That's too bad. Maintaining that rule with about 100 hostnames will be too much work to be feasible, so I don't think I have a choice but to ignore the rule altogether.

At least I don't have to keep banging my head on this problem anymore.

Thanks for your help.

Lars

On 3/4/2011 3:44 PM, Jeremy Lee wrote:
If you need to enter multiple hostnames, the delimiter is "|"

Let us know what you find.

On Fri, Mar 4, 2011 at 3:39 PM, Jeremy Lee <[email protected]> wrote:

    Not sure what you would modify in decoder.xml to get the 5100/5113 rules to pick up the source IP... Because it seems like the 5100 base rule is not relying on a decoder but rather on program_name - in this case "^kernel".

    In this scenario, I *think* you may need to utilize <hostname> (what I had suggested in your other thread). The drawback is that you'll have to add a long list of hostnames... because I'm assuming this is for all those Linux boxes you're monitoring, right?

    I'm not sure if you can use regex in the <hostname> attribute, but it's not difficult to test, especially with ossec-logtest.



    On Fri, Mar 4, 2011 at 3:24 PM, Lars Oberg <[email protected]> wrote:

        Hi Dan,

        Thanks for clarifying that. If I understand you correctly: even though the alert log shows the IP address, I cannot match on it using RegEx since it is not part of the actual message body from syslog.

        Is there another way to suppress these e-mails, or do I have to mess with the decoder so that it decodes the source IP?

        Lars



        On 3/4/2011 2:59 PM, dan (ddp) wrote:

            Hi Lars,

            On Fri, Mar 4, 2011 at 5:54 PM, Lars Oberg <[email protected]> wrote:

                Actually, it does - I tested the RegEx against the email alert, and it matches. But I tested with PCRE regex. Is there a different flavor of regex I need to use?

            The OSSEC regex. http://www.ossec.net/doc/syntax/regex.html

                Also, if the regex is not correct, how come the other rule (100201) fires?

            100201 deals with the log message: "ossec: Agent started: '785->10.1.3.4'."
            That log message contains an IP address.

            100200 deals with the log message: "Mar  4 12:47:55 l785 kernel: Kernel log daemon terminating."
            That log message does not contain an IP address.

                On 3/4/2011 2:05 PM, dan (ddp) wrote:

                    The log message in 5113 does not appear to contain an IP address: "Mar  4 12:47:55 l785 kernel: Kernel log daemon terminating."

                    A regex for an IP would not match that log message.

                    On Fri, Mar 4, 2011 at 4:57 PM, Lars Oberg <[email protected]> wrote:

                        I have a rule for which I cannot seem to disable the email alerts. Since SrcIp is not decoded for this rule, I am using a regex. Below is my local_rules.xml file (only 2 rules). The rule that doesn't fire is 100200, but the strange thing is that the rule below it (100201) is firing just fine, using the exact same regex to match on the IP address of the workstation I'm testing on.

                        This is very confusing to me, but I am new to ossec, so I am hopefully just overlooking something simple.

                        Below is also the e-mail notification I am trying to suppress, as well as the contents of the alert log.

                        What am I missing?


                        ----- local_rules.xml -----
                        <group name="local,syslog,">

                          <rule id="100200" level="2">
                            <if_sid>5113</if_sid>
                            <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
                            <options>no_email_alert</options>
                            <description>No e-mail alerts for work stations shutting down.</description>
                          </rule>

                          <rule id="100201" level="2">
                            <if_sid>503</if_sid>
                            <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
                            <options>no_email_alert</options>
                            <description>No email alerts when work stations start up.</description>
                          </rule>

                        </group> <!-- SYSLOG,LOCAL -->


                        ----- Email -----
                        OSSEC HIDS Notification.
                        2011 Mar 04 12:47:56

                        Received From: (785) 10.1.3.4->/var/log/messages
                        Rule: 5113 fired (level 7) -> "System is shutting down."
                        Portion of the log(s):

                        Mar  4 12:47:55 l785 kernel: Kernel log daemon terminating.

                         --END OF NOTIFICATION



                        ----- Alert log (notice that 5113 fires, instead of 100200) -----
                        ** Alert 1299272104.152207: mail  - syslog,linuxkernel,system_shutdown,
                        2011 Mar 04 12:55:04 (785) 10.1.3.4->/var/log/messages
                        Rule: 5113 (level 7) -> 'System is shutting down.'
                        Src IP: (none)
                        User: (none)
                        Mar  4 12:55:03 l785 kernel: Kernel log daemon terminating.


                        ** Alert 1299272227.153206: - local,syslog,
                        2011 Mar 04 12:57:07 (785) 10.1.3.4->ossec
                        Rule: 100201 (level 2) -> 'No email alerts when POS stations start up.'
                        Src IP: (none)
                        User: (none)
                        ossec: Agent started: '785->10.1.3.4'.
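An added example, not posted by anyone in this thread: rule 100200 rewritten to use the `<hostname>` element with the `|` delimiter Jeremy mentions, instead of a `<regex>` that can never match because the source IP appears only in the alert header and not in the syslog line that rules are matched against. It assumes that `<hostname>` is compared against the hostname field of the decoded log (`l785` in the alerts above, which `ossec-logtest` prints as `hostname:` in its phase 1 output) using OSSEC's sregex syntax, where `^` anchors the start of the value and `|` separates alternatives; the hostnames `l786` and `l787` and the `l7` prefix are constructed for illustration.

```xml
<group name="local,syslog,">

  <!-- Added example: suppress shutdown e-mails for an explicit list of
       workstations. Hostnames other than l785 are constructed here. -->
  <rule id="100200" level="2">
    <if_sid>5113</if_sid>
    <hostname>l785|l786|l787</hostname>
    <options>no_email_alert</options>
    <description>No e-mail alerts for listed workstations shutting down.</description>
  </rule>

  <!-- Same effect with a prefix instead of a list. Assumes sregex "^" is
       honoured in <hostname> and that every workstation name starts with l7;
       use either this rule or the one above, not both. -->
  <rule id="100202" level="2">
    <if_sid>5113</if_sid>
    <hostname>^l7</hostname>
    <options>no_email_alert</options>
    <description>No e-mail alerts for l7* workstations shutting down.</description>
  </rule>

</group> <!-- SYSLOG,LOCAL -->
```

Paste the `kernel: Kernel log daemon terminating.` line into `/var/ossec/bin/ossec-logtest` before deploying: if the hostname it reports is the agent name rather than `l785`, adjust the pattern to that value, and the phase 3 output should then show rule 100200 (or 100202) at level 2 instead of 5113 at level 7. The prefix form is what keeps the rule maintainable for the hundred or so hosts Lars mentions, provided they share a naming scheme.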








