I was using the example from the OSSEC book "OSSEC HIDS Guide" on page 123, where they used the "!" in the <srcip> tag to say that it should alert if a source IP did not come from within the subnet. I was hoping to be able to use the same logic with the <hostname> tag.

Here is the example from the book:

            <rule id="100126" level="12">
              <if_sid>100124</if_sid>
              <group>authentication_failure</group>
              <hostname>main_sys</hostname>
              <srcip>!192.168.2.0/24</srcip>
              <description>Severe SSHD password failure.</description>
            </rule>


Is the book wrong? Or does that expression only work for the <srcip> tag? I can make the <srcip> tag work if that is the case.

Thanks,

Patrick Swartz
UNIX Planning & Engineering (DSUSSE)

First Data 
402-777-7337 desk
402-871-8981 cell
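
As an added example (not from this thread and not OSSEC's own code): a small Python check that parses a local_rules.xml fragment and reports matching fields written with a leading "!" other than <srcip>, the one tag the book example shows it on. The two sample rules are constructed from the rules quoted in this thread, and MATCH_FIELDS is my own list of OSSEC matching tags.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the rule from the original question beside the rule
# quoted from the OSSEC HIDS Guide, as they would sit in local_rules.xml.
SAMPLE_RULES = """
<group name="local,syslog,">
  <rule id="100500" level="0">
    <if_sid>550, 551, 552</if_sid>
    <match>mdas</match>
    <match>sgsdas</match>
    <hostname>!sles10-docs</hostname>
    <description>Ignoring changes</description>
  </rule>
  <rule id="100126" level="12">
    <if_sid>100124</if_sid>
    <group>authentication_failure</group>
    <hostname>main_sys</hostname>
    <srcip>!192.168.2.0/24</srcip>
    <description>Severe SSHD password failure.</description>
  </rule>
</group>
"""

# OSSEC rule tags that match against event fields (my own list, not from the
# thread).  The book example shows "!" only on <srcip>; the thread reports that
# the same prefix on <hostname> is not applied by OSSEC 2.0.
MATCH_FIELDS = {"hostname", "srcip", "dstip", "user", "program_name", "match",
                "regex", "id", "url", "status", "extra_data", "location"}
NEGATION_DOCUMENTED = {"srcip"}


def find_unsupported_negations(xml_text):
    """Return (rule id, tag, value) for each "!"-prefixed field outside NEGATION_DOCUMENTED."""
    # A rules file may hold several top-level <group> elements, so wrap it in a synthetic root.
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    findings = []
    for rule in root.iter("rule"):
        for field in rule:
            value = (field.text or "").strip()
            if (field.tag in MATCH_FIELDS and value.startswith("!")
                    and field.tag not in NEGATION_DOCUMENTED):
                findings.append((rule.get("id"), field.tag, value))
    return findings


if __name__ == "__main__":
    for rule_id, tag, value in find_unsupported_negations(SAMPLE_RULES):
        print(f"rule {rule_id}: <{tag}>{value}</{tag}> relies on '!' negation "
              f"(reported in this thread as not honoured by OSSEC 2.0)")
```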

 

From: [email protected] [mailto:[email protected]]
On Behalf Of Assaf Flatto
Sent: Thursday, May 13, 2010 5:08 AM
To: ossec list
Subject: Re: [ossec-list] Rules and regular expressions

At the moment this logic is not implemented in OSSEC, and I found it out when trying to do the same thing as you are.

I created a rule with that logic, only to see that it is not working.

I'd love to be told that I am wrong, as this will make the config and rules easier to maintain - but AFAIK, the "!" nullifier option is not within the scope of the OSSEC rules loading logic.

Assaf

Swartz, Patrick H wrote:
>
> Hi All,
>
> Question about using the "!" in the local_rules.xml for the <hostname>
> tag, like the following...
>
> <!-- Testing excluding specific files from specific servers -->
> <rule id="100500" level="0">
>   <if_sid>550, 551, 552</if_sid>
>   <match>mdas</match>
>   <match>sgsdas</match>
>   <hostname>!sles10-docs</hostname> ---- thinking is that if any
>   other server triggered with this rule the normal alert would take
>   place, only on this server would the rule fire and the change be
>   ignored
>   <description>Ignoring changes</description>
> </rule>
>
> We are using OSSEC v2.0.
>
> Thank you,
>
> Patrick Swartz
> UNIX Planning & Engineering (DSUSSE)
>
> First Data
> 402-777-7337 desk
> 402-871-8981 cell
-- 

Assaf Flatto 
Linux System Administrator
No.9 | 6 Portal Way | London | W3 6RU |
T: +44 (0)20 88 96 8014 | M: +44 (0)75 3568 1067


I am doing a Charity Bike ride On the 27 of June for the 
Capital to Coast Charity. Please help by Donating 
http://www.justgiving.com/Lovefilm-capital-to-coast