One last one that's really been irritating me. Rule in local_rules.xml, on the server (which is also the system running nagios, if that makes a difference):
<rule id="100011" level="0"> <if_sid>1002</if_sid> <hostname>ovm-a</hostname> <hostname>ovm-b</hostname> <hostname>localhost</hostname> <program_name>^nagios</program_name> <description>Ignoring nagios log entries</description> </rule> I still get the alert: Received From: ovm-a->/var/log/messages Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." Portion of the log(s): Apr 2 00:00:01 ovm-a nagios: CURRENT SERVICE STATE: mark-windows- desktop;RAM;CRITICAL;HARD;1;Connection refused or timed out On Apr 1, 10:34 am, Mark C <[email protected]> wrote: > In addition, as mentioned in the OP... > > I have this rule: > > <rule id="100029" level="0"> > <if_sid>5712</if_sid> > <hostname>sloth</hostname> > <hostname>lmp-a</hostname> > <hostname>lmp-b</hostname> > <description>Ignoring "SSHD brute force trying to get access to the > system."</description> > </rule> > > And still get this alert: > > Received From: (sloth.xxx.xxx) xxx.xxx.143.180->/var/log/auth.log > Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access > to the system." > Portion of the log(s): > > Am I doing something wrong? > > On Mar 30, 4:19 pm, Mark C <[email protected]> wrote: > > > Daniel, > > > I'm not sure I understand exactly how to use <stats> based > > onhttp://www.ossec.net/main/manual/configuration-options/#global_options > > , but I see that <stats> is in the global section. I only want to > > ignore rule #11 ("Excessive number of events (above normal).") if it's > > triggered by a single specific log file - in this case, maillog. I > > want all log files except maillog to be able to trigger this. > > > On Mar 30, 2:30 pm, Daniel Cid <[email protected]> wrote: > > > > Hi Mark, > > > > This event #11 is a bit special, since it is created internally and we > > > don't have a rule for it. The way > > > to ignore those is by setting the <stats> flag in the ossec.conf. If > > > you change it to 0, these events > > > will be ignored. > > > > Thanks, > > > > -- > > > Daniel B. Cid > > > dcid ( at ) ossec.net > > > > On Mon, Mar 30, 2009 at 11:01 AM, Mark C <[email protected]> wrote: > > > > > Hi all, > > > > > Sorry to respond to me own post but this problem is really bugging > > > > me. Could someone at least show me the rule you use to ignore rule > > > > #11? ("Excessive number of events (above normal).") > > > > > On Mar 25, 8:37 am, Mark C <[email protected]> wrote: > > > >> Hi all, > > > > >> I'm fairly new to OSSEC but I think I understand how to create rules > > > >> to ignore certain rules. I have > > > >> readhttp://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules > > > > >> Here are 2 rules I'm having a problem with. > > > > >> Received From: (jack-3.xxx.xxx) xxx.xxx.150.168->/var/log/maillog > > > >> Rule: 11 fired (level 8) -> "Excessive number of events (above > > > >> normal)." > > > >> Portion of the log(s): > > > > >> The average number of logs between 19:00 and 20:00 is 15678. We > > > >> reached 20383. > > > > >> So, I add the below into /var/ossec/rules/local_rules.xml on the > > > >> server, and restart OSSEC on the server: > > > > >> <rule id="100028" level="0"> > > > >> <if_sid>11</if_sid> > > > >> <hostname>jack-3</hostname> > > > >> <description>Ignoring</description> > > > >> </rule> > > > > >> When OSSEC starts, I get this error: > > > > >> Starting OSSEC HIDS v2.0 (by Third Brigade, Inc.)... > > > >> 2009/03/24 15:11:24 rules_list: Signature ID '11' not found. Invalid > > > >> 'if_sid'. > > > >> ossec-analysisd: Configuration error. Exiting > > > > >> I have many rules very similar to this - is something wrong with my > > > >> syntax? > > > > >> The 2nd rule I'm having a problem matching is this: > > > > >> Received From: (sloth.xxx.xxx) xxx.xxx.143.180->/var/log/auth.log > > > >> Rule: 5551 fired (level 10) -> "Multiple failed logins in a small > > > >> period of time." > > > >> Portion of the log(s): > > > > >> Mar 25 06:27:15 sloth sshd[5896]: (pam_unix) authentication failure; > > > >> logname= uid=0 euid=0 tty=ssh ruser= rhost=gw.digitalsheep.co.jp > > > >> user=root > > > > >> <rule id="100017" level="0"> > > > >> <if_sid>5551,5720,5712,5703</if_sid> > > > >> <hostname>sloth</hostname> > > > >> <description>Ignoring ssh brute force attacks</description> > > > >> </rule> > > > > >> I don't get an error with this one, but I still receive alerts. > > > > >> The dozens of other rules I have work as expected, so I'm at a > > > >> complete loss here. "sloth" is also not the only agent I have > > > >> problems with. sloth is on Ubuntu, and I have some other clients with > > > >> similar issues on CentOS. > > > > >> Any help is appreciated! :)
