Hi Dan,
For your first rule, "kernelgrsec" is decoded as the program_name, so
you need to change
your rule to:
<rule id="100010" level="0">
<program_name>^kernelgrsec</program_name>
<description>Kernelgrsec messages.</description>
</rule>
*the regex and match tags only look at the log message after the
syslog header.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
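To make the point above concrete, here is an added example (not OSSEC code, and not from anyone in this thread) that models in Python the part of OSSEC's syslog decoding that matters here: the program name is taken from the syslog header, while `regex` and `match` are only tested against the text after that header. The sample log lines and the dictionary form of the rules are constructed for the example; Python's `re` stands in for OSSEC's own regex engine, and the stray trailing `|` in the original regex is dropped.

```python
import re

# Constructed sample syslog lines for this example (not from the thread).
SAMPLE_LOGS = [
    "Sep 19 03:18:00 srv1 kernelgrsec: failure: denied resource overstep",
    "Sep 19 03:18:01 srv1 sshd[1234]: Accepted publickey for dan",
]
# Approximation of OSSEC's syslog pre-decoder: timestamp, host and program
# name (optional [pid]) are the header; the text after ": " is the log
# message that <regex> and <match> are tested against.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(\[\d+\])?: (?P<msg>.*)$"
)

def decode_syslog(line):
    """Decoded fields of one syslog line, or None if it has no syslog header."""
    m = SYSLOG_HEADER.match(line)
    return {"hostname": m["host"], "program_name": m["prog"], "log": m["msg"]} if m else None

def _ossec_match(pattern, text):
    """Simplified <match>/<program_name> semantics: substring test, '^' anchors the start."""
    if pattern.startswith("^"):
        return text.startswith(pattern[1:])
    return pattern in text

def rule_matches(rule, event):
    """Check one rule (dict form of the XML options) against a decoded event."""
    if "program_name" in rule and not _ossec_match(rule["program_name"], event["program_name"]):
        return False
    # Python re stands in for OSSEC's own regex engine; it never sees the header.
    if "regex" in rule and not re.search(rule["regex"], event["log"]):
        return False
    if "match" in rule and not _ossec_match(rule["match"], event["log"]):
        return False
    return True

RULE_ORIGINAL = {"id": 100010, "regex": "kernelgrsec:"}       # Dan's first version
RULE_FIXED = {"id": 100010, "program_name": "^kernelgrsec"}   # Daniel's correction
RULE_CHILD = {"id": 100011, "if_sid": 100010, "match": "^failure"}
def evaluate(rules, line):
    """Ids of rules that fire for one line; an if_sid rule needs its parent to have fired."""
    event = decode_syslog(line)
    fired = []
    for rule in rules if event else []:
        if "if_sid" in rule and rule["if_sid"] not in fired:
            continue
        if rule_matches(rule, event):
            fired.append(rule["id"])
    return fired
```

With `RULE_ORIGINAL` nothing fires on the kernelgrsec line, because "kernelgrsec:" lives in the header the regex never sees; with `RULE_FIXED` both 100010 and 100011 fire.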
On 9/19/07, Dan <[EMAIL PROTECTED]> wrote:
>
> Hi
>
> Thanks for your help.
> I was able to make my own rules, but with some of them I have a
> problem :-(
> I have an application which reports to syslog and I need to match some
> of these messages. But rule id 1002 (syslog with $badwords) triggers
> every time!
>
> I created a new group <group name="syslog,errors,"> in local_rules.xml
> and entered my rules.
> For example:
> <rule id="100010" level="0">
> <regex>kernelgrsec:|</regex>
> <description>xxx</description>
> </rule>
> <rule id="100011" level="7">
> <if_sid>100010</if_sid>
> <match>^failure</match>
> <description>xxx</description>
> </rule>
>
> The first rule won't generate an alert, but the second one should.
> But rule 1002 always triggers. What is the error in my filters?
>
> Thanks for your help.
>
> Regards,
> Dan
>
> On 19.09.2007 at 03:18, Daniel Cid wrote:
>
> >
> > Hi Daniel,
> >
> > Regarding how to write the rules, the following documents can help:
> >
> > http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
> > http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 9/18/07, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
> >>
> >> Greetings Daniel:
> >>
> >> Custom rules can be placed in /var/ossec/rules/local_rules.xml
> >>
> >> Thank you.
> >>
> >>
>