Actually, it does - I tested the RegEx against the email alert, and it
matches. But I tested with PCRE regex. Is there a different flavor of
regex I need to use?
Also, if the regex is not correct, how come the other rule (100201) fires?
On 3/4/2011 2:05 PM, dan (ddp) wrote:
The log message in 5113 does not appear to contain an IP address:
"Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating."
A regex for an IP would not match that log message.
On Fri, Mar 4, 2011 at 4:57 PM, Lars Oberg <[email protected]> wrote:
I have a rule for which I cannot seem to disable the email alerts. Since
SrcIp is not decoded for this rule, I am using a regex. Below is my
local_rules.xml file (only 2 rules). The rule that doesn't fire is 100200,
but the strange thing is that the rule below it (100201) is firing just
fine, using the exact same regex to match on the IP address of the workstation
I'm testing on.
This is very confusing to me, but I am new to ossec, so I am hopefully just
overlooking something simple.
Below is also the e-mail notification I am trying to suppress as well as the
contents of the alert log.
What am I missing?
----- local_rules.xml -----
<group name="local,syslog,">
  <rule id="100200" level="2">
    <if_sid>5113</if_sid>
    <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
    <options>no_email_alert</options>
    <description>No e-mail alerts for work stations shutting down.</description>
  </rule>
  <rule id="100201" level="2">
    <if_sid>503</if_sid>
    <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
    <options>no_email_alert</options>
    <description>No email alerts when work stations start up.</description>
  </rule>
</group> <!-- SYSLOG,LOCAL -->
----- Email -----
OSSEC HIDS Notification.
2011 Mar 04 12:47:56
Received From: (785) 10.1.3.4->/var/log/messages
Rule: 5113 fired (level 7) -> "System is shutting down."
Portion of the log(s):
Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating.
--END OF NOTIFICATION
----- Alert log (notice that 5113 fires, instead of 100200) -----
** Alert 1299272104.152207: mail - syslog,linuxkernel,system_shutdown,
2011 Mar 04 12:55:04 (785) 10.1.3.4->/var/log/messages
Rule: 5113 (level 7) -> 'System is shutting down.'
Src IP: (none)
User: (none)
Mar 4 12:55:03 l785 kernel: Kernel log daemon terminating.
** Alert 1299272227.153206: - local,syslog,
2011 Mar 04 12:57:07 (785) 10.1.3.4->ossec
Rule: 100201 (level 2) -> 'No email alerts when POS stations start up.'
Src IP: (none)
User: (none)
ossec: Agent started: '785->10.1.3.4'.
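Added illustration, not part of the thread above: the script below runs the rule's pattern against constructed copies of the three texts that appear in the messages (the full e-mail notification, the bare kernel log line behind rule 5113, and the "Agent started" line behind rule 503). It uses Python's re module as a stand-in for OSSEC's own OS_Regex engine; the assumption, stated here and in the comments, is that for a pattern built only from literals, \., \d, *, ( ), and | the two engines agree, and only OSSEC itself is authoritative. The point it demonstrates is that a child rule's <regex> is evaluated against the log body, not against the alert header that carries the agent's IP, and as a caveat it also shows what the unescaped dots in the second alternative let through.

```python
import re

# Constructed copies of the texts quoted in the thread.
# The e-mail notification includes the "Received From" header with the agent IP.
EMAIL_NOTIFICATION = """OSSEC HIDS Notification.
2011 Mar 04 12:47:56
Received From: (785) 10.1.3.4->/var/log/messages
Rule: 5113 fired (level 7) -> "System is shutting down."
Portion of the log(s):
Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating.
--END OF NOTIFICATION"""

# The log bodies a child rule's <regex> is actually evaluated against.
SHUTDOWN_LOG = "Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating."
AGENT_START_LOG = "ossec: Agent started: '785->10.1.3.4'."

# Pattern as written in rules 100200 and 100201. Assumption: Python's re and
# OSSEC's OS_Regex agree for this pattern (both support \., \d, *, ( ) and |).
WORKSTATION_RE = re.compile(r"(10\.\d*\.3\.\d*)|(10.1.1.152)")

# Same intent with the dots in the second alternative escaped, so that
# "10.1.1.152" matches only that address and not any ten-character lookalike.
WORKSTATION_RE_FIXED = re.compile(r"(10\.\d*\.3\.\d*)|(10\.1\.1\.152)")

# Hypothetical map from parent rule id to the log body OSSEC would hand to a
# child rule that carries an <if_sid> on it (constructed from the thread).
PARENT_LOG_BODIES = {
    "5113": SHUTDOWN_LOG,      # child rule 100200 sits under 5113
    "503": AGENT_START_LOG,    # child rule 100201 sits under 503
}


def would_match(pattern: re.Pattern, text: str) -> bool:
    """True if the rule's <regex> finds a match anywhere in the given text."""
    return pattern.search(text) is not None


def child_rules_that_fire(pattern: re.Pattern) -> list:
    """Return the parent rule ids whose log body satisfies the child regex.

    This models why 100201 (under 503) fires while 100200 (under 5113) does
    not: only the 503 log body carries the workstation's IP address.
    """
    return [sid for sid, body in PARENT_LOG_BODIES.items()
            if would_match(pattern, body)]


def overmatch_examples(loose: re.Pattern, strict: re.Pattern, samples: list) -> list:
    """Strings accepted by the unescaped pattern but rejected by the escaped one."""
    return [s for s in samples
            if would_match(loose, s) and not would_match(strict, s)]


if __name__ == "__main__":
    # Testing against the e-mail succeeds because the header contains the IP.
    print("e-mail notification matches:", would_match(WORKSTATION_RE, EMAIL_NOTIFICATION))
    # The kernel log body behind 5113 has no IP at all, so 100200 cannot match.
    print("5113 log body matches:", would_match(WORKSTATION_RE, SHUTDOWN_LOG))
    # The agent-start line behind 503 does contain it, so 100201 matches.
    print("503 log body matches:", would_match(WORKSTATION_RE, AGENT_START_LOG))
    print("parents whose child rule fires:", child_rules_that_fire(WORKSTATION_RE))
    # Constructed lookalike that the unescaped dots accept.
    print("overmatches:", overmatch_examples(
        WORKSTATION_RE, WORKSTATION_RE_FIXED, ["10x1y1z152 logged in", "10.1.1.152 up"]))
```

Testing a rule's regex by pasting the whole e-mail into a regex tester is what makes the pattern look correct: the "Received From: (785) 10.1.3.4" line satisfies it even though the log portion does not. The escaped variant is a separate caveat; it does not change which of the two rules fires.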