Hi,

Thanks, it worked.

It was a file edit issue: a comment had been placed accidentally, and when I removed it everything started working.

Best regards,

Muraleedaran Kanapathy | Linux/Unix System Engineer - ISS Department
Voice +966(1) 288-8888 ext 1422 | Fax +966(1) 288-8899 ext 1422
Integrated Networks | Faisaliah Tower | Level 7A | PO Box 53553, Riyadh 11593, KSA | GMT +3 | Email [email protected]

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Wednesday, July 07, 2010 7:33 PM
To: [email protected]
Subject: Re: [ossec-list] AVOIDING E-MAIL ALERT AND IGNORING LOGS

Did you restart the ossec server after adding that rule? It works for me.

<rule id="111111" level="0">
  <if_sid>18105</if_sid>
  <match>cqmghost</match>
  <description>Ignore</description>
</rule>

ossec-logtest output:

**Phase 1: Completed pre-decoding.
       full event: 'Jul 7 12:23:10 x.x.x.x security[failure] 861 NT AUTHORITY\SYSTEM The Windows Firewall has detected an application listeninfor incoming traffic.Name: -Path: C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exeProcess identifier: 2968User account: SYSTEMUser domain: NT AUTHORITYService: YesRPC server: NoIP version: IPv4IP protocol: UDPPort number: 3935Allowed: NoUser notified: No'
       hostname: 'x.x.x.x'
       program_name: '(null)'
       log: 'security[failure] 861 NT AUTHORITY\SYSTEM The Windows Firewall has detected an application listeninfor incoming traffic.Name: -Path: C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exeProcess identifier: 2968User account: SYSTEMUser domain: NT AUTHORITYService: YesRPC server: NoIP version: IPv4IP protocol: UDPPort number: 3935Allowed: NoUser notified: No'

**Phase 2: Completed decoding.
       decoder: 'windows-ntsyslog'
       extra_data: 'security'
       status: 'failure'
       id: '861'

**Phase 3: Completed filtering (rules).
       Rule id: '111111'
       Level: '0'
       Description: 'Ignore'

On Wed, Jul 7, 2010 at 5:30 AM, Muraleedaran Kanapathy <[email protected]> wrote:
> Hi
>
> Thanks a lot for the reply.
>
> I have added the text below at the bottom of local_rules.xml and restarted
> ossec, but I can still see the alerts.
>
> <rule id="100033" level="0">
>   <if_sid>18105</if_sid>
>   <match>cqmghost</match>
>   <description>Events to be ignored</description>
> </rule>
>
> The message logged in alerts.log is
>
> ****************************************************************************
> ** Alert 1278494706.28385260: - windows,
> 2010 Jul 07 05:25:06 10.0.228.10->/var/log/messages
> Rule: 18105 (level 4) -> 'Windows audit failure event.'
> Src IP: (none)
> User: (none)
> Jul 7 12:23:10 x.x.x.x security[failure] 861 NT AUTHORITY\SYSTEM The Windows Firewall has detected an application listeninfor incoming traffic.Name: -Path: C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exeProcess identifier: 2968User account: SYSTEMUser domain: NT AUTHORITYService: YesRPC server: NoIP version: IPv4IP protocol: UDPPort number: 3935Allowed: NoUser notified: No
> ****************************************************************************
>
> Best regards,
>
> Muraleedaran Kanapathy
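As an added illustration (not code from the thread or from OSSEC itself), a small Python model of why the level-0 child rule with <if_sid>18105</if_sid> and <match>cqmghost</match> silences the parent's level-4 alert. The parent rule here is a constructed stand-in reduced to what the logtest output shows (decoder status 'failure' gives level 4), not the real definition of 18105, and the matching logic is a simplification of ossec-analysisd.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in: a simplified parent rule 18105 plus the local rule
# from the thread. Not the real OSSEC rule set.
RULES_XML = """<group name="windows,">
  <rule id="18105" level="4">
    <status>failure</status>
    <description>Windows audit failure event.</description>
  </rule>
  <rule id="111111" level="0">
    <if_sid>18105</if_sid>
    <match>cqmghost</match>
    <description>Ignore</description>
  </rule>
</group>"""

# Decoded fields as ossec-logtest printed them for the event (log abridged).
SAMPLE_EVENT = {
    "status": "failure",
    "log": ("security[failure] 861 NT AUTHORITY\\SYSTEM The Windows Firewall "
            "has detected an application listeninfor incoming traffic.Name: "
            "-Path: C:\\WINDOWS\\system32\\CpqMgmt\\cqmghost\\cqmghost.exe"),
}

def load_rules(xml_text):
    """Parse <rule> elements into dicts; raises ParseError on malformed XML."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": r.get("id"), "level": int(r.get("level")),
            "if_sid": r.findtext("if_sid"), "match": r.findtext("match"),
            "status": r.findtext("status"),
            "description": r.findtext("description"),
        })
    return rules

def evaluate(rules, event):
    """Simplified OSSEC matching: a rule fires only if its if_sid parent already
    fired and its own conditions hold; the most specific (last) hit wins."""
    fired, result = set(), None
    for rule in rules:
        if rule["if_sid"] and rule["if_sid"] not in fired:
            continue
        if rule["status"] and rule["status"] != event["status"]:
            continue
        if rule["match"] and rule["match"] not in event["log"]:
            continue
        fired.add(rule["id"])
        result = rule
    return result

def alert_level(xml_text, event):
    """Level the event would alert at; 0 means it is silenced, None means no hit."""
    hit = evaluate(load_rules(xml_text), event)
    return hit["level"] if hit else None
```

Because load_rules rejects malformed XML, running it over local_rules.xml is a cheap check for editing slips before restarting, though OSSEC's own parser has the final word.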
