Hi Lars, Ok so now i know what u need exactly. The thing is the default decoder (iptables decoder in this case-since its a kernel message)does not extract srcip's as u said. But also notice how the alert itself doesnt show an IP address. If the alert doesnt show an IP-address u cant make a regex for an IP address. One thing i noticed in the alerts is the machine name(something like l807) Im assuming every machine has its own IP and so in that case u can do it by machine names and not IP-subnets. Machine name is referred to as hostname in ossec. So u can specify what host shutdowns u wanna see and which ones u dont.
Hope that helps...Ill see if i can make a rule for that.In order to do that i'll have to see if u edited the decoder or not..(so that my rule is coherent) Can u test this alert in a logtest envirnoment and send me the result Basically run ossec-logtest thanks On Tue, 2011-03-08 at 09:41 -0800, Lars Oberg wrote: > Hello Gutsy, > > The problem is how to disable the email alerts for given IP subnets / > ranges - not totally disable the alerts. I have already totally > disabled the alerts since I do not know how to do it by IP subnets. > Please read my original e-mail. > > Lars > > On 3/8/2011 7:32 AM, Gurtaj Singh wrote: > > Hey Lars, > > I just looked into this > > and this is all u need to do(try it and let me know if it works) > > > > <group name="shut"> > > <rule id="700200" level="5"> > > <if_sid>5113</if_sid> > > <description>dont need this</description> > > </rule> > > </group> > > (------put above in ur local_rules.xml file--------------) > > FYI: i suggest that u do this but there is another alternative to > > this(which is sorta pro.xD) > > What u can do is edit the real file where the 5113 rule is(I checked its > > syslog_rules.xml) and make a small little bash script that will do this > > change for u. So, if ever with a new update ur changes to syslog_rules > > gets overwritten u can use the bash script to make that change again. > > this way u can make rules for unknown stuff in local_rules.xml and not > > repeat the stuff already assigned rules. Sounds more efficient but needs > > some scripting. > > > > > > On Mon, 2011-03-07 at 15:28 -0800, Lars Oberg wrote: > >> Ok, great. Yes, it is the "Kernel log daemon terminating" message: > >> > >> This is the alert in the alert.log: > >> ** Alert 1299259678.72480: mail - syslog,linuxkernel,system_shutdown, > >> 2011 Mar 04 09:27:58 (pos-vm) 10.1.1.152->/var/log/messages > >> Rule: 5113 (level 7) -> 'System is shutting down.' > >> Src IP: (none) > >> User: (none) > >> Mar 4 09:27:57 l807 kernel: Kernel log daemon terminating. > >> > >> Here is the email: > >> OSSEC HIDS Notification. > >> 2011 Mar 04 09:27:58 > >> > >> Received From: (pos-vm) 10.1.1.152->/var/log/messages > >> Rule: 5113 fired (level 7) -> "System is shutting down." > >> Portion of the log(s): > >> > >> Mar 4 09:27:57 l807 kernel: Kernel log daemon terminating. > >> > >> > >> > >> --END OF NOTIFICATION > >> > >> Thanks, > >> Lars > >> > >> On 3/7/2011 10:24 AM, gutsy gibbon wrote: > >>> I am pretty sure i can help u with this if u tell me what is the alert > >>> u got...ALL i need is the one line alert...sorry i cant get it from ur > >>> post > >>> i think the line is "Mar 4 12:47:55 l785 kernel: Kernel log daemon > >>> terminating. " > >>> plz confirm > >>> > >>> If the above is the alert--2 things > >>> 1. Since u are using if_sid to check for the rule 5113 being fired I > >>> am sure u dont need a regex > >>> 2. All u need to do is route all 5113 alerts to 100200(or w/e ) > >>> So i suggest trying it with a if_sid , Description, and ur preferred > >>> rule level only > >>> Dont use regular expressions > >>> Let me know if i helped > >>> > >>> > >>> On Mar 4, 7:46 pm, Lars Oberg<[email protected]> wrote: > >>>> The host names are fixed, and I cannot change them. Yes, maybe someone > >>>> else will chime in with a solution... > >>>> > >>>> On 3/4/2011 4:39 PM, Jeremy Lee wrote: > >>>> > >>>>> There might be another way... I'm sure someone will chime in if they > >>>>> have an idea. I just can't think of anything else off the top of my > >>>>> head. If anything, there would have to be a way to grab it via the > >>>>> decoder. Actually, you might be able to use<regex> if you type in the > >>>>> actual hostname<regex>785</regex> - this wouldn't be much different > >>>>> than<hostname> however. Unless you add a common prefix to all your > >>>>> servers like "POS785" etc. Then maybe you could use a regex rule to > >>>>> filter based on<regex>POS*</regex> or something like that. My regex > >>>>> is off but you get the idea. > >>>>> On Fri, Mar 4, 2011 at 4:20 PM, Lars Oberg<[email protected] > >>>>> <mailto:[email protected]>> wrote: > >>>>> That's too bad. Maintaining that rule with about 100 hosts names > >>>>> will be too much work to be feasible, so I don't think I have a > >>>>> choice but to ignore the rule altogether. > >>>>> At least I don't have to keep banging my head on this problem > >>>>> anymore. > >>>>> Thanks for your help. > >>>>> Lars > >>>>> On 3/4/2011 3:44 PM, Jeremy Lee wrote: > >>>>>> If you need to enter multiple hostnames, the delimiter is "|" > >>>>>> Let us know what you find. > >>>>>> On Fri, Mar 4, 2011 at 3:39 PM, Jeremy Lee<[email protected] > >>>>>> <mailto:[email protected]>> wrote: > >>>>>> Not sure what you would modify in decoder.xml to get the > >>>>>> 5100/5113 rules to pickup source IP... Because it seems like > >>>>>> the 5100 base rule is not relying on a decoder but rather > >>>>>> program_name - in this case "^kernel" > >>>>>> In this scenario, I *think* you may need to utilize > >>>>>> <hostname> (what I had suggested in your other thread). The > >>>>>> drawback is that you'll have to add a long list of > >>>>>> hostnames... because I'm assuming this is for all those Linux > >>>>>> boxes you're monitoring, right? > >>>>>> I'm not sure if you can use regex in the<hostname> attribute > >>>>>> but it's not difficult to test. Especially with ossec-logtest. > >>>>>> On Fri, Mar 4, 2011 at 3:24 PM, Lars Oberg > >>>>>> <[email protected]<mailto:[email protected]>> > >>>>>> wrote: > >>>>>> Hi Dan, > >>>>>> Thanks for clarifying that. If I understand you > >>>>>> correctly: even though the alert log shows the IP > >>>>>> address, I cannot match on it using RegEx since it is not > >>>>>> part of the actual message body from syslog. > >>>>>> Is there another way to suppress these e-mails, or do I > >>>>>> have to mess with the decoder, so that it decodes the > >>>>>> source IP? > >>>>>> Lars > >>>>>> On 3/4/2011 2:59 PM, dan (ddp) wrote: > >>>>>> Hi Lars, > >>>>>> On Fri, Mar 4, 2011 at 5:54 PM, Lars > >>>>>> Oberg<[email protected] > >>>>>> <mailto:[email protected]>> wrote: > >>>>>> Actually, it does - I tested the RegEx against > >>>>>> the email alert, and it > >>>>>> matches. But I tested with PCRE regex. Is there > >>>>>> a different flavor regex I > >>>>>> need to use? > >>>>>> The OSSEC