Tim,
I tried a similar regex without luck but then saw another way to do
the same thing. You may want to try something like (I've not tried
this, I'm just guessing...):
<rule id="1002020" level="0">
<if_sid>20151</if_sid>
<program_name>snort</program_name>
<srcip>192.168.0.150</srcip>
<match>portscan</match>
<description>Portsweep from whatsup. It's OK.</description>
</rule>
In theory OSSEC will already have parsed the program name and
source IP for you so you can use options specific to those and then
just a simple match on portscan in the log entry. I saw the match
options when I was looking at the regex rules here:
http://www.ossec.net/wiki/index.php/Know_How:Regex_Readme. I'm not
sure srcip is valid there, but it sure seems likely to me.
I don't know if it's the best approach, but a similar rule helped
me out.
-David
Tim Boyer wrote:
> OK, I've just started using this fine program, and I'm trying to eliminate a
> false positive. I'm doing something wrong that I'm sure is obvious, but
> after four days of staring at it I need more eyes.
>
> WhatsUp is doing portscans on my internal network, which is a Good Thing.
> The logs say
>
> Received From: saratoga.denmantire.com->/var/log/messages
> Rule: 20151 fired (level 11) -> "Multiple IDS events from same source ip."
> Portion of the log(s):
>
> Jun 3 15:34:33 saratoga.denmantire.com snort[27016]: [122:3:0] (portscan)
> TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80
> Jun 3 15:34:03 saratoga.denmantire.com snort[27022]: [122:19:0] (portscan)
> UDP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80
> Jun 3 15:34:03 saratoga.denmantire.com snort[27016]: [122:19:0] (portscan)
> UDP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80
> Jun 3 15:33:50 saratoga.denmantire.com snort[27016]: [122:25:0] (portscan)
> ICMP Sweep {PROTO255} 192.168.0.150 -> 192.168.0.201
>
> so I want a generalized 'ignore this' for the portscans coming out of
> 192.168.0.150. I thought that putting this into local_rules would take care
> of it:
>
> <rule id="1002020" level="0">
> <if_sid>20151</if_sid>
> <regex>snort\.*(portscan)\.*{PROTO255} 192.168.0.150 -></regex>
> <description>Portsweep from whatsup. It's OK.</description>
> </rule>
>
> but it's obviously not doing what I wanted it to. What am I not seeing
> here?
>
> Thanks,
>
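As an added illustration (not OSSEC's own code and not part of either message above), the Python below emulates the two stages David's reply relies on: a decoder that parses program_name and srcip out of the syslog line, and a rule whose program_name, srcip and match options must all hold before the level-0 rule claims the event. The decoder regexes are simplified stand-ins for OSSEC's real decoders, and the sample input is constructed from the lines Tim quoted plus two extra lines (a scan from another host, and a non-snort line mentioning the same IP) to show that the rule silences only the WhatsUp scanner and nothing else.

```python
import re

# Constructed sample input: the thread's snort lines plus two lines that must NOT be silenced.
SAMPLE_LOGS = [
    "Jun 3 15:34:33 saratoga.denmantire.com snort[27016]: [122:3:0] (portscan) TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80",
    "Jun 3 15:34:03 saratoga.denmantire.com snort[27022]: [122:19:0] (portscan) UDP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80",
    "Jun 3 15:33:50 saratoga.denmantire.com snort[27016]: [122:25:0] (portscan) ICMP Sweep {PROTO255} 192.168.0.150 -> 192.168.0.201",
    "Jun 3 15:35:10 saratoga.denmantire.com snort[27016]: [122:3:0] (portscan) TCP Portsweep {PROTO255} 10.0.0.7 -> 192.168.1.80",
    "Jun 3 15:35:11 saratoga.denmantire.com sshd[1234]: Failed password for root from 192.168.0.150 port 4444 ssh2",
]

# Hypothetical simplified decoders (assumed here; not OSSEC's real decoder.xml).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$")
SNORT_SCAN_RE = re.compile(
    r"\{PROTO\d+\} (?P<srcip>(?:\d{1,3}\.){3}\d{1,3}) -> (?P<dstip>(?:\d{1,3}\.){3}\d{1,3})")

def decode(line):
    """Decoder stage: split the syslog header, then pull srcip/dstip out of snort portscan events."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = {"program_name": m["prog"], "hostname": m["host"], "log": m["log"],
             "srcip": None, "dstip": None}
    if event["program_name"] == "snort":
        s = SNORT_SCAN_RE.search(event["log"])
        if s:
            event["srcip"], event["dstip"] = s["srcip"], s["dstip"]
    return event

def rule_matches(event, program_name=None, srcip=None, match=None):
    """Rule stage: every option given must hold (logical AND); <match> is a plain substring test."""
    if event is None:
        return False
    if program_name is not None and event["program_name"] != program_name:
        return False
    if srcip is not None and event["srcip"] != srcip:
        return False
    if match is not None and match not in event["log"]:
        return False
    return True

# Rule 1002020 from the reply, expressed as keyword arguments.
WHATSUP_RULE = {"program_name": "snort", "srcip": "192.168.0.150", "match": "portscan"}

def silenced(lines, rule=WHATSUP_RULE):
    """Per line: would the level-0 rule claim it (and so suppress the alert)?"""
    return [rule_matches(decode(line), **rule) for line in lines]
```

Running `silenced(SAMPLE_LOGS)` claims the three WhatsUp scan lines and leaves the 10.0.0.7 scan and the sshd line to alert as before.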