8bf2bedb039ee9493e6fbe3c26/etc/decoder.xml#L1135
>
> The log line I'm attempting to ignore looks like: 
> Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba 
> entered promiscuous mode
>
> Now, this is inserted into my local_decoder.xml file (with an appropriate 
> local rule):
>
>
> 
>   iptables
>   device (veth\w+) entered promiscuous 
> mode
>   kernel
>   
>   extra_data
> 
>
>
> I've tried a lot of different variations on the above, including getting 
> rid of the parent and prematch offsets (while temporarily deleting the 
> original / parent iptables rule in 
> etc/ossec_decoders/kernel-iptables_apparmor_decoders.xml
>
>
> Each time I run the log through ./ossec-logtest, it matches to the parent 
> decoder, and as such an alert is fired.
>
> **Phase 1: Completed pre-decoding.
>full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] 
> device veth9c8da7ba entered promiscuous mode'
>hostname: 'machine_name'
>program_name: 'kernel'
>log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'
>
> **Phase 2: Completed decoding.
>decoder: 'iptables'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '5104'
>Level: '8'
>Description: 'Interface entered in promiscuous(sniffing) mode.'
> **Alert to be generated.
>  
>
> Is there a way I can override the iptables decoder for this one specific 
> log message? 
>
> Any help is appreciated, thanks!
>

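The mechanism Jesus describes in both of his replies (a level-0 child rule with <if_sid>5104</if_sid>, narrowed by <regex> so that only weave's veth interfaces are silenced while any other interface going promiscuous still alerts at level 8) can be checked with a small stand-alone model before the rule goes into production. The following is an added example, not code from OSSEC or from anyone in this thread: it parses a constructed local_rules.xml fragment and mimics the parent-then-child rule order that ossec-logtest's Phase 3 reports. The rule id 100100, the group name, the sample log lines other than the veth one quoted in the thread, and the use of Python's re module as a stand-in for OS_Regex are all assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment in the shape the thread ends on:
# a level-0 child of 5104 whose <regex> only matches weave's veth interfaces.
# Rule id 100100 and the group name are placeholders chosen for this example.
LOCAL_RULES = r"""
<group name="local,syslog,">
  <rule id="100100" level="0">
    <if_sid>5104</if_sid>
    <regex>device veth\S+ entered promiscuous mode</regex>
    <description>Ignore rule 5104 for weave.</description>
  </rule>
</group>
"""

# Stand-in for stock rule 5104 as ossec-logtest reports it in the thread
# (level 8, "Interface entered in promiscuous(sniffing) mode."). Only the
# substring it keys on is modelled here; the real rule is more involved.
PARENT_RULES = {
    5104: {
        "level": 8,
        "match": "promiscuous mode",
        "description": "Interface entered in promiscuous(sniffing) mode.",
    },
}


def load_child_rules(xml_text):
    """Parse <rule> elements and index them by the parent sid in <if_sid>."""
    children = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        sid = int(rule.findtext("if_sid"))
        children.setdefault(sid, []).append({
            "id": int(rule.get("id")),
            "level": int(rule.get("level")),
            # Assumption: Python's re is a close enough stand-in for OS_Regex
            # on a pattern that only uses \S+ and literal text.
            "regex": re.compile(rule.findtext("regex")),
            "description": rule.findtext("description"),
        })
    return children


def evaluate(log, children):
    """Return (rule_id, level, description) for the log body, or None.

    Mirrors the order ossec-logtest's Phase 3 reports: the parent matches
    first, then its children are tried and the first matching child wins,
    so a level-0 child silences the alert for exactly the lines it matches
    and nothing else.
    """
    for sid, parent in PARENT_RULES.items():
        if parent["match"] not in log:
            continue
        for child in children.get(sid, []):
            if child["regex"].search(log):
                return child["id"], child["level"], child["description"]
        return sid, parent["level"], parent["description"]
    return None


if __name__ == "__main__":
    rules = load_child_rules(LOCAL_RULES)
    samples = [
        # the weave line from the thread: should be silenced
        "[347956.184868] device veth9c8da7ba entered promiscuous mode",
        # constructed: a physical interface going promiscuous must still alert
        "[347960.000000] device eth0 entered promiscuous mode",
        # constructed: unrelated kernel line, no rule involved
        "[347961.000000] device eth0 entered forwarding state",
    ]
    for line in samples:
        print(f"{line!r} -> {evaluate(line, rules)}")
```

Running it, the veth line comes back as rule 100100 at level 0 and the constructed eth0 line still lands on 5104 at level 8. That second case is the check worth keeping: a suppression rule that drops the <regex> (or uses one as loose as "promiscuous mode") would silence both, which is the over-broad outcome Daniel was trying to avoid.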