Maybe you could write your rule like this:

 

<rule id="....">

...

<hostname>snort01</hostname>

<hostname>snort02</hostname>

...

</rule>

 

I'm not sure if it is going to work, but it doesn't hurt to try.

 

 

Best regards,

Branimir

 

________________________________

From: [email protected] [mailto:[email protected]] On 
Behalf Of Jefferson, Shawn
Sent: Friday, March 05, 2010 7:47 PM
To: [email protected]
Subject: RE: [ossec-list] Local Rules Syntax

 

Thanks, that helps!

 

I guess I still have the issue that <hostname>snort01|snort02</hostname> is not 
working for the second hostname (i.e. alerts are still being fired).

 

________________________________

From: [email protected] [mailto:[email protected]] On 
Behalf Of oscar schneider
Sent: Friday, March 05, 2010 4:54 AM
To: [email protected]
Subject: Re: [ossec-list] Local Rules Syntax

 

No, what he is trying to say is that you do not push the rules to the agents, 
only configs. This is because the rules are not needed by the agents. The rules 
are only used by ossec-analysisd, which doesn't run on agents, but on the 
server only.

The ossec.conf and agent.conf are also read by agent side daemons, e.g. 
syscheck and logcollector.

On the agent side, for log analysis only the following things happen:
1. ossec-logcollector reads ossec.conf and agent.conf. From there it extracts 
the locations of files it needs to monitor.
2. Every time one of these logfiles gets a new log entry, logcollector will 
notice and write it to a socket.
3. ossec-agentd forwards the contents of that socket to the server.

The server will do the following:
1. ossec-analysisd reads decoder.xml and all rule files as specified in 
ossec.conf
2. When remoted receives a message from an agent, it forwards that message to 
analysisd
3. Analysisd runs the predecoder (hard coded, as far as I know), the appropriate 
decoder (as defined in decoder.xml) and then starts rule matching, i.e. compares 
the output of the decoding phase with the rules. Analysisd may also have to 
consider a rule chain, e.g. if a decoded message matches rule 1000, and rule 
1001 has <if_sid>1000</if_sid> and matches as well, then 1001 would be returned 
instead of stopping at 1000.
4. After determining the final rule that matches, an alert is generated, and, if 
specified by the rule's options and alert level, e.g. an active response or 
email notification.

As you can see, the rules are not pushed. They are not necessary on the agent 
side at all. 

Changing the local_rules.xml at the server and restarting the server should 
suffice.

On Thu, Mar 4, 2010 at 11:42 PM, Jefferson, Shawn 
<[email protected]> wrote:

Are you saying that you cannot put rules into the local_rules.xml file on the 
manager and have them applied to agents?  I thought I had seen a mailing list 
post that you could do that.

As described above, the rules are not needed for the agent. 

         

        So what I need to do is make a change to the local_rules.xml file on 
each agent where I want to ignore this event?


No
 

         

        Thanks,

        Shawn

         

        
________________________________


        From: [email protected] [mailto:[email protected]] 
On Behalf Of Wim Remes
        Sent: Thursday, March 04, 2010 11:03 AM

        
        To: [email protected]
        Subject: Re: [ossec-list] Local Rules Syntax

         

        Hi,

         

        you don't push out rules, you push out config files, as specified here :

        http://www.ossec.net/main/manual/centralized-config/

         

        here you can specify configurations as follows :

        <agent_config name="agent1|agent2">
        <localfile>
        <location>/var/log/my.log</location>
        <log_format>syslog</log_format>
        </localfile>
        </agent_config>

         

        the <hostname>host1|host2</hostname> should work on events coming 
from either host.

         

        Kind Regards,

         

        Wim

        On 04 Mar 2010, at 18:06, Jefferson, Shawn wrote:

         

        Hi,

         

        I have tried this, but unfortunately it doesn't seem to work for the 
"snort02" hostname (i.e. I still get alerts from that machine, but not from 
snort01).

         

        Thanks,

        Shawn

         

        
________________________________


        From: [email protected] [mailto:[email protected]] 
On Behalf Of oscar schneider
        Sent: Wednesday, March 03, 2010 4:35 AM
        To: [email protected]
        Subject: Re: [ossec-list] Local Rules Syntax

         

        Hey,
        
        not sure at the moment but I think it should be
        
        <hostname>snort01|snort02</hostname> 
        
        instead.
        
        Kind regards,
        
        oscar

        On Tue, Mar 2, 2010 at 6:55 PM, Jefferson, Shawn 
<[email protected]> wrote:

        Hi,

         

        I’m putting some local rules into the local_rules.xml file on the 
manager (from what I’ve read you can put them here to push out to your agents?)

         

        Can you use a comma-separated list in <hostname> like so?

         

        <group name="local,snort">

        <rule id="100100" level="0" noalert="1">

        <if_sid>20100</if_sid>

        <hostname>snort01, snort02</hostname>

        <description>Ignoring snort events</description>

        </rule>

        </group>

         

        Or should you use a regex?

         

        Thanks,

        Shawn
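The server-side flow that oscar schneider describes above (decode, find a root rule, follow the <if_sid> chain to the deepest matching rule, and alert only when that rule's level is above 0) can be modelled in a few lines. The Python below is an added example for this thread, not OSSEC's code and not anything any of the posters wrote. The rule set mirrors Shawn's local_rules.xml, with a constructed stand-in for the stock Snort rule 20100 and constructed events from snort01, snort02 and web01. One thing the model assumes rather than knows: it treats every <hostname> element as a regular expression searched in the event's hostname, so "|" is alternation, and it accepts several <hostname> elements in one rule. Whether OSSEC itself honours "|" inside <hostname> is exactly what the thread is unsure about, so the result the model gives for that form is the model's assumption, not a claim about OSSEC; what the model does show unambiguously is why the comma-separated form can never match a hostname and how a level-0 child rule swallows the parent's alert.

```python
"""Simplified model of the OSSEC server-side rule matching described in the
thread: decode, find a root rule, follow <if_sid> chains, keep the deepest
matching rule, and alert only if its level is above 0.

Added example, not OSSEC's own code. The local_rules.xml text, the stand-in
parent rule 20100 and the events are all constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Rule:
    sid: int
    level: int
    if_sid: list        # parent sids this rule chains from
    hostnames: list     # one entry per <hostname> element
    decoded_as: str     # None if the rule does not restrict the decoder
    description: str


def load_rules(xml_text):
    """Parse the <rule> elements of a local_rules.xml-style document."""
    root = ET.fromstring(xml_text.strip())
    rules = {}
    for r in root.iter("rule"):
        sid = int(r.get("id"))
        rules[sid] = Rule(
            sid=sid,
            level=int(r.get("level", "0")),
            if_sid=[int(s) for e in r.findall("if_sid")
                    for s in e.text.split(",") if s.strip()],
            hostnames=[h.text.strip() for h in r.findall("hostname")],
            decoded_as=(r.findtext("decoded_as") or "").strip() or None,
            description=(r.findtext("description") or "").strip(),
        )
    return rules


def hostname_matches(rule, hostname):
    """Model assumption (not a statement about OSSEC internals): each
    <hostname> is a regex searched in the event's hostname, so '|' is
    alternation, and any one of several <hostname> elements matching is
    enough. A rule without <hostname> applies to every host."""
    if not rule.hostnames:
        return True
    return any(re.search(pattern, hostname) for pattern in rule.hostnames)


def match(rules, event):
    """Return the final rule for an event (dict with 'hostname' and
    'decoder'), or None. Root rules have no <if_sid>; once one matches, a
    child naming it in <if_sid> is tried, and the deepest match wins (the
    1000 -> 1001 chain from the thread)."""
    def fits(rule):
        return ((rule.decoded_as is None or rule.decoded_as == event["decoder"])
                and hostname_matches(rule, event["hostname"]))

    final = next((r for r in rules.values() if not r.if_sid and fits(r)), None)
    if final is None:
        return None
    seen = {final.sid}  # guard against <if_sid> cycles
    while True:
        child = next((r for r in rules.values()
                      if final.sid in r.if_sid and r.sid not in seen and fits(r)),
                     None)
        if child is None:
            return final
        seen.add(child.sid)
        final = child


def build_rules(hostname_xml):
    """Constructed rule set mirroring the thread: a stand-in for the stock
    Snort rule 20100 plus the level-0 override 100100, whose <hostname>
    element(s) the caller supplies so the three syntaxes can be compared."""
    return load_rules(f"""
<rules>
<group name="local,snort">
  <rule id="20100" level="5">
    <decoded_as>snort</decoded_as>
    <description>Snort alert (stand-in for the stock rule)</description>
  </rule>
  <rule id="100100" level="0" noalert="1">
    <if_sid>20100</if_sid>
    {hostname_xml}
    <description>Ignoring snort events</description>
  </rule>
</group>
</rules>
""")


# Constructed events, one per host, all already decoded by the snort decoder.
EVENTS = [{"hostname": h, "decoder": "snort"} for h in ("snort01", "snort02", "web01")]


def final_levels(hostname_xml):
    """Map each sample host to the level of its final rule; 0 means the
    override matched and no alert is raised, None means nothing matched."""
    rules = build_rules(hostname_xml)
    out = {}
    for ev in EVENTS:
        rule = match(rules, ev)
        out[ev["hostname"]] = None if rule is None else rule.level
    return out


if __name__ == "__main__":
    for label, hn in [
        ("comma list  ", "<hostname>snort01, snort02</hostname>"),
        ("alternation ", "<hostname>snort01|snort02</hostname>"),
        ("two elements", "<hostname>snort01</hostname><hostname>snort02</hostname>"),
    ]:
        print(label, final_levels(hn))
```

Running it prints the final level per host for each syntax: the comma-separated form leaves all three hosts at level 5 (the override never fits, because "snort01, snort02" is searched as one literal string and no hostname contains it), while the alternation form and the two-element form both drop snort01 and snort02 to level 0 and leave web01 at 5. The two-element form is the one Branimir suggests at the top of the thread; the model treats it and the "|" form the same way, which is an assumption of the model and should be checked against a running manager before relying on it.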