If you need to enter multiple hostnames, the delimiter is "|". Let us know what you find.
On Fri, Mar 4, 2011 at 3:39 PM, Jeremy Lee <[email protected]> wrote:
> Not sure what you would modify in decoder.xml to get the 5100/5113 rules to
> pick up source IP... Because it seems like the 5100 base rule is not relying
> on a decoder but rather program_name - in this case "^kernel"
>
> In this scenario, I *think* you may need to utilize <hostname> (what I had
> suggested in your other thread). The drawback is that you'll have to add a
> long list of hostnames... because I'm assuming this is for all those Linux
> boxes you're monitoring, right?
>
> I'm not sure if you can use regex in the <hostname> attribute but it's not
> difficult to test. Especially with ossec-logtest.
>
> On Fri, Mar 4, 2011 at 3:24 PM, Lars Oberg <[email protected]> wrote:
>> Hi Dan,
>>
>> Thanks for clarifying that. If I understand you correctly: even though
>> the alert log shows the IP address, I cannot match on it using RegEx since
>> it is not part of the actual message body from syslog.
>>
>> Is there another way to suppress these e-mails, or do I have to mess with
>> the decoder, so that it decodes the source IP?
>>
>> Lars
>>
>> On 3/4/2011 2:59 PM, dan (ddp) wrote:
>>> Hi Lars,
>>>
>>> On Fri, Mar 4, 2011 at 5:54 PM, Lars Oberg <[email protected]> wrote:
>>>> Actually, it does - I tested the RegEx against the email alert, and it
>>>> matches. But I tested with PCRE regex. Is there a different flavor of
>>>> regex I need to use?
>>>
>>> The OSSEC regex. http://www.ossec.net/doc/syntax/regex.html
>>>
>>>> Also, if the regex is not correct, how come the other rule (100201)
>>>> fires?
>>>
>>> 100201 deals with the log message: "ossec: Agent started: '785->10.1.3.4'."
>>> That log message contains an IP address.
>>>
>>> 100200 deals with the log message: "Mar 4 12:47:55 l785 kernel:
>>> Kernel log daemon terminating."
>>> That log message does not contain an IP address.
>>>
>>>> On 3/4/2011 2:05 PM, dan (ddp) wrote:
>>>>> The log message in 5113 does not appear to contain an IP address:
>>>>> "Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating."
>>>>>
>>>>> A regex for an IP would not match that log message.
>>>>>
>>>>> On Fri, Mar 4, 2011 at 4:57 PM, Lars Oberg <[email protected]> wrote:
>>>>>> I have a rule for which I cannot seem to disable the email alerts. Since
>>>>>> SrcIp is not decoded for this rule, I am using a regex. Below is my
>>>>>> local_rules.xml file (only 2 rules). The rule that doesn't fire is 100200,
>>>>>> but the strange thing is that the rule below it (100201) is firing just
>>>>>> fine, using the exact same regex to match on the IP address of the
>>>>>> workstation I'm testing on.
>>>>>>
>>>>>> This is very confusing to me, but I am new to ossec, so I am hopefully
>>>>>> just overlooking something simple.
>>>>>>
>>>>>> Below is also the e-mail notification I am trying to suppress as well as
>>>>>> the contents of the alert log.
>>>>>>
>>>>>> What am I missing?
>>>>>>
>>>>>>
>>>>>> ----- local_rules.xml -----
>>>>>> <group name="local,syslog,">
>>>>>>
>>>>>>   <rule id="100200" level="2">
>>>>>>     <if_sid>5113</if_sid>
>>>>>>     <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
>>>>>>     <options>no_email_alert</options>
>>>>>>     <description>No e-mail alerts for work stations shutting down.</description>
>>>>>>   </rule>
>>>>>>
>>>>>>   <rule id="100201" level="2">
>>>>>>     <if_sid>503</if_sid>
>>>>>>     <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
>>>>>>     <options>no_email_alert</options>
>>>>>>     <description>No email alerts when work stations start up.</description>
>>>>>>   </rule>
>>>>>>
>>>>>> </group> <!-- SYSLOG,LOCAL -->
>>>>>>
>>>>>>
>>>>>> ----- Email -----
>>>>>> OSSEC HIDS Notification.
>>>>>> 2011 Mar 04 12:47:56
>>>>>>
>>>>>> Received From: (785) 10.1.3.4->/var/log/messages
>>>>>> Rule: 5113 fired (level 7) -> "System is shutting down."
>>>>>> Portion of the log(s):
>>>>>>
>>>>>> Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating.
>>>>>>
>>>>>> --END OF NOTIFICATION
>>>>>>
>>>>>>
>>>>>> ----- Alert log (notice that 5113 fires, instead of 100200) -----
>>>>>> ** Alert 1299272104.152207: mail - syslog,linuxkernel,system_shutdown,
>>>>>> 2011 Mar 04 12:55:04 (785) 10.1.3.4->/var/log/messages
>>>>>> Rule: 5113 (level 7) -> 'System is shutting down.'
>>>>>> Src IP: (none)
>>>>>> User: (none)
>>>>>> Mar 4 12:55:03 l785 kernel: Kernel log daemon terminating.
>>>>>>
>>>>>>
>>>>>> ** Alert 1299272227.153206: - local,syslog,
>>>>>> 2011 Mar 04 12:57:07 (785) 10.1.3.4->ossec
>>>>>> Rule: 100201 (level 2) -> 'No email alerts when POS stations start up.'
>>>>>> Src IP: (none)
>>>>>> User: (none)
>>>>>> ossec: Agent started: '785->10.1.3.4'.
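The following Python script is an added illustration and is not part of the thread or of OSSEC itself. It emulates, on the two log lines quoted above, why a child rule with `<regex>` can only match text that is in the log body (so 100201 fires on the "Agent started" line, which carries an IP, while 100200 never fires on the kernel line, which does not), and what a `<hostname>` list delimited with "|" would match instead. The regex is transcribed into Python's `re` dialect, and the `<hostname>` semantics (compare the "|"-separated list with the hostname field of the syslog header) are assumed for the emulation; the real behaviour is what ossec-logtest reports.

```python
import re

# Constructed sample events modelled on the two log lines quoted in the thread.
# OSSEC prints the agent's address in the alert header ("(785) 10.1.3.4->..."),
# but a rule's <regex> is evaluated against the raw log line only, so the
# header is kept in separate fields here to make that distinction visible.
EVENTS = [
    {   # the event that rule 5113 matched (child rule 100200 did not fire)
        "parent_sid": 5113, "agent_id": "785", "agent_ip": "10.1.3.4",
        "location": "/var/log/messages",
        "log": "Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating.",
    },
    {   # the event that rule 503 matched (child rule 100201 did fire)
        "parent_sid": 503, "agent_id": "785", "agent_ip": "10.1.3.4",
        "location": "ossec",
        "log": "ossec: Agent started: '785->10.1.3.4'.",
    },
]

# The <regex> from the poster's local_rules.xml, transcribed as a Python regex
# for this emulation (OSSEC has its own dialect; see the link in the thread).
# The dots of the second alternative are escaped here so that they are literal
# dots in Python; the poster's version left them unescaped.
IP_REGEX = re.compile(r"(10\.\d*\.3\.\d*)|(10\.1\.1\.152)")


def regex_rule_fires(event, parent_sid, pattern=IP_REGEX):
    """Emulate a child rule with <if_sid>parent_sid</if_sid> and <regex>.

    The pattern is searched in the log body only; the agent IP shown in the
    alert header is never consulted, which is why 100200 cannot fire.
    """
    if event["parent_sid"] != parent_sid:
        return False
    return pattern.search(event["log"]) is not None


# "Mon DD HH:MM:SS host " prefix of a BSD syslog line; group 1 is the host.
SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d (\S+) ")


def syslog_hostname(log):
    """Return the hostname field of a syslog-formatted line, or None."""
    m = SYSLOG_HEADER.match(log)
    return m.group(1) if m else None


def hostname_rule_fires(event, parent_sid, hostnames):
    """Emulate <hostname>l785|l786</hostname> on a child rule.

    Assumed semantics for this emulation: the '|'-delimited list is compared
    with the syslog hostname field, which the kernel log line does carry.
    """
    if event["parent_sid"] != parent_sid:
        return False
    host = syslog_hostname(event["log"])
    return host is not None and host in hostnames.split("|")


def evaluate(events=EVENTS):
    """Run the three checks discussed in the thread and report each result."""
    kernel_event, agent_event = events
    return {
        "100200 via <regex> on 5113": regex_rule_fires(kernel_event, 5113),
        "100201 via <regex> on 503": regex_rule_fires(agent_event, 503),
        "100200 via <hostname> on 5113": hostname_rule_fires(
            kernel_event, 5113, "l785|l786"),
    }


if __name__ == "__main__":
    for check, fired in evaluate().items():
        print(f"{check}: {'fires' if fired else 'does not fire'}")
```

Running the script prints that the regex variant of 100200 does not fire, the regex variant of 100201 does, and a hostname-based 100200 listing "l785|l786" does fire. The practical consequence for suppression rules: pick a field that the decoder actually exposes for the parent rule (here the syslog hostname), because a `<regex>` or `<srcip>` on a field that is absent from the decoded event silently never matches and the noisier parent rule keeps alerting.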
