Not sure what you would modify in decoder.xml to get the 5100/5113 rules to pick up the source IP... because it seems like the 5100 base rule is not relying on a decoder but rather on program_name - in this case "^kernel".
In this scenario, I *think* you may need to utilize <hostname> (what I had suggested in your other thread). The drawback is that you'll have to add a long list of hostnames... because I'm assuming this is for all those Linux boxes you're monitoring, right? I'm not sure if you can use regex in the <hostname> attribute, but it's not difficult to test, especially with ossec-logtest.

On Fri, Mar 4, 2011 at 3:24 PM, Lars Oberg <[email protected]> wrote:
> Hi Dan,
>
> Thanks for clarifying that. If I understand you correctly: even though the
> alert log shows the IP address, I cannot match on it using RegEx since it is
> not part of the actual message body from syslog.
>
> Is there another way to suppress these e-mails, or do I have to mess with
> the decoder so that it decodes the source IP?
>
> Lars
>
> On 3/4/2011 2:59 PM, dan (ddp) wrote:
>> Hi Lars,
>>
>> On Fri, Mar 4, 2011 at 5:54 PM, Lars Oberg <[email protected]> wrote:
>>> Actually, it does - I tested the RegEx against the email alert, and it
>>> matches. But I tested with PCRE regex. Is there a different flavor of
>>> regex I need to use?
>>
>> The OSSEC regex: http://www.ossec.net/doc/syntax/regex.html
>>
>>> Also, if the regex is not correct, how come the other rule (100201)
>>> fires?
>>
>> 100201 deals with the log message: "ossec: Agent started: '785->10.1.3.4'."
>> That log message contains an IP address.
>>
>> 100200 deals with the log message: "Mar 4 12:47:55 l785 kernel: Kernel log
>> daemon terminating."
>> That log message does not contain an IP address.
>>
>>> On 3/4/2011 2:05 PM, dan (ddp) wrote:
>>>> The log message in 5113 does not appear to contain an IP address:
>>>> "Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating."
>>>>
>>>> A regex for an IP would not match that log message.
>>>>
>>>> On Fri, Mar 4, 2011 at 4:57 PM, Lars Oberg <[email protected]> wrote:
>>>>> I have a rule for which I cannot seem to disable the email alerts. Since
>>>>> SrcIp is not decoded for this rule, I am using a regex. Below is my
>>>>> local_rules.xml file (only 2 rules). The rule that doesn't fire is 100200,
>>>>> but the strange thing is that the rule below it (100201) is firing just
>>>>> fine, using the exact same regex to match on the IP address of the
>>>>> workstation I'm testing on.
>>>>>
>>>>> This is very confusing to me, but I am new to ossec, so I am hopefully
>>>>> just overlooking something simple.
>>>>>
>>>>> Below is also the e-mail notification I am trying to suppress as well as
>>>>> the contents of the alert log.
>>>>>
>>>>> What am I missing?
>>>>>
>>>>>
>>>>> ----- local_rules.xml -----
>>>>> <group name="local,syslog,">
>>>>>
>>>>>   <rule id="100200" level="2">
>>>>>     <if_sid>5113</if_sid>
>>>>>     <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
>>>>>     <options>no_email_alert</options>
>>>>>     <description>No e-mail alerts for work stations shutting down.</description>
>>>>>   </rule>
>>>>>
>>>>>   <rule id="100201" level="2">
>>>>>     <if_sid>503</if_sid>
>>>>>     <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
>>>>>     <options>no_email_alert</options>
>>>>>     <description>No email alerts when work stations start up.</description>
>>>>>   </rule>
>>>>>
>>>>> </group> <!-- SYSLOG,LOCAL -->
>>>>>
>>>>>
>>>>> ----- Email -----
>>>>> OSSEC HIDS Notification.
>>>>> 2011 Mar 04 12:47:56
>>>>>
>>>>> Received From: (785) 10.1.3.4->/var/log/messages
>>>>> Rule: 5113 fired (level 7) -> "System is shutting down."
>>>>> Portion of the log(s):
>>>>>
>>>>> Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating.
>>>>>
>>>>> --END OF NOTIFICATION
>>>>>
>>>>>
>>>>> ----- Alert log (notice that 5113 fires, instead of 100200) -----
>>>>> ** Alert 1299272104.152207: mail - syslog,linuxkernel,system_shutdown,
>>>>> 2011 Mar 04 12:55:04 (785) 10.1.3.4->/var/log/messages
>>>>> Rule: 5113 (level 7) -> 'System is shutting down.'
>>>>> Src IP: (none)
>>>>> User: (none)
>>>>> Mar 4 12:55:03 l785 kernel: Kernel log daemon terminating.
>>>>>
>>>>>
>>>>> ** Alert 1299272227.153206: - local,syslog,
>>>>> 2011 Mar 04 12:57:07 (785) 10.1.3.4->ossec
>>>>> Rule: 100201 (level 2) -> 'No email alerts when POS stations start up.'
>>>>> Src IP: (none)
>>>>> User: (none)
>>>>> ossec: Agent started: '785->10.1.3.4'.
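Below is an added example of the <hostname> approach Dan describes, written for this page and not taken from the thread or from the OSSEC project. The key point from the alert log above is "Src IP: (none)": rule 5113 has no decoded srcip, so a child rule has to key on the syslog hostname field (l785 in the log line, not the agent name "(785)" in the alert header). The hostname l785 and rule 5113 are from the thread; the rule ids 100202/100203, the other host names and the pattern form "^l78|^l79" are assumptions. Whether <hostname> accepts a pattern at all is exactly the open question in Dan's reply, so the second rule is there to be verified with ossec-logtest, not relied on as-is.

```xml
<!-- local_rules.xml: added example, not the rules Lars posted.
     Both rules are children of 5113 ("System is shutting down.") and set
     no_email_alert, so the e-mail goes away for the listed hosts only;
     5113 keeps firing (and mailing) for every other host.
     Rule ids 100202/100203 are chosen so they do not collide with the
     100200/100201 rules already in the thread. -->
<group name="local,syslog,">

  <!-- One host per rule. l785 is the hostname from the thread's log line;
       copy the rule with a new id for each additional workstation. -->
  <rule id="100202" level="2">
    <if_sid>5113</if_sid>
    <hostname>l785</hostname>
    <options>no_email_alert</options>
    <description>No e-mail alerts for work station l785 shutting down.</description>
  </rule>

  <!-- Several hosts in one rule via an anchored pattern. Assumption: the
       hostname field takes the OSSEC sregex syntax (^ anchors the start,
       | means OR), which is what the thread leaves untested. Confirm with
       ossec-logtest before deploying; if it does not match, fall back to
       one literal-hostname rule per host as above. -->
  <rule id="100203" level="2">
    <if_sid>5113</if_sid>
    <hostname>^l78|^l79</hostname>
    <options>no_email_alert</options>
    <description>No e-mail alerts for l78x/l79x work stations shutting down.</description>
  </rule>

</group> <!-- SYSLOG,LOCAL -->
```

To check it the way Dan suggests, run /var/ossec/bin/ossec-logtest on the manager, paste the line "Mar 4 12:55:03 l785 kernel: Kernel log daemon terminating." from the alert log, and confirm the output reports rule 100202 (or 100203) at level 2 rather than 5113 at level 7. Then paste the same line with a hostname that is not covered and confirm 5113 still fires, so the suppression is as narrow as intended.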
