Maybe something like...
 
<rule id="100201" level="2">
  <if_sid>503</if_sid>
  <regex>Agent started: '\S+->10.1.1.\d+'</regex>
  <options>no_email_alert</options>
  <description>No email alerts when workstations start up.</description>
</rule>


  _____  

   From: Lars Oberg [mailto:[email protected]] 
   Sent: Friday, March 04, 2011 12:07 AM
   To: [email protected]
   Subject: Re: [ossec-list] Preventing e-mail alerts for certain hosts/IPs
   
   

   I have one ossec server that should monitor our whole network, but
   ignore certain alarms for machines on certain subnets. The first
   thing I tried was using only srcip, but when that did not help, I
   tried match and regex as well, to no avail.  
   
   As far as I can tell, the source IP is not decoded by this rule (503,
   one of the official ossec rules), so srcip cannot be used.
   
   I guess I could modify the official ossec rules instead of trying to
   override from local_rules.xml, but I'd rather not since it makes it
   more difficult to update in the future.
   
   A solution to this would be greatly appreciated!
   
   
   On 3/3/2011 7:41 PM, Jeremy Lee wrote: 

      Ah I didn't realize at first that you were trying to ignore an
      entire subnet. It's making more sense now. So the machine actually
      reporting the alert is monitoring the subnet? 

      Did you reference this?
      http://www.ossec.net/wiki/Know_How:Ignore_Rules#Ignoring_a_specific_IP

      Maybe try with just srcip and with just match but not both
      together.



      On Thu, Mar 3, 2011 at 5:45 PM, Lars Oberg
      <[email protected]> wrote:
      

         Okay just tried that, but did not help (and hostname would've
         been cumbersome to use to specify a whole subnet).
         
         Other suggestions?  I really need a solution to this. 



         On 3/3/2011 5:10 PM, Jeremy Lee wrote: 

            try using the <hostname> attribute instead of match and
            srcip. 
            
            
            On Thu, Mar 3, 2011 at 4:19 PM, Lars
            <[email protected]> wrote:
            

               I just installed ossec for the first time, and I'm getting
               certain e-mail alerts that I cannot seem to figure out how
               to stop.
               
               ------ Here is one of the alerts:
               OSSEC HIDS Notification.
               2011 Mar 03 13:46:25
               
               Received From: (pos-vm) 10.1.1.152->ossec
               Rule: 503 fired (level 3) -> "Ossec agent started."
               Portion of the log(s):
               
               ossec: Agent started: 'pos-vm->10.1.1.152'.
               
               
               
                --END OF NOTIFICATION
               
               ------ Here is the rule I added to local_rules.xml:
               <rule id="100201" level="2">
                 <if_sid>503</if_sid>
                 <match>10.1.1.152</match>
                 <srcip>10.1.1.152</srcip>
                 <options>no_email_alert</options>
                 <description>No e-mail alerts when workstations start up.</description>
               </rule>
               
               I have restarted ossec on the server and there are no
               error messages or warnings, but when I reboot 10.1.1.152,
               I still get the alert e-mail.  I originally tried with
               srcip, but since that field isn't decoded by this rule, I
               also added match, but that didn't work either (and what I
               really need is probably regex, since I need to exclude a
               large number of workstations).
               
               Some background: I have about 100 Linux workstations that
               are only used day-time, so they are shut down every
               evening and turned back on again every morning.  These
               are perfectly normal events, and I do not want to get
               flooded with e-mails every time it happens.
               
               ------ Here is an entry from the alert log:
               ** Alert 1299196351.188961: mail  - ossec,
               2011 Mar 03 15:52:31 (pos-vm) 10.1.1.152->ossec
               Rule: 503 (level 3) -> 'Ossec agent started.'
               Src IP: (none)
               User: (none)
               ossec: Agent started: 'pos-vm->10.1.1.152'.
               
               What do I need to do to solve this?
               
               Thanks,
               Lars





   


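An added example, not code from the thread or from the OSSEC project: a small Python emulator of the two OSSEC pattern types (<match> and <regex>) and of the way a child rule ANDs its <match>, <regex> and <srcip> conditions, run over constructed "Agent started" lines. It shows why the first rule posted (match plus srcip) can never fire when rule 503 decodes no source IP ("Src IP: (none)" in the alert log), while the regex-only subnet rule fires for 10.1.1.0/24 hosts and not for others. The character-class table follows the OSSEC regex syntax documentation, including the gotcha that a plain "." is a literal dot and "\." means any character. The emulator, its function names and the sample log lines are assumptions of this example, and Python's backtracking engine stands in for os_regex, so the final rule should still be checked with ossec-logtest on the server.

```python
import re

# Added example, not code from the thread: an offline emulator of the
# OSSEC <match>/<regex> pattern types and of child-rule evaluation.
# Character classes follow the OSSEC/Wazuh regex syntax documentation;
# Python's backtracking engine stands in for os_regex (assumption), so
# confirm the final rule with ossec-logtest on the server.

# <regex> character classes (OSSEC syntax -> Python re). Note the inversion
# relative to PCRE: a plain "." is a literal dot, and "\." means any char.
OSSEC_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]",   # \w: A-Z, a-z, 0-9, '-', '@', '_'
    "d": r"[0-9]",             # \d: digits
    "s": r" ",                 # \s: a single space
    "t": r"\t",                # \t: a tab
    "p": r"[()*+,\-.:;<=>?\[\]!\"'#$%&|{}]",  # \p: punctuation
    "W": r"[^A-Za-z0-9@_\-]",
    "D": r"[^0-9]",
    "S": r"[^ ]",              # \S: anything but a space
    ".": r".",                 # \.: any character
}


def ossec_regex_to_python(pattern):
    """Translate an OSSEC <regex> pattern into an equivalent Python regex."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 1
            if i == len(pattern):
                raise ValueError("pattern ends with a lone backslash")
            esc = pattern[i]
            # a known class, otherwise an escaped literal such as \( \$ \|
            out.append(OSSEC_CLASSES.get(esc, re.escape(esc)))
        elif c in "+*^$|()":
            out.append(c)             # same meaning in OSSEC and Python
        else:
            out.append(re.escape(c))  # every other character is literal
        i += 1
    return "".join(out)


def regex_matches(pattern, log_line):
    """True if an OSSEC <regex> would match this log line (unanchored search)."""
    return re.search(ossec_regex_to_python(pattern), log_line) is not None


def match_matches(pattern, log_line):
    """Emulate OSSEC <match>, which uses the simpler 'sregex': a literal
    substring test where only ^, $ and | are special."""
    for alt in pattern.split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        body = alt[1 if at_start else 0:len(alt) - 1 if at_end else len(alt)]
        if at_start and at_end:
            hit = log_line == body
        elif at_start:
            hit = log_line.startswith(body)
        elif at_end:
            hit = log_line.endswith(body)
        else:
            hit = body in log_line
        if hit:
            return True
    return False


def child_rule_fires(rule, event):
    """Evaluate a child rule's conditions the way OSSEC does: every
    <match>, <regex> and <srcip> present must hold (they are ANDed).
    event["srcip"] is None when the parent rule's decoder extracts no
    source IP, which is what "Src IP: (none)" in the alert log means."""
    if "srcip" in rule and event.get("srcip") != rule["srcip"]:
        return False
    if "match" in rule and not match_matches(rule["match"], event["log"]):
        return False
    if "regex" in rule and not regex_matches(rule["regex"], event["log"]):
        return False
    return True


def suppressed(rule, log_lines):
    """Return the log lines the rule fires on (with no_email_alert, these
    are the agent startups that would no longer generate mail)."""
    return [line for line in log_lines
            if child_rule_fires(rule, {"log": line, "srcip": None})]


# Constructed sample log lines (not from the thread), as rule 503 sees them.
SAMPLE_LOGS = [
    "ossec: Agent started: 'pos-vm->10.1.1.152'.",
    "ossec: Agent started: 'ws-042->10.1.1.42'.",
    "ossec: Agent started: 'dbserver->10.1.2.20'.",
    "ossec: Agent started: 'web01->10.10.1.5'.",
]

# The first rule posted: match + srcip. Rule 503 decodes no srcip, so the
# srcip condition can never hold and the child rule never fires.
OP_RULE = {"match": "10.1.1.152", "srcip": "10.1.1.152"}

# The regex-only subnet rule from the top of the thread.
SUBNET_RULE = {"regex": r"Agent started: '\S+->10.1.1.\d+'"}

if __name__ == "__main__":
    print("match+srcip rule fires on:", suppressed(OP_RULE, SAMPLE_LOGS))
    print("subnet regex rule fires on:", suppressed(SUBNET_RULE, SAMPLE_LOGS))
```

Running the block prints the lines each rule would fire on: none for the match-plus-srcip rule, and only the two 10.1.1.x startups for the regex rule. The same pattern can be checked on a live server by piping one of the sample lines into ossec-logtest and looking at which rule id is reported.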