I have one ossec server that should monitor our whole network, but ignore certain alarms for machines on certain subnets. The first thing I tried was using only srcip, but when that did not help, I tried match and regex as well, to no avail.

As far as I can tell, the source IP is not decoded by this rule (503 - one of the official ossec rules), so srcip cannot be used.

I guess I could modify the official ossec rules instead of trying to override from local_rules.xml, but I'd rather not since it makes it more difficult to update in the future.

A solution to this would be greatly appreciated!


On 3/3/2011 7:41 PM, Jeremy Lee wrote:
Ah I didn't realize at first that you were trying to ignore an entire subnet. It's making more sense now. So the machine actually reporting the alert is monitoring the subnet?

Did you reference this? http://www.ossec.net/wiki/Know_How:Ignore_Rules#Ignoring_a_specific_IP

Maybe try with just srcip and with just match but not both together.



On Thu, Mar 3, 2011 at 5:45 PM, Lars Oberg <[email protected]> wrote:

    Okay just tried that, but did not help (and hostname would've been
    cumbersome to use to specify a whole subnet).

    Other suggestions?  I really need a solution to this.



    On 3/3/2011 5:10 PM, Jeremy Lee wrote:
    Try using the <hostname> attribute instead of match and srcip.

    On Thu, Mar 3, 2011 at 4:19 PM, Lars <[email protected]> wrote:

        I just installed ossec for the first time, and I'm getting certain
        e-mail alerts that I cannot seem to figure out how to stop.

        ------ Here is one of the alerts:
        OSSEC HIDS Notification.
        2011 Mar 03 13:46:25

        Received From: (pos-vm) 10.1.1.152->ossec
        Rule: 503 fired (level 3) -> "Ossec agent started."
        Portion of the log(s):

        ossec: Agent started: 'pos-vm->10.1.1.152'.



         --END OF NOTIFICATION

        ------ Here is the rule I added to local_rules.xml:
        <rule id="100201" level="2">
          <if_sid>503</if_sid>
          <match>10.1.1.152</match>
          <srcip>10.1.1.152</srcip>
          <options>no_email_alert</options>
          <description>No e-mail alerts when work stations start up.</description>
        </rule>

        I have restarted ossec on the server and there are no error messages
        or warnings, but when I reboot 10.1.1.152, I still get the alert
        e-mail.  I originally tried with srcip, but since that field isn't
        decoded by this rule, I also added match, but that didn't work either
        (and what I really need is probably regex, since I need to exclude a
        large number of workstations).

        Some background: I have about 100 Linux workstations that are only
        used day-time, so they are shut down every evening and turned back on
        again every morning.  These are perfectly normal events, and I do not
        want to get flooded with e-mails every time it happens.

        ------ Here is an entry from the alert log:
        ** Alert 1299196351.188961: mail  - ossec,
        2011 Mar 03 15:52:31 (pos-vm) 10.1.1.152->ossec
        Rule: 503 (level 3) -> 'Ossec agent started.'
        Src IP: (none)
        User: (none)
        ossec: Agent started: 'pos-vm->10.1.1.152'.

        What do I need to do to solve this?

        Thanks,
        Lars
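An added example (not posted by anyone in this thread) of a local_rules.xml override for the situation above: since the alert shows "Src IP: (none)", the rule matches the subnet in the "Agent started" log text using OSSEC's own regex syntax, where "." is a literal dot, "\d+" is a run of digits, "\S+" is a run of non-space characters and "|" separates whole alternative patterns. It assumes OSSEC's XML parser accepts the "->" literal inside the element body and that the <time> range format hh:mm-hh:mm is accepted.

```xml
<group name="local,ossec,">
  <!-- Added example: stop the e-mail for "Agent started" (rule 503) from
       workstations on 10.1.1.0/24 and 10.1.2.0/24, matched in the log text
       rather than via srcip (which is not decoded for this event).
       The alert keeps level 3, so it is still written to alerts.log and
       can be reviewed; only the e-mail is suppressed. -->
  <rule id="100201" level="3">
    <if_sid>503</if_sid>
    <regex>Agent started: '\S+->10.1.1.\d+'|Agent started: '\S+->10.1.2.\d+'</regex>
    <options>no_email_alert</options>
    <description>Workstation agent started; logged, no e-mail.</description>
  </rule>

  <!-- Optional tightening (assumed time format hh:mm-hh:mm): adding
         <time>06:00-09:00</time>
       to the rule above limits the suppression to the morning start-up
       window. An agent restart on a workstation at any other hour then
       still e-mails through rule 503, which is worth a look because it
       can mean the host was rebooted or the agent was stopped unexpectedly. -->
</group>
```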




