Thanks, that helps a lot. The documentation on ossec is somewhat sparse; it's 
difficult to find this stuff out looking at the manual and the wiki.

________________________________
From: [email protected] [mailto:[email protected]] On 
Behalf Of oscar schneider
Sent: Thursday, March 11, 2010 8:43 AM
To: [email protected]
Subject: Re: [ossec-list] Re: Local Rules

P.S.:

<match> indeed does not work for "snort", since this string is predecoded as the 
program name and does not show up in the rest of the log (which is predecoded 
as "log"):

2010/03/11 17:38:16 ossec-testrule: INFO: Started (pid: 32258).
ossec-testrule: Type one log per line.

Mar 10 04:00:02 bcfids01 snort[4701]:         Check for Bounce Attacks: YES 
alert: YES


**Phase 1: Completed pre-decoding.
       full event: 'Mar 10 04:00:02 bcfids01 snort[4701]:         Check for 
Bounce Attacks: YES alert: YES'
       hostname: 'bcfids01'
       program_name: 'snort'
       log: '        Check for Bounce Attacks: YES alert: YES'


As far as I know, <match> and <regex> in the rule matching step are only applied 
to the field predecoded as log.
If I'm wrong about this, please let me know.
On Thu, Mar 11, 2010 at 5:37 PM, oscar schneider 
<[email protected]> wrote:
Hey,

using program name is sufficient if you want to exclude about all snort logs 
that would match rule 1002.
There is no extra <match> option needed. Instead of <program_name> you can 
also use <decoded_as>snort</decoded_as> or both (cf. decoders.xml to see if there is 
any other program_name affected by the snort decoder; if there isn't, 
decoded_as is fine).

It is important to realize the consequences such a rule can have. A local rule like

<rule id="111111" level="0">
  <if_sid>1002</if_sid>
  <decoded_as>snort</decoded_as>
  <!-- or alternatively
  <program_name>snort</program_name>
  -->
</rule>

will result in no notification for every event that is decoded as snort, 
matches rule 1002, and does not also match any other rule with a lower id than 
111111.

So it might be that you exclude some snort messages you'd actually like to be 
notified about.

On Wed, Mar 10, 2010 at 9:59 PM, Doug Burks 
<[email protected]> wrote:
The decoder puts "snort" in program_name.  Perhaps <match> doesn't
apply to program_name.  What happens if you use the program_name line
from my rule and NO match line?
Doug
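As an added illustration (not posted by anyone in this thread), here is the broad level-0 rule from oscar's message beside a narrower variant that tests <match> against the part pre-decoded as "log" from the P.S., so only the "Check for Bounce Attacks" lines are silenced instead of every snort event that trips rule 1002. The rule ids 100100 and 100101 and the group name are assumptions; use one rule or the other, not both.

```xml
<group name="local,syslog,">

  <!-- Broad variant (the rule discussed in the thread): every event that
       is decoded as snort and matched rule 1002 is dropped to level 0,
       so none of those events is ever alerted on. -->
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <decoded_as>snort</decoded_as>
    <description>Silence all snort events that hit rule 1002</description>
  </rule>

  <!-- Narrow variant (added example, assumed ids): <match> is applied to
       the "log" field only, which for the sample line is
       '        Check for Bounce Attacks: YES alert: YES'. The word "snort"
       lives in program_name and is therefore tested with <program_name>,
       while the message text is tested with <match>. Other snort messages
       still raise rule 1002 as before. -->
  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <program_name>snort</program_name>
    <match>Check for Bounce Attacks</match>
    <description>Silence only snort's "Check for Bounce Attacks" line</description>
  </rule>

</group>
```

Feed the sample line from the P.S. through ossec-logtest to confirm the narrow rule fires, then try a different snort message to confirm it still reaches rule 1002.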
