P.S.:
<match> does indeed not work for "snort" since this string is predecoded as
the program name and does not show up in the rest of the log (which is
predecoded as "log"):
2010/03/11 17:38:16 ossec-testrule: INFO: Started (pid: 32258).
ossec-testrule: Type one log per line.
Mar 10 04:00:02 bcfids01 snort[4701]: Check for Bounce Attacks: YES
alert: YES
**Phase 1: Completed pre-decoding.
full event: 'Mar 10 04:00:02 bcfids01 snort[4701]: Check for
Bounce Attacks: YES alert: YES'
hostname: 'bcfids01'
*program_name*: 'snort'
*log:* ' Check for Bounce Attacks: YES alert: YES'
As far as I know, <match> and <regex> in the rule matching step are only
applied to the field predecoded as log.
If I'm wrong about this, please let me know.
On Thu, Mar 11, 2010 at 5:37 PM, oscar schneider <[email protected]> wrote:
> Hey,
>
> using program name is sufficient if you want to exclude about all snort
> logs that would match rule 1002.
> There is no extra <match> option needed. Instead of <program_name> you can
> also use <decoded_as>snort</decoded_as> or both (cf. decoders.xml if there
> is any other program_name affected by the snort decoder; if there isn't,
> decoded_as is fine).
>
> Important is to realize the consequences such a rule can have. A local rule
> like
>
> <rule id="111111" level="0">
>
> <if_sid>1002</if_sid>
> <decoded_as>snort</decoded_as>
> <!-- or alternatively
>
> <program_name>snort</program_name>
> -->
> </rule>
>
> will result in no notification for every event that is decoded as snort and
> matches rule 1002 and is not also matching any other rule with a lower id
> than 111111.
>
> So it might be that you exclude some snort messages you'd actually like to
> be notified about.
>
>
> On Wed, Mar 10, 2010 at 9:59 PM, Doug Burks <[email protected]> wrote:
>
>> The decoder puts "snort" in program_name. Perhaps <match> doesn't
>> apply to program_name. What happens if you use the program_name line
>> from my rule and NO match line?
>> Doug
>>
>>
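To make the pre-decoding point at the top of the thread concrete, here is a small added example (not OSSEC's own code, and a simplified, hypothetical reimplementation of its behaviour): it splits a constructed syslog line into the same hostname / program_name / log fields that ossec-logtest printed, and evaluates a minimal rule in which `<program_name>` is checked against the program_name field while `<match>` and `<regex>` are only ever checked against the log field.

```python
import re

# Constructed sample line, shaped like the snort event quoted in the thread.
SAMPLE = "Mar 10 04:00:02 bcfids01 snort[4701]: Check for Bounce Attacks: YES alert: YES"

# Classic BSD syslog header: timestamp, hostname, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\[:]+)(?:\[(?P<pid>\d+)\])?:"
    r"(?P<log>.*)$"
)


def predecode(line):
    """Hypothetical stand-in for OSSEC phase 1 pre-decoding.

    Returns hostname, program_name and log.  Like ossec-logtest, the log
    field keeps the leading space that follows the 'program[pid]:' header.
    Lines without a syslog header are left whole in the log field.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    return {
        "hostname": m.group("hostname"),
        "program_name": m.group("program_name"),
        "log": m.group("log"),
    }


def rule_matches(rule, fields):
    """Evaluate a minimal rule given as a dict of option -> value.

    'program_name' is compared against the pre-decoded program name;
    'match' (substring) and 'regex' are applied to the log field only,
    which is why <match>snort</match> never sees the program name.
    """
    log = fields["log"] or ""
    if "program_name" in rule and fields["program_name"] != rule["program_name"]:
        return False
    if "match" in rule and rule["match"] not in log:
        return False
    if "regex" in rule and not re.search(rule["regex"], log):
        return False
    return True
```

A rule combining `program_name` with a `match` on the message text narrows an exclusion to specific snort events instead of silencing everything the snort decoder handles.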