Re: [ossec-list] local_decoder.xml -- can't override (ignore) parent decoder

2017-01-19 Thread dan (ddp)
On Tue, Jan 17, 2017 at 2:53 PM, Daniel B.  wrote:
> We use weave which periodically causes a network interface to enter
> promiscuous mode to sniff network traffic. This is expected behavior, and as
> such, I'm looking to ignore it.
>
> For reference, the iptables decoder is set at
> https://github.com/ossec/ossec-hids/blob/592d681ea07f9a8bf2bedb039ee9493e6fbe3c26/etc/decoder.xml#L1135
>
> The log line I'm attempting to ignore looks like:
> Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba
> entered promiscuous mode
>
> Now, this is inserted into my local_decoder.xml file (with an appropriate
> local rule):
>
>
> 
>   iptables
>   device (veth\w+) entered promiscuous
> mode
>   kernel
>   
>   extra_data
> 
>

I know this is solved, but here's a decoder to do what the above is
attempting to do (I'm not sure about regex in the prematch field):

  iptables
  promiscuous mode$
  device (\S+) entered
  extra_data



>
> I've tried a lot of different variations on the above, including getting rid
> of the parent and prematch offsets (while temporarily deleting the original
> / parent iptables rule in
> etc/ossec_decoders/kernel-iptables_apparmor_decoders.xml).
>
>
> Each time I run the log through ./ossec-logtest, it matches to the parent
> decoder, and as such an alert is fired.
>
> **Phase 1: Completed pre-decoding.
>full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868]
> device veth9c8da7ba entered promiscuous mode'
>hostname: 'machine_name'
>program_name: 'kernel'
>log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'
>
> **Phase 2: Completed decoding.
>decoder: 'iptables'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '5104'
>Level: '8'
>Description: 'Interface entered in promiscuous(sniffing) mode.'
> **Alert to be generated.
>
>
> Is there a way I can override the iptables decoder for this one specific log
> message?
>
> Any help is appreciated, thanks!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

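Rather than overriding the stock decoder, the usual OSSEC way to silence one expected variant of a log is a local rule that is a child of the rule that alerts on it. This added example (not from either poster) suppresses rule 5104 only for weave's veth interfaces, so a physical interface entering promiscuous mode still alerts; the rule id 100100 and the group name are assumptions.

```xml
<!-- local_rules.xml: silence rule 5104 only for weave's veth* interfaces.
     Added example, not from either poster; rule id 100100 is an assumption
     (local rule ids belong in the 100000-119999 range). -->
<group name="local,syslog,">

  <!-- Child of the stock "promiscuous mode" rule 5104: when the decoded
       iptables/kernel log names an interface starting with "veth", this
       rule matches instead of 5104. Level 0 means "matched, no alert". -->
  <rule id="100100" level="0">
    <if_sid>5104</if_sid>
    <regex>device veth\w+ entered promiscuous mode</regex>
    <description>Weave veth interface entered promiscuous mode (expected).</description>
  </rule>

</group>
```

Feed the same line to ./ossec-logtest: Phase 3 should now report rule 100100 at level 0 with no alert, while a line naming eth0 still ends at rule 5104.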


[ossec-list] local_decoder.xml -- can't override (ignore) parent decoder

2017-01-17 Thread Daniel B.
We use weave which periodically causes a network interface to enter 
promiscuous mode to sniff network traffic. This is expected behavior, and 
as such, I'm looking to ignore it. 

For reference, the iptables decoder is set at
https://github.com/ossec/ossec-hids/blob/592d681ea07f9a8bf2bedb039ee9493e6fbe3c26/etc/decoder.xml#L1135

The log line I'm attempting to ignore looks like: 
Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba 
entered promiscuous mode

Now, this is inserted into my local_decoder.xml file (with an appropriate 
local rule):



  iptables
  device (veth\w+) entered promiscuous 
mode
  kernel
  
  extra_data



I've tried a lot of different variations on the above, including getting 
rid of the parent and prematch offsets (while temporarily deleting the 
original / parent iptables rule in 
etc/ossec_decoders/kernel-iptables_apparmor_decoders.xml).


Each time I run the log through ./ossec-logtest, it matches to the parent 
decoder, and as such an alert is fired.

**Phase 1: Completed pre-decoding.
   full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] 
device veth9c8da7ba entered promiscuous mode'
   hostname: 'machine_name'
   program_name: 'kernel'
   log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'

**Phase 2: Completed decoding.
   decoder: 'iptables'

**Phase 3: Completed filtering (rules).
   Rule id: '5104'
   Level: '8'
   Description: 'Interface entered in promiscuous(sniffing) mode.'
**Alert to be generated.
 

Is there a way I can override the iptables decoder for this one specific 
log message? 

Any help is appreciated, thanks!
