Thanks, that helps a lot. The documentation on ossec is somewhat sparse, it's difficult to find this stuff out looking at the manual and the wiki.
________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of oscar schneider
Sent: Thursday, March 11, 2010 8:43 AM
To: [email protected]
Subject: Re: [ossec-list] Re: Local Rules

P.S.: <match> does indeed not work for "snort", since this string is predecoded as the program name and does not show up in the rest of the log (which is predecoded as "log"):

2010/03/11 17:38:16 ossec-testrule: INFO: Started (pid: 32258).
ossec-testrule: Type one log per line.

Mar 10 04:00:02 bcfids01 snort[4701]: Check for Bounce Attacks: YES alert: YES

**Phase 1: Completed pre-decoding.
       full event: 'Mar 10 04:00:02 bcfids01 snort[4701]: Check for Bounce Attacks: YES alert: YES'
       hostname: 'bcfids01'
       program_name: 'snort'
       log: ' Check for Bounce Attacks: YES alert: YES'

As far as I know, <match> and <regex> in the rule matching step are only applied to the field predecoded as log. If I'm wrong about this, please let me know.

On Thu, Mar 11, 2010 at 5:37 PM, oscar schneider <[email protected]> wrote:

Hey,

using program name is sufficient if you want to exclude about all snort logs that would match rule 1002. There is no extra <match> option needed. Instead of <program_name> you can also use <decoded_as>snort</decoded_as> or both (cf. decoders.xml to see if there is any other program_name affected by the snort decoder; if there isn't, decoded_as is fine).

It is important to realize the consequences such a rule can have. A local rule like

<rule id="111111" level="0">
  <if_sid>1002</if_sid>
  <decoded_as>snort</decoded_as>
  <!-- or alternatively <program_name>snort</program_name> -->
</rule>

will result in no notification for every event that is decoded as snort, matches rule 1002, and does not also match any other rule with a lower id than 111111. So it might be that you exclude some snort messages you'd actually like to be notified about.
On Wed, Mar 10, 2010 at 9:59 PM, Doug Burks <[email protected]> wrote:

The decoder puts "snort" in program_name. Perhaps <match> doesn't apply to program_name. What happens if you use the program_name line from my rule and NO match line?

Doug
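To illustrate the point made in the thread (the program name is split off during pre-decoding, so <match>snort</match> never sees it while <program_name>snort</program_name> does, and a level-0 child rule silences the parent), here is an added Python simulation. It is not OSSEC's code: the syslog regex, the rule dictionaries, the stand-in for rule 1002 and the simplified parent/child evaluation are all constructed assumptions for this example.

```python
import re

# Constructed sample line, taken from the ossec-testrule output in the thread.
SAMPLE = "Mar 10 04:00:02 bcfids01 snort[4701]: Check for Bounce Attacks: YES alert: YES"

# Simplified model of syslog pre-decoding (assumption, not OSSEC's own parser):
# "<timestamp> <hostname> <program>[pid]: <rest>" -> hostname, program_name, log.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?:(?P<log>.*)$"
)

def predecode(line):
    """Return the pre-decoded fields; the 'log' field keeps its leading space."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    return {"hostname": m.group("host"), "program_name": m.group("prog"), "log": m.group("log")}

def rule_matches(rule, event):
    """<program_name> is tested against the pre-decoded program name, while
    <match> (substring) and <regex> are applied only to the 'log' field."""
    if "program_name" in rule and event["program_name"] != rule["program_name"]:
        return False
    if "match" in rule and rule["match"] not in event["log"]:
        return False
    if "regex" in rule and not re.search(rule["regex"], event["log"]):
        return False
    return True

def final_level(rules, event):
    """Simplified evaluation (assumption): the first matching parent rule (no if_sid)
    is refined by the first matching child whose if_sid names it; the child's level
    replaces the parent's, and level 0 means no alert."""
    for parent in rules:
        if "if_sid" in parent or not rule_matches(parent, event):
            continue
        for child in rules:
            if child.get("if_sid") == parent["id"] and rule_matches(child, event):
                return child["level"]
        return parent["level"]
    return None

# Constructed stand-in for rule 1002 (its real match string is not reproduced here).
PARENT_1002 = {"id": 1002, "level": 2, "match": "alert"}
# The local rule from the thread: silence 1002 for events whose program name is snort.
CHILD_PROGRAM_NAME = {"id": 111111, "level": 0, "if_sid": 1002, "program_name": "snort"}
# The variant that does not work: <match> only sees the 'log' field, which lacks "snort".
CHILD_MATCH = {"id": 111111, "level": 0, "if_sid": 1002, "match": "snort"}
```

Running final_level with CHILD_PROGRAM_NAME returns 0 (silenced), while CHILD_MATCH leaves the parent's level 2 in place, which is exactly the behaviour oscar observed with ossec-testrule.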
