Hello,
I'm experimenting with ossec-hids-1.0 and am currently trying to
reduce some false positives.
So I put this into the local_rules.xml file
<rule id="109010" level="0">
<if_sid>1002</if_sid>
<program_name>foo</program_name>
<regex>[15][*][warning] authorization denied for host: x.x.x.x ()$|</regex>
<regex>[15][*][warning] authorization denied for host: y.y.y.y ()$</regex>
<description>foo events ignored</description>
</rule>
Where I specifically want to ignore those warnings from hosts x.x.x.x and y.y.y.y. But I still get
Received From: host->/var/log/messages
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Feb 9 10:26:15 host foo[6895]: [15][*][warning] authorization denied for host: y.y.y.y ()
A note in the list archives says that 1.0 matches <regex> against
whatever "starts after [the process name]." Which is what I think
I'm doing above.
What am I doing wrong?
(Pls. CC: me in any reply - I am not subscribed to the list)
-dean takemori
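As an added example (not part of the post above, nor OSSEC's own code), a small Python approximation of OSSEC's rule regex syntax, covering only the metacharacters `* + ( ) | ^ $`, backslash escapes for literals and the `\w`-style classes; it runs the posted pattern and a variant with `*`, `(` and `)` escaped against the message portion of the posted log line. The OSSEC semantics it encodes (a bare `*` is a quantifier, `\*` a literal star, `\.` any character, repeated `<regex>` elements concatenated) are assumptions of this example.

```python
import re

# OSSEC regex classes mapped onto Python re (approximation for this example).
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",
    "d": r"[0-9]",
    "s": r" ",
    "t": r"\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",
    "W": r"[^A-Za-z0-9@_\-]",
    "D": r"[^0-9]",
    "S": r"[^ ]",
    ".": r".",  # in OSSEC "\." means any character; a bare "." is a literal dot
}

def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC-style pattern into a Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # "\w" etc. become classes; "\*", "\(" etc. become literals
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        if c in "*+()|^$":
            out.append(c)            # metacharacter, same meaning in Python re
        else:
            out.append(re.escape(c))  # everything else ("[" and "." included) is literal
        i += 1
    return "".join(out)

def ossec_regex_match(pattern: str, text: str) -> bool:
    return re.search(ossec_to_python(pattern), text) is not None

# Constructed from the posted log line: the text after "foo[6895]: ", which is
# assumed to be what OSSEC hands to <regex> once the syslog header is stripped.
SAMPLE_MESSAGE = "[15][*][warning] authorization denied for host: y.y.y.y ()"

# Assumption: OSSEC concatenates repeated <regex> elements, so the two elements
# in the post form one alternation (the trailing "|" of the first joins them).
POSTED_REGEX = ("[15][*][warning] authorization denied for host: x.x.x.x ()$|"
                "[15][*][warning] authorization denied for host: y.y.y.y ()$")

# Same pattern with the OSSEC metacharacters "*", "(" and ")" escaped.
ESCAPED_REGEX = ("[15][\\*][warning] authorization denied for host: x.x.x.x \\(\\)$|"
                 "[15][\\*][warning] authorization denied for host: y.y.y.y \\(\\)$")

if __name__ == "__main__":
    print("posted pattern matches: ", ossec_regex_match(POSTED_REGEX, SAMPLE_MESSAGE))
    print("escaped pattern matches:", ossec_regex_match(ESCAPED_REGEX, SAMPLE_MESSAGE))
```

Under this approximation the unescaped `[*]` is read as "zero or more `[` followed by `]`", so the posted pattern never matches, while the escaped form matches only the two listed hosts.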