Hi,
The key to figuring out what was wrong with the rules was using ossec-logtest.
I didn't realize that you can plug a line of a log file in there and it will
spit out what it decodes it as, and the rules that match. The problem was
the noalert="1" in my rule. With that in there, the rule would not fire at all
(Phase 3: Completed filtering (rules) would show Rule id: 1002 and not my local
rule). Taking it out then allows the rule to fire.
I changed the rule to read:
<rule id="101000" level="0">
  <if_sid>1002</if_sid>
  <program_name>^snort</program_name>
  <match>Check for Bounce Attacks:|Bad Message Direction Alert:|Bad Payload Size Alert:</match>
  <description>Ignoring syslog events from snort startup</description>
</rule>
Which should detect the startup messages but still alert on any other "Unknown
problem somewhere in the system" coming from snort.
Thanks for your help everyone! I think this was the issue with the <hostname>
problems I thought I was having too.
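To make the child-rule behaviour concrete, here is an added example (not from this thread and not OSSEC's own code): a small Python model of how a level-0 <if_sid> rule takes over from rule 1002, using the rule above plus an abbreviated stand-in for 1002 as constructed input. The match syntax and case-insensitive comparison are simplifying assumptions of the model; ossec-logtest is the authority on what the real engine does.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rule set: an abbreviated stand-in for OSSEC's rule 1002 plus the
# local rule from the message above (the real 1002 pattern is longer).
RULES_XML = """<group name="example">
<rule id="1002" level="2">
  <match>error|attack|bad|failed</match>
</rule>
<rule id="101000" level="0">
  <if_sid>1002</if_sid>
  <program_name>^snort</program_name>
  <match>Check for Bounce Attacks:|Bad Message Direction Alert:|Bad Payload Size Alert:</match>
</rule>
</group>"""

def ossec_pattern(pat):
    # Model of OSSEC's simple match syntax: '|' separates alternatives and a
    # leading '^' anchors at the start; the rest is a literal substring.
    # Case-insensitive matching is an assumption of this model.
    alts = ["^" + re.escape(a[1:]) if a.startswith("^") else re.escape(a)
            for a in pat.split("|")]
    return re.compile("|".join(alts), re.IGNORECASE)

def load_rules(xml_text):
    return [{"id": int(r.get("id")), "level": int(r.get("level")),
             "if_sid": r.findtext("if_sid"), "match": r.findtext("match"),
             "program_name": r.findtext("program_name")}
            for r in ET.fromstring(xml_text).iter("rule")]

def _holds(rule, program_name, log):
    pn = rule["program_name"]
    if pn and not ossec_pattern(pn).search(program_name or ""):
        return False
    return not rule["match"] or bool(ossec_pattern(rule["match"]).search(log))

def evaluate(rules, program_name, log):
    """Return (rule_id, level) of the winning rule, or None if nothing matched.
    A child (<if_sid>) is only tried after its parent matched; the first
    matching child replaces the parent, and level 0 means no alert is sent."""
    by_id = sorted(rules, key=lambda r: r["id"])
    for parent in (r for r in by_id if r["if_sid"] is None):
        if not _holds(parent, program_name, log):
            continue
        for child in (r for r in by_id if r["if_sid"] == str(parent["id"])):
            if _holds(child, program_name, log):
                return child["id"], child["level"]
        return parent["id"], parent["level"]
    return None
```

Deleting the <match> element from rule 101000 in RULES_XML makes evaluate() return (101000, 0) for every snort line that rule 1002 catches, which is the over-suppression the reply below warns about.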
________________________________
From: [email protected] [mailto:[email protected]] On
Behalf Of oscar schneider
Sent: Thursday, March 11, 2010 8:38 AM
To: [email protected]
Subject: Re: [ossec-list] Re: Local Rules
Hey,
using program name is sufficient if you want to exclude about all snort logs
that would match rule 1002.
There is no extra <match> option needed. Instead of <program_name> you can
also use <decoded_as>snort</decoded_as> or both (cf. decoders.xml if there is
any other program_name affected by the snort decoder; if there isn't,
decoded_as is fine).
It is important to realize the consequences such a rule can have. A local rule like
<rule id="111111" level="0">
  <if_sid>1002</if_sid>
  <decoded_as>snort</decoded_as>
  <!-- or alternatively
  <program_name>snort</program_name>
  -->
</rule>
will result in no notification for every event that is decoded as snort,
matches rule 1002 and does not also match any other rule with a lower id than
111111.
So it might be that you exclude some snort messages you'd actually like to be
notified about.
On Wed, Mar 10, 2010 at 9:59 PM, Doug Burks <[email protected]> wrote:
The decoder puts "snort" in program_name. Perhaps <match> doesn't
apply to program_name. What happens if you use the program_name line
from my rule and NO match line?
Doug