Hi Dennis,

the rule is not correct because:

Jun 11 21:19:10 (1)KKWIRELESS (2)kernel: (3)device prism0 entered promiscuous mode

(1) is hostname
(2) is program_name
(3) is log

The match directive applies only to the log part, so the correct rule is something like this:

<rule id="100101" level="0">
  <if_sid>5104</if_sid>
  <match>device prism0 entered promiscuous mode</match>
  <description>KKWIRELESS Events ignored</description>
</rule>

You can use the hostname and program_name directives to fine-grain the rule.

I hope this helps you a bit :)

Greetings

On Mon, 2007-06-11 at 09:14 -0500, Dennis Borkhus-Veto wrote:
> I know it is something I may have missed, but the local rule to ignore
> a false positive alert that I created is not working.
>
> Here is the rule and the alert from my alert log.
>
> My rule
>
> <group name="local,syslog,">
>
>   <!-- Note that rule id 5711 is defined at the ssh_rules file
>      - as a ssh failed login. This is just an example
>      - since ip 1.1.1.1 shouldn't be used anywhere.
>      - Level 0 means ignore.
>   -->
>   <rule id="100001" level="0">
>     <if_sid>5711</if_sid>
>     <srcip>1.1.1.1</srcip>
>     <description>Example of rule that will ignore sshd </description>
>     <description>failed logins from IP 1.1.1.1.</description>
>   </rule>
>
>   <rule id="100101" level="0">
>     <if_sid>5104</if_sid>
>     <match>"KKWIRELESS kernel: device prism0 entered promiscuous mode"</match>
>     <description>KKWIRELESS Events ignored</description>
>   </rule>
>
>   <!-- This example will ignore ssh failed logins for the user name XYZABC.
>   -->
>   <!--
>   <rule id="100020" level="0">
>     <if_sid>5711</if_sid>
>     <user>XYZABC</user>
>     <description>Example of rule that will ignore sshd </description>
>     <description>failed logins for user XYZABC.</description>
>   </rule>
>   -->
>
>   <!-- Specify here a list of rules to ignore.
>   -->
>   <!--
>   <rule id="100030" level="0">
>     <if_sid>12345, 23456, xyz, abc</if_sid>
>     <description>List of rules to be ignored.</description>
>   </rule>
>   -->
>
> </group> <!-- SYSLOG,LOCAL -->
>
> THIS is the alert from the OSSEC alert log
>
> ** Alert 1181614751.1385744: mail - syslog,linuxkernel,promisc,
> 2007 Jun 11 21:19:11 KKWIRELESS->/Log/syslog-ng/KKWIRELESS/syslog.log
> Rule: 5104 (level 8) -> 'Interface entered in promiscuous(sniffing) mode.'
> Src IP: (none)
> User: (none)
> Jun 11 21:19:10 KKWIRELESS kernel: device prism0 entered promiscuous mode
>
> What am I missing?
> Dennis

--
Iñaki Rodríguez [EMAIL PROTECTED]
Departamento de Sistemas
ACK STORM, S.L.
http://www.ackstorm.es
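The field split that Iñaki describes is the whole reason Dennis's rule never fires: OSSEC's syslog pre-decoder strips the timestamp, hostname and program name before `<match>` is ever evaluated, so a pattern that starts with the hostname can never be found in the log part. The script below is an added example, not code from the thread or from OSSEC itself: it models that pre-decoder with a small regex, approximates `<match>` as a substring (or `^`-anchored prefix) test, and runs the original rule, the corrected rule, and a hostname/program_name-scoped variant over the quoted log line. All function names, the `SYSLOG_RE` pattern and the rule dictionaries are this example's own simplifications; real OSSEC decoders and the `<match>` syntax are richer.

```python
import re

# Constructed sample: the exact syslog line from the alert quoted in the thread.
SAMPLE_LOG = "Jun 11 21:19:10 KKWIRELESS kernel: device prism0 entered promiscuous mode"

# Simplified model of the OSSEC syslog pre-decoder: timestamp, hostname,
# program_name (with optional [pid]) and the remaining "log" part.
# The regex and field names are this example's own, not OSSEC code.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^:\[]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)


def predecode(line):
    """Split a syslog line into the fields a rule can test."""
    m = SYSLOG_RE.match(line)
    if m is None:
        # Not syslog-shaped: treat the whole line as the log part (assumption).
        return {"timestamp": None, "hostname": None, "program_name": None, "log": line}
    return m.groupdict()


def ossec_match(pattern, value):
    """Approximation of OSSEC <match>: substring, or prefix if pattern starts with ^."""
    if value is None:
        return False
    if pattern.startswith("^"):
        return value.startswith(pattern[1:])
    return pattern in value


def evaluate(rule, line):
    """Return True if every option present in the rule dict matches the decoded line.

    <match> is tested against the log part only; <hostname> and <program_name>
    are tested against their own decoded fields, as in the reply above.
    """
    fields = predecode(line)
    checks = (
        ("match", "log"),
        ("hostname", "hostname"),
        ("program_name", "program_name"),
    )
    for option, field in checks:
        if option in rule and not ossec_match(rule[option], fields[field]):
            return False
    return True


# Dennis's original rule: pattern includes the hostname and program name,
# which are no longer present in the log part by the time <match> runs.
BROKEN_RULE = {
    "id": "100101",
    "match": "KKWIRELESS kernel: device prism0 entered promiscuous mode",
}

# Iñaki's corrected rule: only the log part.
FIXED_RULE = {"id": "100101", "match": "device prism0 entered promiscuous mode"}

# Fine-grained variant limited to one host and the kernel, as suggested.
SCOPED_RULE = dict(FIXED_RULE, hostname="KKWIRELESS", program_name="kernel")


if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE), ("scoped", SCOPED_RULE)):
        print(f"{name:>7}: {evaluate(rule, SAMPLE_LOG)}")
```

Running it shows `broken: False` and `True` for the other two; feeding the scoped rule a line from a different host returns `False`, which is the behaviour you want when silencing a known sniffer interface on one box without hiding promiscuous-mode events elsewhere. Note that Dennis's posted rule also wrapped the pattern in literal double quotes, which OSSEC would have looked for in the text as well.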
