I have the following "whitelist" rule in local_rules.xml that is still
producing email alerts:
<group name="web,accesslog,apache,">
<rule id="200004" level="0">
<srcip>1.2.3.4</srcip>
<regex>www\.example\.com/v9/windowsupdate/</regex>
<description>X is asking for Windows updates?</description>
</rule>
</group>
$ grep -1 local_rules ossec.conf
<include>attack_rules.xml</include>
<include>local_rules.xml</include>
</rules>
$
I have verified that IP 1.2.3.4 is indeed valid and showing up in the
Apache log, and I've added the relevant Apache log to ossec.conf via
(and restarted ossec):
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/domain.com-access_log</location>
</localfile>
Instead of <regex> I've also tried simply:
<match>www.example.com/v9/windowsupdate/</match>
... and:
<url>www.example.com/v9/windowsupdate/</url>
I've also tried removing the <srcip> line, and I've tried all
combinations of:
<group name="web,accesslog,">
<group name="apache,">
<group name="syslog,">
<group name="local,web,accesslog,apache,">
And numerous other combinations.
The access_log line looks like this:
1.2.3.4 - - [13/Apr/2010:16:26:40 -0400] "GET http://www.example.com/v9/windowsupdate/redir/muv4wuredir.cab?1004132022 HTTP/1.1" 404 307 "-" "Windows-Update-Agent"
I've read these:
http://www.ossec.net/wiki/UserRules
http://www.ossec.net/main/manual/configuration-options/
For the life of me I can't figure out what I'm doing wrong. Thank you
for any help!
-Brian
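Added example (not part of Brian's post, and not OSSEC code): a small Python model of what the web-accesslog decoder extracts from the quoted access_log line and how the `<srcip>`, `<url>`, `<match>` and `<regex>` conditions from the post evaluate against it. The decoder regex, the `Rule` class and the sample line are constructed here for illustration; the field names `srcip`, `url` and `id` mirror the ones OSSEC's decoder exposes, the rest are named only for readability. Running it shows that every pattern variant from the post does match the decoded fields, which narrows the question to where the rule sits in the rule tree rather than to the patterns themselves.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the access_log line quoted in the post, on one line.
SAMPLE_LOG = (
    '1.2.3.4 - - [13/Apr/2010:16:26:40 -0400] '
    '"GET http://www.example.com/v9/windowsupdate/redir/muv4wuredir.cab?1004132022 HTTP/1.1" '
    '404 307 "-" "Windows-Update-Agent"'
)

# Apache "combined" log format. srcip/url/id mimic the fields OSSEC's
# web-accesslog decoder makes available to <srcip>, <url> and <id>.
APACHE_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<id>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def decode(line: str) -> Optional[dict]:
    """Split one access_log line into named fields; None if it is not Apache-shaped."""
    m = APACHE_RE.match(line)
    return m.groupdict() if m else None


@dataclass
class Rule:
    """Hypothetical stand-in for one <rule> element; only the options used in the post."""
    id: int
    level: int
    srcip: Optional[str] = None   # <srcip>: exact match on the decoded source IP
    url: Optional[str] = None     # <url>: substring of the decoded request URL
    match: Optional[str] = None   # <match>: substring of the whole log line
    regex: Optional[str] = None   # <regex>: here a Python regex over the whole line


def rule_matches(rule: Rule, line: str) -> bool:
    """True if every condition the rule sets holds for this line."""
    fields = decode(line) or {}
    if rule.srcip is not None and fields.get('srcip') != rule.srcip:
        return False
    if rule.url is not None and rule.url not in (fields.get('url') or ''):
        return False
    if rule.match is not None and rule.match not in line:
        return False
    if rule.regex is not None and not re.search(rule.regex, line):
        return False
    return True


# The variants tried in the post, expressed as Rule objects (constructed).
PATH = 'www.example.com/v9/windowsupdate/'
VARIANTS = {
    'regex+srcip': Rule(200004, 0, srcip='1.2.3.4', regex=r'www\.example\.com/v9/windowsupdate/'),
    'match+srcip': Rule(200004, 0, srcip='1.2.3.4', match=PATH),
    'url+srcip':   Rule(200004, 0, srcip='1.2.3.4', url=PATH),
    'url only':    Rule(200004, 0, url=PATH),
}


def evaluate_variants(line: str = SAMPLE_LOG) -> dict:
    """Map each variant name to whether its conditions match the line."""
    return {name: rule_matches(rule, line) for name, rule in VARIANTS.items()}


if __name__ == '__main__':
    for key, value in decode(SAMPLE_LOG).items():
        print(f'{key:8} = {value}')
    for name, ok in evaluate_variants().items():
        print(f'{name:12} -> {"match" if ok else "no match"}')
```

Two caveats on reading the output: the decoded url carries the full `http://www.example.com/...` prefix because the request line is a proxy-style absolute URL, so a `<url>` substring of the host and path still matches; and OSSEC's `<regex>` uses its own dialect, in which `\.` means "any character" rather than a literal dot, which is why the Python `re` used above is only a stand-in (the IP and substring checks do not depend on the dialect).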