Ok, thanks!  Do you see any problems with the rule that I do have though?  I 
would expect that these alerts wouldn't come through at all, but they still 
seem to.

Also, I don't want to ignore rule 1002 in general, just when the false positive 
matches appear (like the lines that get written to the log when Snort starts up 
that appear to OSSEC as events to report on.)

Is my match tag appropriate for that?

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of dan (ddp)
Sent: Wednesday, March 10, 2010 10:09 AM
To: [email protected]
Subject: Re: [ossec-list] Local Rules

You should only have to restart the server when you change rules. The
agents do not have copies of the rules.
ossec-control restart should restart whichever system you run it on.
The group tag can contain just about anything, and is used for
reporting. There are a bunch of default groups based on the rules in
the ossec rules files, but I've added a couple on my setup.
I think setting a rule to level 0 should be fine, you shouldn't need noalert=1.
Instead of ignoring rule 1002, I write local_rules for the logs that
trigger it. I set many of these to level 0 so I don't see them. I also
set quite a few to low levels so I'm not alerted to them, but they
show up in my reports (mostly sysadmin stuff). I'd recommend not
ignoring rule 1002.

On Wed, Mar 10, 2010 at 12:09 PM, Jefferson, Shawn
<[email protected]> wrote:
> Hi,
>
> I'm still fighting with the local rules, trying to get something that will
> work for suppressing some of the alerts.  When you make a change to the
> local rules file on the manager, do you have to restart the ossec agents on
> the manager AND the clients?  You do that by "ossec-control restart" right?
> What is the meaning of the group tag in the local rules file?  Can I put
> anything I want in there, and is that used for reporting only?
>
> Here are the messages I want to ignore:
>
> ---
> Received From: (snort02) 172.16.4.21->/var/log/auth.log
> Rule: 20100 fired (level 8) -> "First time this IDS alert is generated."
> <snip>
>
> ---
>
> Received From: (snort01) 172.16.4.20->/var/log/syslog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Mar 10 04:00:02 bcfids01 snort[4701]:         Check for Bounce Attacks: YES
> alert: YES
>
> ---
>
> And the rules I've created to do so (I took out the hostname tag that wasn't
> working):
>
> <!-- Snort Events to Ignore -->
> <group name="local,syslog,snort">
>   <rule id="100100" level="0" noalert="1">
>     <if_sid>20100</if_sid>
>     <description>Ignoring first time seen snort events</description>
>   </rule>
> </group>
>
>
> <!-- Syslog Events to Ignore -->
> <group name="local,syslog">
>   <rule id="100101" level="0" noalert="1">
>     <if_sid>1002</if_sid>
>     <match>snort[</match>
>     <description>Ignoring syslog events from snort startup</description>
>   </rule>
> </group>
>
>
>
> Thanks for your help!
> Shawn
>
>

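As an added illustration (not a configuration posted by anyone in this thread) of the approach dan describes, the local_rules.xml fragment below keeps rule 1002 active and instead adds a child rule that silences only the Snort startup banner lines shown in the quoted alert, plus a child of rule 20100 that drops the level so first-seen IDS alerts are still logged but no longer emailed. The rule ids, the `program_name` check and the matched strings are assumptions based on the sample log line above.

```xml
<!-- Added example for local_rules.xml; ids 100110/100111 are assumed to be unused -->
<group name="local,syslog,snort">

  <!-- Child of rule 1002: only the Snort startup banner lines are silenced.
       Any other unexpected snort line still fires 1002 at level 2. -->
  <rule id="100110" level="0">
    <if_sid>1002</if_sid>
    <!-- program_name comes from the syslog decoder ("snort[4701]:" -> snort) -->
    <program_name>snort</program_name>
    <!-- sregex: '|' is OR, so both banner lines from the sample log are covered -->
    <match>Check for Bounce Attacks|alert: YES</match>
    <description>Snort startup configuration banner, ignored</description>
  </rule>

  <!-- Child of rule 20100 (level 8 by default): level 3 keeps the event in the
       alert log and reports but stays below the default email_alert_level of 7 -->
  <rule id="100111" level="3">
    <if_sid>20100</if_sid>
    <description>First time this IDS alert is generated (report only, no email)</description>
  </rule>

</group>
```

After editing local_rules.xml on the manager, run `ossec-control restart` on the manager only, then confirm with `/var/ossec/bin/ossec-logtest` that the sample Snort line now ends at rule 100110 and a different snort line still reaches 1002.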