If you need to enter multiple hostnames, the delimiter is "|".
Let us know what you find.
On Fri, Mar 4, 2011 at 3:39 PM, Jeremy Lee <[email protected]> wrote:
Not sure what you would modify in decoder.xml to get the 5100/5113 rules to pick up the source IP... Because it seems like the 5100 base rule is not relying on a decoder but rather on program_name - in this case "^kernel".
In this scenario, I *think* you may need to utilize <hostname> (what I had suggested in your other thread). The drawback is that you'll have to add a long list of hostnames... because I'm assuming this is for all those Linux boxes you're monitoring, right?
I'm not sure if you can use regex in the <hostname> attribute, but it's not difficult to test, especially with ossec-logtest.
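An added example (not code from the thread or from OSSEC's own rule set) of the <hostname> approach suggested above: rule 100200 rewritten to key on the syslog hostname instead of on an IP address that never appears in the kernel message, using the "|" delimiter noted at the top of the thread to list several hosts. l785 is the hostname in the posted kernel log line; l786 and l787 are hypothetical workstation names. The rule id, level, if_sid and no_email_alert option are kept from the original post.

```xml
<group name="local,syslog,">
  <!-- Added example, not from the thread. Suppress e-mail for the
       "System is shutting down" kernel message (rule 5113) when it comes
       from a listed workstation. <hostname> is matched against the
       hostname in the syslog header with OSSEC match syntax: "|"
       separates alternatives, "^" and "$" anchor each one so that
       l785 does not also match l7850. l786 and l787 are hypothetical. -->
  <rule id="100200" level="2">
    <if_sid>5113</if_sid>
    <hostname>^l785$|^l786$|^l787$</hostname>
    <options>no_email_alert</options>
    <description>No e-mail alerts for workstations shutting down.</description>
  </rule>
</group> <!-- SYSLOG,LOCAL -->
```

Verify it the way the thread suggests: paste the posted line "Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating." into /var/ossec/bin/ossec-logtest and check that the rule reported in the rules phase is 100200 rather than 5113. Hosts not in the list keep the level 7 alert and the e-mail, which is the intended behaviour; the <regex> on the IP is dropped because, as the alert log shows, Src IP is "(none)" for this rule and the IP is not in the message body.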
On Fri, Mar 4, 2011 at 3:24 PM, Lars Oberg <[email protected]> wrote:
Hi Dan,
Thanks for clarifying that. If I understand you correctly: even though the alert log shows the IP address, I cannot match on it using RegEx since it is not part of the actual message body from syslog.
Is there another way to suppress these e-mails, or do I have to mess with the decoder so that it decodes the source IP?
Lars
On 3/4/2011 2:59 PM, dan (ddp) wrote:
Hi Lars,
On Fri, Mar 4, 2011 at 5:54 PM, Lars Oberg <[email protected]> wrote:
Actually, it does - I tested the RegEx against the email alert, and it matches. But I tested with PCRE regex. Is there a different flavor of regex I need to use?
The OSSEC regex.
http://www.ossec.net/doc/syntax/regex.html
Also, if the regex is not correct, how come the other rule (100201) fires?
100201 deals with the log message: "ossec: Agent started: '785->10.1.3.4'."
That log message contains an IP address.
100200 deals with the log message: "Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating."
That log message does not contain an IP address.
On 3/4/2011 2:05 PM, dan (ddp) wrote:
The log message in 5113 does not appear to contain an IP address:
"Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating."
A regex for an IP would not match that log message.
On Fri, Mar 4, 2011 at 4:57 PM, Lars Oberg <[email protected]> wrote:
I have a rule for which I cannot seem to disable the email alerts. Since SrcIp is not decoded for this rule, I am using a regex. Below is my local_rules.xml file (only 2 rules). The rule that doesn't fire is 100200, but the strange thing is that the rule below it (100201) is firing just fine, using the exact same regex to match on the IP address of the workstation I'm testing on.
This is very confusing to me, but I am new to ossec, so I am hopefully just overlooking something simple.
Below is also the e-mail notification I am trying to suppress as well as the contents of the alert log.
What am I missing?
----- local_rules.xml -----
<group name="local,syslog,">
  <rule id="100200" level="2">
    <if_sid>5113</if_sid>
    <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
    <options>no_email_alert</options>
    <description>No e-mail alerts for work stations shutting down.</description>
  </rule>
  <rule id="100201" level="2">
    <if_sid>503</if_sid>
    <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex>
    <options>no_email_alert</options>
    <description>No email alerts when work stations start up.</description>
  </rule>
</group> <!-- SYSLOG,LOCAL -->
----- Email -----
OSSEC HIDS Notification.
2011 Mar 04 12:47:56
Received From: (785) 10.1.3.4->/var/log/messages
Rule: 5113 fired (level 7) -> "System is shutting down."
Portion of the log(s):
Mar 4 12:47:55 l785 kernel: Kernel log daemon terminating.
--END OF NOTIFICATION
----- Alert log (notice that 5113 fires, instead of 100200) -----
** Alert 1299272104.152207: mail - syslog,linuxkernel,system_shutdown,
2011 Mar 04 12:55:04 (785) 10.1.3.4->/var/log/messages
Rule: 5113 (level 7) -> 'System is shutting down.'
Src IP: (none)
User: (none)
Mar 4 12:55:03 l785 kernel: Kernel log daemon terminating.
** Alert 1299272227.153206: - local,syslog,
2011 Mar 04 12:57:07 (785) 10.1.3.4->ossec
Rule: 100201 (level 2) -> 'No email alerts when POS stations start up.'
Src IP: (none)
User: (none)
ossec: Agent started: '785->10.1.3.4'.
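For the point dan makes above about the OSSEC regex flavour, here is an added Python model (written for this page, not OSSEC's own code) that translates the escapes documented at the ossec.net regex page linked in the thread into a Python pattern, then applies the posted <regex> to the two log messages quoted in the thread and to a constructed excerpt of the alert e-mail. It shows why a PCRE test against the e-mail text matched while the rule did not: a rule's regex sees only the log message, the IP in "Received From:" is OSSEC's own header, and in OSSEC syntax "\." means any character while a bare "." is a literal dot. The mapping table and the helper names are this example's own.

```python
"""Added example (not from the OSSEC thread): model OSSEC regex semantics in
Python and check a rule's <regex> against the log message, which is all a
rule ever sees.  Sample log lines are copied from the thread; EMAIL_BODY is a
constructed excerpt of the posted alert e-mail."""
import re

# OSSEC (os_regex) escapes -> Python regex.  Note that '\.' is "anything" in
# OSSEC and a bare '.' is a literal dot, the opposite of PCRE.
_OSSEC_CLASSES = {
    "w": "[A-Za-z0-9]",
    "d": "[0-9]",
    "s": " ",
    "t": "\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",
    "W": "[^A-Za-z0-9]",
    "D": "[^0-9]",
    "S": "[^ ]",
    ".": ".",
}
# '\$', '\(', '\)', '\\', '\|', '\<' stand for the literal character.
_OSSEC_LITERALS = {"$", "(", ")", "\\", "|", "<"}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC regex into an equivalent Python regex string."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("dangling backslash in OSSEC regex")
            nxt = pattern[i + 1]
            if nxt in _OSSEC_CLASSES:
                out.append(_OSSEC_CLASSES[nxt])
            elif nxt in _OSSEC_LITERALS:
                out.append(re.escape(nxt))
            else:
                raise ValueError(f"unknown OSSEC escape \\{nxt}")
            i += 2
            continue
        if ch in "^$|()*+":
            out.append(ch)          # same meaning in Python
        else:
            out.append(re.escape(ch))  # everything else, '.' included, is literal
        i += 1
    return "".join(out)


def ossec_search(pattern: str, text: str) -> bool:
    """A rule's <regex> is an unanchored search over the log message."""
    return re.search(ossec_to_python(pattern), text) is not None


# The <regex> from the thread's local_rules.xml.
RULE_REGEX = r"(10\.\d*\.3\.\d*)|(10.1.1.152)"

# Log messages quoted in the thread.
KERNEL_SHUTDOWN = "Mar  4 12:47:55 l785 kernel: Kernel log daemon terminating."
AGENT_STARTED = "ossec: Agent started: '785->10.1.3.4'."

# Constructed excerpt of the alert e-mail that was tested with PCRE: the IP
# appears here only in OSSEC's own "Received From:" header line.
EMAIL_BODY = (
    "Received From: (785) 10.1.3.4->/var/log/messages\n"
    'Rule: 5113 fired (level 7) -> "System is shutting down."\n'
    "Portion of the log(s):\n" + KERNEL_SHUTDOWN
)


def explain() -> dict:
    """Report what the thread's regex matches under OSSEC semantics."""
    return {
        "kernel_log_line": ossec_search(RULE_REGEX, KERNEL_SHUTDOWN),    # no IP in the message
        "agent_started_line": ossec_search(RULE_REGEX, AGENT_STARTED),   # IP is in the message
        "alert_email": ossec_search(RULE_REGEX, EMAIL_BODY),             # header line carries the IP
    }


if __name__ == "__main__":
    print("OSSEC regex as Python:", ossec_to_python(RULE_REGEX))
    for name, hit in explain().items():
        print(f"{name:20s} {'match' if hit else 'no match'}")
```

Because "\." is any character, the first alternative is looser than its PCRE reading and would also accept "10-1-3-4"; the second alternative, written with bare dots, is an exact literal. Neither helps rule 100200, whose input never contains an address, which is why the <hostname> route is the practical fix.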