Or maybe try modifying the decoder.xml file to properly read the source IP?
On Fri, Mar 4, 2011 at 7:16 AM, Nate Woodward <[email protected]> wrote:

> Maybe something like...
>
> <rule id="100201" level="2">
>   <if_sid>503</if_sid>
>   <regex>Agent started: '\S+->10.1.1.\d+'</regex>
>   <options>no_email_alert</options>
>   <description>No email alerts when workstations start up.</description>
> </rule>
>
> ------------------------------
> *From:* Lars Oberg [mailto:[email protected]]
> *Sent:* Friday, March 04, 2011 12:07 AM
> *To:* [email protected]
> *Subject:* Re: [ossec-list] Preventing e-mail alerts for certain hosts/IPs
>
> I have one ossec server that should monitor our whole network, but ignore certain alarms for machines on certain subnets. The first thing I tried was using only srcip, but when that did not help, I tried match and regex as well, to no avail.
>
> As far as I can tell, the source IP is not decoded by this rule (503 - one of the official ossec rules), so srcip cannot be used.
>
> I guess I could modify the official ossec rules instead of trying to override from local_rules.xml, but I'd rather not since it makes it more difficult to update in the future.
>
> A solution to this would be greatly appreciated!
>
>
> On 3/3/2011 7:41 PM, Jeremy Lee wrote:
>
> Ah I didn't realize at first that you were trying to ignore an entire subnet. It's making more sense now. So the machine actually reporting the alert is monitoring the subnet?
>
> Did you reference this?
> http://www.ossec.net/wiki/Know_How:Ignore_Rules#Ignoring_a_specific_IP
>
> Maybe try with just srcip and with just match but not both together.
>
>
> On Thu, Mar 3, 2011 at 5:45 PM, Lars Oberg <[email protected]> wrote:
>
>> Okay just tried that, but did not help (and hostname would've been cumbersome to use to specify a whole subnet).
>>
>> Other suggestions? I really need a solution to this.
>>
>>
>> On 3/3/2011 5:10 PM, Jeremy Lee wrote:
>>
>> try using the <hostname> attribute instead of match and srcip.
>>
>> On Thu, Mar 3, 2011 at 4:19 PM, Lars <[email protected]> wrote:
>>
>>> I just installed ossec for the first time, and I'm getting certain e-mail alerts that I cannot seem to figure out how to stop.
>>>
>>> ------ Here is one of the alerts:
>>> OSSEC HIDS Notification.
>>> 2011 Mar 03 13:46:25
>>>
>>> Received From: (pos-vm) 10.1.1.152->ossec
>>> Rule: 503 fired (level 3) -> "Ossec agent started."
>>> Portion of the log(s):
>>>
>>> ossec: Agent started: 'pos-vm->10.1.1.152'.
>>>
>>> --END OF NOTIFICATION
>>>
>>> ------ Here is the rule I added to local_rules.xml:
>>> <rule id="100201" level="2">
>>>   <if_sid>503</if_sid>
>>>   <match>10.1.1.152</match>
>>>   <srcip>10.1.1.152</srcip>
>>>   <options>no_email_alert</options>
>>>   <description>No e-mail alerts when work stations start up.</description>
>>> </rule>
>>>
>>> I have restarted ossec on the server and there are no error messages or warnings, but when I reboot 10.1.1.152, I still get the alert e-mail. I originally tried with srcip, but since that field isn't decoded by this rule, I also added match, but that didn't work either (and what I really need is probably regex, since I need to exclude a large number of workstations).
>>>
>>> Some background: I have about 100 Linux workstations that are only used day-time, so they are shut down every evening and turned back on again every morning. These are perfectly normal events, and I do not want to get flooded with e-mails every time it happens.
>>>
>>> ------ Here is an entry from the alert log:
>>> ** Alert 1299196351.188961: mail - ossec,
>>> 2011 Mar 03 15:52:31 (pos-vm) 10.1.1.152->ossec
>>> Rule: 503 (level 3) -> 'Ossec agent started.'
>>> Src IP: (none)
>>> User: (none)
>>> ossec: Agent started: 'pos-vm->10.1.1.152'.
>>>
>>> What do I need to do to solve this?
>>>
>>> Thanks,
>>> Lars
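An added example, not code from the thread or from OSSEC: it runs the suppression logic the thread is trying to express over constructed alert-log entries in the format Lars posted. Because "Src IP: (none)" for rule 503, the address has to be pulled out of the "Agent started" message itself (which is what Nate's regex and a decoder change both do); the 10.1.1.0/24 subnet and the second sample host are assumptions.

```python
import ipaddress
import re

# Constructed sample alert-log entries in the format shown in the thread.
# "Src IP: (none)" is the crux: rule 503's decoder does not fill srcip,
# so <srcip> can never match and the address must come from the message.
SAMPLE_ALERTS = """\
** Alert 1299196351.188961: mail - ossec,
2011 Mar 03 15:52:31 (pos-vm) 10.1.1.152->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
Src IP: (none)
User: (none)
ossec: Agent started: 'pos-vm->10.1.1.152'.

** Alert 1299196400.190000: mail - ossec,
2011 Mar 03 15:53:20 (db-server) 10.1.2.20->ossec
Rule: 503 (level 3) -> 'Ossec agent started.'
Src IP: (none)
User: (none)
ossec: Agent started: 'db-server->10.1.2.20'.
"""

# Assumed workstation subnet (the 10.1.1.x range that Nate's regex targets).
QUIET_SUBNETS = [ipaddress.ip_network("10.1.1.0/24")]

# Pull agent name and IP out of the "Agent started" message itself.
AGENT_STARTED = re.compile(r"Agent started: '(?P<agent>[^'>]+)->(?P<ip>[\d.]+)'")

# Nate's <regex> translated to Python syntax, dots escaped so they are literal.
NATE_REGEX = re.compile(r"Agent started: '\S+->10\.1\.1\.\d+'")

def parse_alerts(text):
    """Yield (rule_id, agent, ip, message) for each entry in an alerts.log dump."""
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        rule = re.search(r"^Rule: (\d+)", block, re.M)
        hit = AGENT_STARTED.search(block)
        if rule and hit:
            yield int(rule.group(1)), hit.group("agent"), hit.group("ip"), hit.group(0)

def should_email(rule_id, ip):
    """Subnet-based version of the suppression: 503 from a quiet subnet -> no mail."""
    addr = ipaddress.ip_address(ip)
    return not (rule_id == 503 and any(addr in net for net in QUIET_SUBNETS))

def triage(text=SAMPLE_ALERTS):
    """Map agent -> (subnet check says send mail?, Nate's regex matches?)."""
    return {agent: (should_email(rid, ip), bool(NATE_REGEX.search(msg)))
            for rid, agent, ip, msg in parse_alerts(text)}
```

Any other rule id, or a 503 from outside the quiet subnet, still results in mail, which is the behaviour the ignore rule should preserve.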