regex. > >>>>>> http://www.ossec.net/doc/syntax/regex.html > >>>>>> Also, if the regex is not correct, how come the > >>>>>> other rule (100201) fires? > >>>>>> 100201 Deals with the log message: "ossec: Agent > >>>>>> started: '785->10.1.3.4'." > >>>>>> That log message contains an IP address. > >>>>>> 100200 deals with the log message: "Mar 4 12:47:55 > >>>>>> l785 kernel: > >>>>>> Kernel log daemon terminating." > >>>>>> That log message does not contain an IP address. > >>>>>> On 3/4/2011 2:05 PM, dan (ddp) wrote: > >>>>>> The log message in 5113 does not appear to > >>>>>> contain an IP address: > >>>>>> "Mar 4 12:47:55 l785 kernel: Kernel log > >>>>>> daemon terminating." > >>>>>> A regex for an IP would not match that log > >>>>>> message. > >>>>>> On Fri, Mar 4, 2011 at 4:57 PM, Lars > >>>>>> Oberg<[email protected] > >>>>>> <mailto:[email protected]>> wrote: > >>>>>> I have a rule for which I cannot seem to > >>>>>> disable the email alerts. Since > >>>>>> SrcIp is not decoded for this rule, I am > >>>>>> using a regex. Below is my > >>>>>> local_rules.xml file (only 2 rules). The > >>>>>> rule that doesn't fire is > >>>>>> 100200, > >>>>>> but the strange thing is that the rule > >>>>>> below it (100201) is firing just > >>>>>> fine, use the exact same regex to match > >>>>>> on the IP address of the > >>>>>> workstation > >>>>>> I'm testing on. > >>>>>> This is very confusing to me, but I am > >>>>>> new to ossec, so I am hopefully > >>>>>> just > >>>>>> overlooking something simple. > >>>>>> Below is also the e-mail notification I > >>>>>> am trying to suppress as well as > >>>>>> the > >>>>>> contents of the alert log. > >>>>>> What am I missing? > >>>>>> ----- local_rules.xml ----- > >>>>>> <group name="local,syslog,"> > >>>>>> <rule id="100200" level="2"> > >>>>>> <if_sid>5113</if_sid> > >>>>>> > >>>>>> <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex> > >>>>>> <options>no_email_alert</options> > >>>>>> <description>No e-mail alerts for work > >>>>>> stations shutting > >>>>>> down.</description> > >>>>>> </rule> > >>>>>> <rule id="100201" level="2"> > >>>>>> <if_sid>503</if_sid> > >>>>>> > >>>>>> <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex> > >>>>>> <options>no_email_alert</options> > >>>>>> <description>No email alerts when work > >>>>>> stations start up.</description> > >>>>>> </rule> > >>>>>> </group> <!-- SYSLOG,LOCAL --> > >>>>>> ----- Email ----- > >>>>>> OSSEC HIDS Notification. > >>>>>> 2011 Mar 04 12:47:56 > >>>>>> Received From: (785) > >>>>>> 10.1.3.4->/var/log/messages > >>>>>> Rule: 5113 fired (level 7) -> "System > >>>>>> is shutting down." > >>>>>> Portion of the log(s): > >>>>>> Mar 4 12:47:55 l785 kernel: Kernel log > >>>>>> daemon terminating. > >>>>>> --END OF NOTIFICATION > >>>>>> ----- Alert log (notice that 5113 fires, > >>>>>> instead of 100200) ----- > >>>>>> ** Alert 1299272104.152207: mail - > >>>>>> syslog,linuxkernel,system_shutdown, > >>>>>> 2011 Mar 04 12:55:04 (785) > >>>>>> 10.1.3.4->/var/log/messages > >>>>>> Rule: 5113 (level 7) -> 'System is > >>>>>> shutting down.' > >>>>>> Src IP: (none) > >>>>>> User: (none) > >>>>>> Mar 4 12:55:03 l785 kernel: Kernel log > >>>>>> daemon terminating. > >>>>>> ** Alert 1299272227.153206: - > >>>>>> local,syslog, > >>>>>> 2011 Mar 04 12:57:07 (785) 10.1.3.4->ossec > >>>>>> Rule: 100201 (level 2) -> 'No email > >>>>>> alerts when POS stations start up.' > >>>>>> Src IP: (none) > >>>>>> User: (none) > >>>>>> ossec: Agent started: '785->10.1.3.4'. > > >
