The decoder puts "snort" in program_name. Perhaps <match> doesn't apply to program_name. What happens if you use the program_name line from my rule and NO match line?

Doug

On Mar 10, 1:54 pm, "Jefferson, Shawn" <[email protected]> wrote:
> Ok, thanks! Do you see any problems with the rule that I do have though? I
> would expect that these alerts wouldn't come through at all, but they still
> seem to.
>
> Also, I don't want to ignore rule 1002 in general, just when the false
> positive matches appear (like the lines that get written to the log when
> Snort starts up that appear to OSSEC as events to report on.)
>
> Is my match tag appropriate for that?
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
> Sent: Wednesday, March 10, 2010 10:09 AM
> To: [email protected]
> Subject: Re: [ossec-list] Local Rules
>
> You should only have to restart the server when you change rules. The
> agents do not have copies of the rules.
> ossec-control restart should restart whichever system you run it on.
> The group tag can contain just about anything, and is used for
> reporting. There are a bunch of default groups based on the rules in
> the ossec rules files, but I've added a couple on my setup.
> I think setting a rule to level 0 should be fine, you shouldn't need
> noalert=1.
> Instead of ignoring rule 1002, I write local_rules for the logs that
> trigger it. I set many of these to level 0 so I don't see them. I also
> set quite a few to low levels so I'm not alerted to them, but they
> show up in my reports (mostly sysadmin stuff). I'd recommend not
> ignoring rule 1002.
>
> On Wed, Mar 10, 2010 at 12:09 PM, Jefferson, Shawn
> <[email protected]> wrote:
> > Hi,
> >
> > I'm still fighting with the local rules, trying to get something that will
> > work for suppressing some of the alerts. When you make a change to the
> > local rules file on the manager, do you have to restart the ossec agents on
> > the manager AND the clients? You do that by "ossec-control restart" right?
> > What is the meaning of the group tag in the local rules file? Can I put
> > anything I want in there, and is that used for reporting only?
> >
> > Here are the messages I want to ignore:
> >
> > ---
> > Received From: (snort02) 172.16.4.21->/var/log/auth.log
> > Rule: 20100 fired (level 8) -> "First time this IDS alert is generated."
> > <snip>
> >
> > ---
> >
> > Received From: (snort01) 172.16.4.20->/var/log/syslog
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> > Portion of the log(s):
> >
> > Mar 10 04:00:02 bcfids01 snort[4701]: Check for Bounce Attacks: YES
> > alert: YES
> >
> > ---
> >
> > And the rules I've created to do so (I took out the hostname tag that wasn't
> > working):
> >
> > <!-- Snort Events to Ignore -->
> > <group name="local,syslog,snort">
> >   <rule id="100100" level="0" noalert="1">
> >     <if_sid>20100</if_sid>
> >     <description>Ignoring first time seen snort events</description>
> >   </rule>
> > </group>
> >
> > <!-- Syslog Events to Ignore -->
> > <group name="local,syslog">
> >   <rule id="100101" level="0" noalert="1">
> >     <if_sid>1002</if_sid>
> >     <match>snort[</match>
> >     <description>Ignoring syslog events from snort startup</description>
> >   </rule>
> > </group>
> >
> > Thanks for your help!
> > Shawn
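Below is an added local_rules.xml fragment illustrating what Doug is suggesting; it is not Shawn's, dan's or Doug's own rule text, and it assumes the stock OSSEC rule 1002 (whose word list includes "attack", which is what the "Check for Bounce Attacks" banner trips, since OSSEC matching is case-insensitive) and the syslog pre-decoder, which splits "bcfids01 snort[4701]:" into hostname, program_name and pid before <match> is tested against the remaining message text. That split is why <match>snort[</match> never sees the string it is looking for and why <program_name> is the field to test instead. The first rule is Doug's form (program_name only, no match line); the second narrows it to the one startup line Shawn quoted. The rule ids and group name are arbitrary choices for this example.

```xml
<!-- Added example for this thread, not the original poster's rules.
     Assumes the stock rule 1002 and the OSSEC syslog pre-decoder. -->
<group name="local,syslog,snort">

  <!-- Doug's suggestion: every 1002 hit whose syslog program name is snort,
       matched on the decoded program_name field rather than on the message
       body. Level 0 is enough to suppress the alert; per dan, noalert="1"
       is not required. Everything else that fires 1002 is left alone. -->
  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <program_name>^snort$</program_name>
    <description>Snort startup chatter matched by rule 1002; ignored.</description>
  </rule>

  <!-- Narrower variant: only the banner line from the thread. <match> is
       tested against the text after "snort[4701]: ", so the pattern must
       come from the message body, not from the syslog header. -->
  <rule id="100102" level="0">
    <if_sid>1002</if_sid>
    <program_name>^snort$</program_name>
    <match>Check for Bounce Attacks</match>
    <description>Snort "Check for Bounce Attacks" banner; ignored.</description>
  </rule>

</group>
```

Keep only one of the two rules in practice (both children of 1002 would otherwise compete for the same line). To confirm which rule a line ends up in before restarting the server, feed the exact line from the alert to the manager's rule tester, for example `echo 'Mar 10 04:00:02 bcfids01 snort[4701]: Check for Bounce Attacks: YES' | /var/ossec/bin/ossec-logtest`, and check the rule id reported in its final phase: it should be 100101 (or 100102) rather than 1002, and the "program_name" shown in the decoding phase should be "snort".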
