Hi,
Look at the definition of the event. If it says "mail" in the definition, the alert will be sent independently of the level defined in local_rules.xml.
Regards,
________________________________
Ricardo Marín Vinuesa
Consultant
GMV SOLUCIONES
GLOBALES INTERNET, S.A.
Balmes 268-270, 5ª Planta
E-08006 Barcelona
Tel. +34 93 272 18 48
Fax +34 93 215 61 87
www.gmv-sgi.com
www.gmv.com
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Muraleedaran Kanapathy
Sent: Wednesday, 07 July 2010 11:31
To: [email protected]
Subject: RE: [ossec-list] AVOIDING E-MAIL ALERT AND IGNORING LOGS
Hi
Thanks a lot for the reply.
I have added the text below at the bottom of local_rules.xml and restarted
OSSEC, but I can still see the alerts
<rule id="100033" level="0">
<if_sid>18105</if_sid>
<match>cqmghost</match>
<description>Events to be ignored</description>
</rule>
The message logged in alerts.log is
****************************************************************************
** Alert 1278494706.28385260: - windows,
2010 Jul 07 05:25:06 10.0.228.10->/var/log/messages
Rule: 18105 (level 4) -> 'Windows audit failure event.'
Src IP: (none)
User: (none)
Jul 7 12:23:10 x.x.x.x security[failure] 861 NT AUTHORITY\SYSTEM The
Windows Firewall has detected an application listeninfor incoming
traffic.Name: -Path:
C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exeProcess identifier:
2968User account: SYSTEMUser domain: NT AUTHORITYService: YesRPC server:
NoIP version: IPv4IP protocol: UDPPort number: 3935Allowed: NoUser notified:
No
****************************************************************************
Best regards,
Muraleedaran Kanapathy | Linux/Unix System Engineer - ISS Department
Voice +966(1) 288-8888 ext 1422 | Fax +966(1) 288-8899 ext 1422
Integrated Networks | Faisaliah Tower | Level 7A |
PO Box 53553, Riyadh 11593, KSA | GMT +3 |
Email [email protected]
Disclaimer: This electronic mail message contains information that (a) is or
may be LEGALLY PRIVILEGED, CONFIDENTIAL, PROPRIETARY IN NATURE, OR OTHERWISE
PROTECTED BY LAW FROM DISCLOSURE, and (b) is intended only for the use of
the Addressee(s) named herein. If you are not the intended recipient, an
addressee, or the person responsible for delivering this to an addressee,
you are hereby notified that reading, using, copying, or distributing any
part of this message is strictly prohibited. If you have received this
electronic mail message in error, please contact us immediately and take the
steps necessary to delete the message completely from your computer system.
Unless explicitly attributed, the opinions expressed in this message do not
necessarily represent the official position or opinions of Integrated
Networks LLC., whilst all care has been taken, Integrated Networks LLC.
disclaims all liability for loss or damage to person or property arising
from this message being infected by computer virus or any type of
contamination.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of dan (ddp)
Sent: Tuesday, July 06, 2010 6:07 PM
To: [email protected]
Subject: Re: [ossec-list] AVOIDING E-MAIL ALERT AND IGNORING LOGS
If you want to ignore these events, set them to level 0.
On Tue, Jul 6, 2010 at 9:43 AM, Muraleedaran Kanapathy
<[email protected]> wrote:
>
> Hi All
>
> I am trying to ignore some specific messages so that they are not seen in the
> OSSEC web real-time monitoring, and I have configured local_rules.xml as
> follows, but I can still see the messages.
>
> Requirement: to hide any messages with cqmghost.exe, with the level mentioned
> below, so that they are not logged in real-time monitoring.
>
> The message logged is
>
> Jul 6 15:42:00 x.x.x.x security[failure] 861 NT AUTHORITY\SYSTEM The
> Windows Firewall has detected an application listening for incoming traffic.
> Name: - Path: C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe Process
> identifier: 2968 User account: SYSTEM User domain: NT AUTHORITY Service: Yes
> RPC server: No IP version: IPv4 IP protocol: UDP Port number: 3690 Allowed:
> No User notified: No Jul 6 15:42:00 10.0.228.10 security[failure] 861 NT
> AUTHORITY\SYSTEM The Windows Firewall
>
> <rule id="100033" level="4">
> <if_sid>18105</if_sid>
> <match>cqmghost.exe</match>
> <description>Events to be ignored</description>
> </rule>
>
> <rule id="100034" level="10" frequency="$MS_FREQ" timeframe="240">
> <if_sid>18153</if_sid>
> <match>cqmghost.exe</match>
> <description>Events to be ignored</description>
> </rule>
>
> Also I want to hide the e-mail alert for these events, and my config looks
> like this
>
> <rule id="100031" level="4">
> <if_sid>18105</if_sid>
> <regex>cqmghost.exe</regex>
> <options>no_email_alert</options>
> <description>Windows audit failure event.</description>
> </rule>
>
> <rule id="100032" level="10" frequency="$MS_FREQ" timeframe="240">
> <if_sid>18153</if_sid>
> <regex>cqmghost.exe</regex>
> <options>no_email_alert</options>
> <description>Multiple Windows audit failure events.</description>
> </rule>
>
> I would appreciate it if somebody could help me write the correct rule.
>
> Best regards,
>
> Muraleedaran Kanapathy | Linux/Unix System Engineer - ISS Department
> Voice +966(1) 2888136 | Fax +966(1) 288-8899 ext 1422
> Integrated Networks | Faisaliah Tower | Level 7A |
> PO Box 53553, Riyadh 11593, KSA | GMT +3 |
> Email [email protected]
>
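The rule behaviour discussed in this thread (dan's advice to set the child rule to level 0, and Ricardo's point that a mail option on the rule definition decides the e-mail independently of the level) as an added example, not code from the thread or from the OSSEC project: a small Python model that parses OSSEC-style rule fragments, walks the parent/child chain that `if_sid` builds, and applies the poster's two overrides to a constructed copy of the quoted firewall event. The stand-in for rule 18105 (its `<match>` text and its `alert_by_email` option), the substring and Python-regex matching, and the `email_alert_level` of 7 are assumptions of this example, not facts taken from the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the parent rule: id, level and description come from
# the alert in the thread; the <match> text and the alert_by_email option are
# assumptions made for this example, not the contents of msauth_rules.xml.
BASE_RULES = """
<group name="windows,">
  <rule id="18105" level="4">
    <match>security[failure]</match>
    <options>alert_by_email</options>
    <description>Windows audit failure event.</description>
  </rule>
</group>
"""
# The poster's two candidate overrides, each inside a <group> as in a rules file.
LOCAL_IGNORE = """
<group name="local,">
  <rule id="100033" level="0">
    <if_sid>18105</if_sid>
    <match>cqmghost</match>
    <description>Events to be ignored</description>
  </rule>
</group>
"""
LOCAL_NO_MAIL = """
<group name="local,">
  <rule id="100031" level="4">
    <if_sid>18105</if_sid>
    <regex>cqmghost.exe</regex>
    <options>no_email_alert</options>
    <description>Windows audit failure event.</description>
  </rule>
</group>
"""
# Constructed copy of the firewall event quoted in the thread.
SAMPLE_LOG = ("Jul 6 15:42:00 x.x.x.x security[failure] 861 NT AUTHORITY\\SYSTEM The "
              "Windows Firewall has detected an application listening for incoming "
              "traffic. Name: - Path: C:\\WINDOWS\\system32\\CpqMgmt\\cqmghost\\cqmghost.exe")


def parse_rules(*fragments):
    """Parse OSSEC-style rule XML; a rules file has several root elements, so wrap it."""
    root = ET.fromstring("<root>" + "".join(fragments) + "</root>")
    rules = []
    for r in root.iter("rule"):
        opts = (r.findtext("options") or "").strip()
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": int(r.findtext("if_sid")) if r.find("if_sid") is not None else None,
            "match": r.findtext("match"),
            "regex": r.findtext("regex"),
            "options": {o for o in re.split(r"[,\s]+", opts) if o},
        })
    return rules


def rule_matches(rule, log):
    # Simplification: <match> is a plain substring test and <regex> a Python regex;
    # OSSEC uses its own pattern syntax for both.
    if rule["match"] is not None and rule["match"] not in log:
        return False
    if rule["regex"] is not None and not re.search(rule["regex"], log):
        return False
    return True


def final_rule(rules, log):
    """Walk the tree: the first matching child replaces its parent until none matches."""
    current = next((r for r in rules if r["if_sid"] is None and rule_matches(r, log)), None)
    while current is not None:
        children = (r for r in rules if r["if_sid"] == current["id"])
        nxt = next((c for c in children if rule_matches(c, log)), None)
        if nxt is None:
            break
        current = nxt
    return current


def decide(rules, log, email_alert_level=7):
    """Level 0 discards the event; alert_by_email forces mail regardless of level,
    no_email_alert suppresses it; otherwise mail goes out from email_alert_level
    (7 in the stock ossec.conf) upwards."""
    rule = final_rule(rules, log)
    if rule is None:
        return {"rule": None, "level": None, "logged": False, "email": False}
    logged = rule["level"] > 0
    if not logged or "no_email_alert" in rule["options"]:
        email = False
    else:
        email = "alert_by_email" in rule["options"] or rule["level"] >= email_alert_level
    return {"rule": rule["id"], "level": rule["level"], "logged": logged, "email": email}


if __name__ == "__main__":
    for label, local in (("no override", ""), ("level-0 rule", LOCAL_IGNORE),
                         ("no_email_alert rule", LOCAL_NO_MAIL)):
        print(label, decide(parse_rules(BASE_RULES, local), SAMPLE_LOG))
```

Running the three scenarios side by side shows why the two requirements in the original question need different rules: the level-0 child drops the event entirely (nothing in alerts.log, no mail), while the `no_email_alert` child keeps the level-4 alert in alerts.log and only stops the e-mail. It also shows the check worth making when an override "does not work": the child only replaces the parent when its `<match>` or `<regex>` text is actually present in the log line that fired the parent rule.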
