Hi Lars,

On Fri, Mar 4, 2011 at 5:54 PM, Lars Oberg <[email protected]> wrote:
> Actually, it does - I tested the RegEx against the email alert, and it
> matches. But I tested with PCRE regex. Is there a different flavor regex I
> need to use?
>

The OSSEC regex. http://www.ossec.net/doc/syntax/regex.html

> Also, if the regex is not correct, how come the other rule (100201) fires?
>

100201 deals with the log message:
"ossec: Agent started: '785->10.1.3.4'."
That log message contains an IP address.

100200 deals with the log message:
"Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating."
That log message does not contain an IP address.

> On 3/4/2011 2:05 PM, dan (ddp) wrote:
>>
>> The log message in 5113 does not appear to contain an IP address:
>> "Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating."
>>
>> A regex for an IP would not match that log message.
>>
>> On Fri, Mar 4, 2011 at 4:57 PM, Lars Oberg <[email protected]> wrote:
>>>
>>> I have a rule for which I cannot seem to disable the email alerts. Since
>>> SrcIp is not decoded for this rule, I am using a regex. Below is my
>>> local_rules.xml file (only 2 rules). The rule that doesn't fire is 100200,
>>> but the strange thing is that the rule below it (100201) is firing just
>>> fine, using the exact same regex to match on the IP address of the
>>> workstation I'm testing on.
>>>
>>> This is very confusing to me, but I am new to ossec, so I am hopefully
>>> just overlooking something simple.
>>>
>>> Below is also the e-mail notification I am trying to suppress as well as
>>> the contents of the alert log.
>>>
>>> What am I missing?
>>>
>>>
>>> ----- local_rules.xml -----
>>> <group name="local,syslog,">
>>>
>>>   <rule id="100200" level="2">
>>>     <if_sid>5113</if_sid>
>>>     <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
>>>     <options>no_email_alert</options>
>>>     <description>No e-mail alerts for work stations shutting down.</description>
>>>   </rule>
>>>
>>>   <rule id="100201" level="2">
>>>     <if_sid>503</if_sid>
>>>     <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
>>>     <options>no_email_alert</options>
>>>     <description>No email alerts when work stations start up.</description>
>>>   </rule>
>>>
>>> </group> <!-- SYSLOG,LOCAL -->
>>>
>>>
>>> ----- Email -----
>>> OSSEC HIDS Notification.
>>> 2011 Mar 04 12:47:56
>>>
>>> Received From: (785) 10.1.3.4->/var/log/messages
>>> Rule: 5113 fired (level 7) -> "System is shutting down."
>>> Portion of the log(s):
>>>
>>> Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating.
>>>
>>> --END OF NOTIFICATION
>>>
>>>
>>> ----- Alert log (notice that 5113 fires, instead of 100200) -----
>>> ** Alert 1299272104.152207: mail - syslog,linuxkernel,system_shutdown,
>>> 2011 Mar 04 12:55:04 (785) 10.1.3.4->/var/log/messages
>>> Rule: 5113 (level 7) -> 'System is shutting down.'
>>> Src IP: (none)
>>> User: (none)
>>> Mar 4 12:55:03 l785 kernel: Kernel log daemon terminating.
>>>
>>>
>>> ** Alert 1299272227.153206: - local,syslog,
>>> 2011 Mar 04 12:57:07 (785) 10.1.3.4->ossec
>>> Rule: 100201 (level 2) -> 'No email alerts when POS stations start up.'
>>> Src IP: (none)
>>> User: (none)
>>> ossec: Agent started: '785->10.1.3.4'.
>>>
>>>
>>>
>
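The mismatch dan points out can be reproduced outside OSSEC. The following is an added example, not code from the thread or from the OSSEC project: it takes the `<regex>` exactly as posted and runs it, with Python's PCRE-like `re` module (the flavour Lars said he tested with, not OSSEC's own engine), over a constructed copy of the e-mail notification quoted above, over the bare kernel log line, and over the "Agent started" line. Matching against the whole e-mail succeeds only because of the "Received From: (785) 10.1.3.4" header that OSSEC adds; the log portion that the rule actually sees contains no IP address, while the agent-start message does. The `log_portion` helper and its markers are assumptions based on the notification format shown in the thread.

```python
import re

# The regex exactly as it appears in the posted local_rules.xml.
# Note that the dots in the second alternative are unescaped, so in a
# PCRE-style engine "10.1.1.152" also matches e.g. "10x1y1z152".
RULE_REGEX = re.compile(r"(10\.\d*\.3\.\d*)|(10.1.1.152)")

# Constructed copy of the OSSEC e-mail notification quoted in the thread.
EMAIL_ALERT = """OSSEC HIDS Notification.
2011 Mar 04 12:47:56

Received From: (785) 10.1.3.4->/var/log/messages
Rule: 5113 fired (level 7) -> "System is shutting down."
Portion of the log(s):

Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating.

--END OF NOTIFICATION
"""

# The two raw log messages from the thread (constructed sample input).
SHUTDOWN_LOG = "Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating."
AGENT_START_LOG = "ossec: Agent started: '785->10.1.3.4'."


def ip_in_text(text):
    """Return the first substring RULE_REGEX matches in text, or None."""
    m = RULE_REGEX.search(text)
    return m.group(0) if m else None


def log_portion(notification):
    """Extract only the log line(s) from an OSSEC e-mail notification.

    Assumption: the body sits between 'Portion of the log(s):' and
    '--END OF NOTIFICATION', as in the notification quoted above. The
    'Received From' and 'Rule' header lines are metadata OSSEC adds when
    it mails the alert; they are not part of the event the rule matched.
    """
    start_marker = "Portion of the log(s):"
    end_marker = "--END OF NOTIFICATION"
    start = notification.index(start_marker) + len(start_marker)
    end = notification.index(end_marker)
    return notification[start:end].strip()


def where_does_it_match(notification):
    """Compare a match over the whole e-mail with one over the log body only.

    Testing against the whole mail reports a hit (from the header), while the
    log body alone, which is what a <regex> in a rule is evaluated against,
    does not.
    """
    return {
        "whole_email": ip_in_text(notification),
        "log_only": ip_in_text(log_portion(notification)),
    }


if __name__ == "__main__":
    print("whole e-mail:   ", ip_in_text(EMAIL_ALERT))
    print("log body only:  ", ip_in_text(log_portion(EMAIL_ALERT)))
    print("shutdown line:  ", ip_in_text(SHUTDOWN_LOG))
    print("agent-start line:", ip_in_text(AGENT_START_LOG))
```

When checking whether a rule's `<regex>` will fire, test it against the log line as it appears under "Portion of the log(s):" (or in the alert log after the "User:" line), not against the complete e-mail, whose header carries the agent's IP regardless of what the event contains.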
