Hi Kayvan,

Whenever you want to use regexes, you need the regex tag. The "match" is
only for simple pattern matching. Secondly, the "match" and "regex" tags
only look at the log message, not at the process name or the syslog header.
Basically, you have 4 tags:

hostname - (look at the syslog header hostname). It would match "server" for
the log you posted.

program_name - (look for the process name). It would match "smbd" for the
log you posted.

match, regex - (look at the log message). They would only look at
"Denied connection from  (0.0.0.0)" for your log.

So, a rule for your case would be:

<rule id="100070" level="0">
  <if_sid>1002</if_sid>
  <match>^Denied connection from</match>
  <description>Ignoring smbd denied connection from</description>
</rule>

You could also use the <program_name>smbd</program_name> to be
more accurate. The following links can help:

http://www.ossec.net/en/manual.html#rules
http://www.ossec.net/wiki/index.php/FAQ

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


Feb 16 09:52:21 server smbd[14947]:   Denied connection from  (0.0.0.0)

On 2/16/07, Kayvan A. Sylvan <[EMAIL PROTECTED]> wrote:

On Fri, Feb 16, 2007 at 01:30:13PM -0500, Mark Haney wrote:
>
> Kayvan A. Sylvan wrote:
> >Okay, following up on ignoring certain alerts:
> >Part of my local_rules.xml is:
> > <rule id="100070" level="0">
> >    <if_sid>1002</if_sid>
> >    <match>smbd\.*   Denied connection from  (0.0.0.0)</match>
> >    <description>Ignoring smbd denied connection from</description>
> >  </rule>
>
> First guess, the <match> should be <regex> instead.  <match> will
> exactly match what it has in the rule and by this the log doesn't match.

Okay. Thanks.

Is there documentation on what tags can be put in the xml file?

                        ---Kayvan
--
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)
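The distinction above (hostname and program_name come from the syslog header, match and regex see only the decoded message) is easiest to see with a small simulation. This is an added example, not OSSEC code: the decoder and rule evaluator are assumptions that mimic the behaviour described in the thread, and Python's re stands in for OSSEC's own regex dialect.

```python
import re

# Constructed sample: the line discussed in the thread.
LOG = "Feb 16 09:52:21 server smbd[14947]:   Denied connection from  (0.0.0.0)"

# Minimal syslog decoder (assumption): header -> hostname, program_name, message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[:]+)(?:\[\d+\])?:\s*(?P<log>.*)$"
)

def decode(line):
    """Split a syslog line into the fields the rule tags see.
    Leading whitespace is dropped from the message (assumption, consistent with
    the thread's ^Denied rule matching this line)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"hostname": m["hostname"],
            "program_name": m["program_name"],
            "log": m["log"].strip()}

def rule_matches(rule, fields):
    """Evaluate the four tags from the thread. hostname/program_name inspect the
    header; match/regex inspect only the decoded message. Simulation only."""
    if "hostname" in rule and rule["hostname"] != fields["hostname"]:
        return False
    if "program_name" in rule and rule["program_name"] != fields["program_name"]:
        return False
    if "match" in rule:  # simple pattern: leading ^ anchors at message start
        pat = rule["match"]
        ok = (fields["log"].startswith(pat[1:]) if pat.startswith("^")
              else pat in fields["log"])
        if not ok:
            return False
    if "regex" in rule and not re.search(rule["regex"], fields["log"]):
        return False
    return True

# The original rule expects "smbd" inside the message, but the process name
# lives only in the header, so <match> can never see it and the rule is silent.
ORIGINAL_RULE = {"match": "smbd\\.*   Denied connection from  (0.0.0.0)"}
# The corrected rule, and the same rule narrowed with <program_name>.
FIXED_RULE = {"match": "^Denied connection from"}
FIXED_RULE_WITH_PROGRAM = {"program_name": "smbd", "match": "^Denied connection from"}
```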
