I am pretty sure I can help you with this if you tell me what the alert is that you got. All I need is the one-line alert. Sorry, I can't get it from your post; I think the line is "Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating." Please confirm.

If the above is the alert, 2 things:

1. Since you are using if_sid to check for rule 5113 being fired, I am sure you don't need a regex.
2. All you need to do is route all 5113 alerts to 100200 (or whatever).

So I suggest trying it with an if_sid, description, and your preferred rule level only. Don't use regular expressions. Let me know if I helped.

On Mar 4, 7:46 pm, Lars Oberg <[email protected]> wrote:
> The host names are fixed, and I cannot change them. Yes, maybe someone else will chime in with a solution...
>
> On 3/4/2011 4:39 PM, Jeremy Lee wrote:
>
> > There might be another way... I'm sure someone will chime in if they have an idea. I just can't think of anything else off the top of my head. If anything, there would have to be a way to grab it via the decoder. Actually, you might be able to use <regex> if you type in the actual hostname <regex>785</regex> - this wouldn't be much different than <hostname> however. Unless you add a common prefix to all your servers like "POS785" etc. Then maybe you could use a regex rule to filter based on <regex>POS*</regex> or something like that. My regex is off but you get the idea.
> >
> > On Fri, Mar 4, 2011 at 4:20 PM, Lars Oberg <[email protected] <mailto:[email protected]>> wrote:
> >
> > > That's too bad. Maintaining that rule with about 100 host names will be too much work to be feasible, so I don't think I have a choice but to ignore the rule altogether.
> > >
> > > At least I don't have to keep banging my head on this problem anymore.
> > >
> > > Thanks for your help.
> > >
> > > Lars
> > >
> > > On 3/4/2011 3:44 PM, Jeremy Lee wrote:
> >
> >> If you need to enter multiple hostnames, the delimiter is "|"
> >
> >> Let us know what you find.
> >
> >> On Fri, Mar 4, 2011 at 3:39 PM, Jeremy Lee <[email protected] <mailto:[email protected]>> wrote:
> >
> >> Not sure what you would modify in decoder.xml to get the 5100/5113 rules to pick up source IP... Because it seems like the 5100 base rule is not relying on a decoder but rather program_name - in this case "^kernel"
> >
> >> In this scenario, I *think* you may need to utilize <hostname> (what I had suggested in your other thread). The drawback is that you'll have to add a long list of hostnames... because I'm assuming this is for all those Linux boxes you're monitoring, right?
> >
> >> I'm not sure if you can use regex in the <hostname> attribute but it's not difficult to test. Especially with ossec-logtest.
> >
> >> On Fri, Mar 4, 2011 at 3:24 PM, Lars Oberg <[email protected] <mailto:[email protected]>> wrote:
> >
> >> Hi Dan,
> >
> >> Thanks for clarifying that. If I understand you correctly: even though the alert log shows the IP address, I cannot match on it using RegEx since it is not part of the actual message body from syslog.
> >
> >> Is there another way to suppress these e-mails, or do I have to mess with the decoder, so that it decodes the source IP?
> >
> >> Lars
> >
> >> On 3/4/2011 2:59 PM, dan (ddp) wrote:
> >
> >> Hi Lars,
> >
> >> On Fri, Mar 4, 2011 at 5:54 PM, Lars Oberg <[email protected] <mailto:[email protected]>> wrote:
> >
> >> Actually, it does - I tested the RegEx against the email alert, and it matches. But I tested with PCRE regex. Is there a different flavor of regex I need to use?
> >
> >> The OSSEC regex.
> >> http://www.ossec.net/doc/syntax/regex.html
> >
> >> Also, if the regex is not correct, how come the other rule (100201) fires?
> >
> >> 100201 deals with the log message: "ossec: Agent started: '785->10.1.3.4'."
> >> That log message contains an IP address.
> >
> >> 100200 deals with the log message: "Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating."
> >> That log message does not contain an IP address.
> >
> >> On 3/4/2011 2:05 PM, dan (ddp) wrote:
> >
> >> The log message in 5113 does not appear to contain an IP address:
> >> "Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating."
> >
> >> A regex for an IP would not match that log message.
> >
> >> On Fri, Mar 4, 2011 at 4:57 PM, Lars Oberg <[email protected] <mailto:[email protected]>> wrote:
> >
> >> I have a rule for which I cannot seem to disable the email alerts. Since SrcIp is not decoded for this rule, I am using a regex. Below is my local_rules.xml file (only 2 rules). The rule that doesn't fire is 100200, but the strange thing is that the rule below it (100201) is firing just fine, using the exact same regex to match on the IP address of the workstation I'm testing on.
> >
> >> This is very confusing to me, but I am new to ossec, so I am hopefully just overlooking something simple.
> >
> >> Below is also the e-mail notification I am trying to suppress as well as the contents of the alert log.
> >
> >> What am I missing?
> >
> >> ----- local_rules.xml -----
> >> <group name="local,syslog,">
> >
> >>   <rule id="100200" level="2">
> >>     <if_sid>5113</if_sid>
> >>     <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
> >>     <options>no_email_alert</options>
> >>     <description>No e-mail alerts for work stations shutting down.</description>
> >>   </rule>
> >
> >>   <rule id="100201" level="2">
> >>     <if_sid>503</if_sid>
> >>     <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
> >>     <options>no_email_alert</options>
> >>     <description>No email alerts when work stations start up.</description>
> >>   </rule>
> >
> >> </group> <!-- SYSLOG,LOCAL -->
> >
> >> ----- Email -----
> >> OSSEC HIDS Notification.
> >> 2011 Mar 04 12:47:56
> >
> >> Received From: (785) 10.1.3.4->/var/log/messages
> >> Rule: 5113 fired (level 7) -> "System is shutting down."
> >> Portion of the log(s):
> >
> >> Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating.
> >
> >> --END OF NOTIFICATION
> >
> >> ----- Alert log (notice that 5113 fires, instead of 100200) -----
> >> ** Alert 1299272104.152207: mail - syslog,linuxkernel,system_shutdown,
> >> 2011 Mar 04 12:55:04 (785) 10.1.3.4->/var/log/messages
> >> Rule: 5113 (level 7) -> 'System is shutting down.'
> >> Src IP: (none)
> >> User: (none)
> >> Mar 4 12:55:03 l785 kernel: Kernel log daemon terminating.
> >
> >> ** Alert 1299272227.153206: - local,syslog,
> >> 2011 Mar 04 12:57:07 (785) 10.1.3.4->ossec
> >> Rule: 100201 (level 2) -> 'No email alerts when POS stations start up.'
> >> Src IP: (none)
> >> User: (none)
> >> ossec: Agent started: '785->10.1.3.4'.
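The point the thread turns on (the `<regex>` is tested against the log line only, never against the "(785) 10.1.3.4->..." header that carries the agent IP, so 100201 fires and 100200 does not) can be reproduced with a small stand-in for the matching step. This is an added example, not OSSEC's code: it parses the two rules from the thread plus a `<hostname>` variant of 100200 (the "|" delimiter Jeremy mentions; l786 and l787 are made-up extra hosts) and evaluates them against alert records constructed from the quoted alerts. Which name OSSEC actually places in the hostname field for an agent log (the agent name 785 or the syslog host l785) is not settled in the thread, so the records simply assume l785; Python's `re` stands in for the OSSEC regex dialect since the expression here works in both.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the alerts quoted in the thread: the "(785) 10.1.3.4->..."
# header value is kept in agent_ip, apart from the log line itself.
ALERTS = {
    "shutdown": {"sid": 5113, "hostname": "l785", "agent_ip": "10.1.3.4",
                 "log": "Mar  4 12:55:03 l785 kernel: Kernel log daemon terminating."},
    "startup": {"sid": 503, "hostname": "l785", "agent_ip": "10.1.3.4",
                "log": "ossec: Agent started: '785->10.1.3.4'."},
}
# The two rules from the thread (descriptions dropped for brevity).
THREAD_RULES = r"""<group name="local,syslog,">
  <rule id="100200" level="2"><if_sid>5113</if_sid>
    <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex><options>no_email_alert</options></rule>
  <rule id="100201" level="2"><if_sid>503</if_sid>
    <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex><options>no_email_alert</options></rule>
</group>"""
# Jeremy's alternative: match on the host; "|" separates names (l786/l787 are made up).
HOSTNAME_RULE = r"""<group name="local,syslog,">
  <rule id="100200" level="2"><if_sid>5113</if_sid>
    <hostname>l785|l786|l787</hostname><options>no_email_alert</options></rule>
</group>"""

def parse_rules(xml_text):
    out = []
    for r in ET.fromstring(xml_text).iter("rule"):
        sid = r.findtext("if_sid")
        out.append({"id": int(r.get("id")), "if_sid": int(sid) if sid else None,
                    "regex": r.findtext("regex"), "hostname": r.findtext("hostname")})
    return out

def hostname_matches(pattern, hostname):
    """'|' separates alternatives; a leading '^' anchors at the start."""
    return any(hostname.startswith(a[1:]) if a.startswith("^") else a in hostname
               for a in pattern.split("|"))

def rule_matches(rule, alert):
    """Simplified OSSEC semantics: if_sid gates the rule, <regex> is tested against
    the log line only (never the header carrying agent_ip), <hostname> against hostname."""
    if rule["if_sid"] is not None and alert["sid"] != rule["if_sid"]:
        return False
    if rule["regex"] and not re.search(rule["regex"], alert["log"]):
        return False
    if rule["hostname"] and not hostname_matches(rule["hostname"], alert["hostname"]):
        return False
    return True

def matching_rule_ids(xml_text, alert):
    return [r["id"] for r in parse_rules(xml_text) if rule_matches(r, alert)]
```

Before deploying a `<hostname>` version of the rule, run the real log line through ossec-logtest as the thread suggests, since that shows which hostname value the rule actually sees.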
