I'm not sure if this is the cause or not, but from my understanding OSSEC reads the rules by the level; in this case your rule is level 0. When I wrote a rule to ignore another rule, I had to set the level higher than the rule it's based off (<if_sid>5104</if_sid> in your case) so that it would catch this instead of catching the parent rule.

I then added <options>no_email_alert</options> so that it wouldn't send those alerts to me yet still logged them. This may not be the proper solution, but it worked for me, hope it helps...

~Zach

On 6/11/07, Dennis Borkhus-Veto <[EMAIL PROTECTED]> wrote:
>
> I know it is something I may have missed but the local rule to ignore a
> false positive alert that I created is not working.
>
> Here is the rule and the alert from my alert log.
>
> My rule
>
> <group name="local,syslog,">
>
>   <!-- Note that rule id 5711 is defined at the ssh_rules file
>      - as a ssh failed login. This is just an example
>      - since ip 1.1.1.1 shouldn't be used anywhere.
>      - Level 0 means ignore.
>     -->
>   <rule id="100001" level="0">
>     <if_sid>5711</if_sid>
>     <srcip>1.1.1.1</srcip>
>     <description>Example of rule that will ignore sshd </description>
>     <description>failed logins from IP 1.1.1.1.</description>
>   </rule>
>
>   <rule id="100101" level="0">
>     <if_sid>5104</if_sid>
>     <match>"KKWIRELESS kernel: device prism0 entered promiscuous mode"</match>
>     <description>KKWIRELESS Events ignored</description>
>   </rule>
>
>   <!-- This example will ignore ssh failed logins for the user name XYZABC.
>     -->
>   <!--
>   <rule id="100020" level="0">
>     <if_sid>5711</if_sid>
>     <user>XYZABC</user>
>     <description>Example of rule that will ignore sshd </description>
>     <description>failed logins for user XYZABC.</description>
>   </rule>
>   -->
>
>   <!-- Specify here a list of rules to ignore.
>     -->
>   <!--
>   <rule id="100030" level="0">
>     <if_sid>12345, 23456, xyz, abc</if_sid>
>     <description>List of rules to be ignored.</description>
>   </rule>
>   -->
>
> </group> <!-- SYSLOG,LOCAL -->
>
> THIS is the alert from the Ossec alert log
>
> ** Alert 1181614751.1385744: mail - syslog,linuxkernel,promisc,
> 2007 Jun 11 21:19:11 KKWIRELESS->/Log/syslog-ng/KKWIRELESS/syslog.log
> Rule: 5104 (level 8) -> 'Interface entered in promiscuous(sniffing) mode.'
> Src IP: (none)
> User: (none)
> Jun 11 21:19:10 KKWIRELESS kernel: device prism0 entered promiscuous mode
>
> What am I missing?
>
> Dennis
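An added check for threads like this one (example code, not from the post or from the OSSEC project): it parses the quoted rule group and tests whether each rule's literal <match> text occurs in the log line from the alert. It assumes that <match> behaves as a plain substring test, so the double quotes around the text count as ordinary characters.

```python
# Added example for this thread (not code from the post or from OSSEC): checks
# whether a local rule's literal <match> text is a substring of the log line it
# is meant to silence. Assumption: <match> is a plain substring test.
import xml.etree.ElementTree as ET

# Rule group from the thread, reduced to the rule under discussion.
LOCAL_RULES = """<group name="local,syslog,">
  <rule id="100101" level="0">
    <if_sid>5104</if_sid>
    <match>"KKWIRELESS kernel: device prism0 entered promiscuous mode"</match>
    <description>KKWIRELESS Events ignored</description>
  </rule>
</group>"""

# Log line from the alert quoted in the thread.
LOG_LINE = "Jun 11 21:19:10 KKWIRELESS kernel: device prism0 entered promiscuous mode"


def load_rules(xml_text):
    """Return id, level, if_sid and match text for every <rule> in the fragment."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": rule.get("id"),
            "level": int(rule.get("level", "0")),
            "if_sid": (rule.findtext("if_sid") or "").strip(),
            "match": rule.findtext("match") or "",
        })
    return rules

def check_match(rule, log_line):
    """'hit' if the literal <match> text occurs in the line, 'miss' if not,
    'miss-quoted' if it would hit once the surrounding double quotes (which
    are ordinary characters to a substring test) are removed."""
    pattern = rule["match"]
    if pattern in log_line:
        return "hit"
    stripped = pattern.strip('"')
    if stripped != pattern and stripped in log_line:
        return "miss-quoted"
    return "miss"

def audit(xml_text, log_line):
    """Map each rule id to the outcome of its <match> against the log line."""
    return {r["id"]: check_match(r, log_line) for r in load_rules(xml_text)}

if __name__ == "__main__":
    for rule_id, outcome in audit(LOCAL_RULES, LOG_LINE).items():
        print(rule_id, outcome)  # 100101 miss-quoted
```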
