Lars, If the list of hostnames doesn't change often and is pretty static, the most immediate option is just to add them to the rule using <hostname> or what not.
Shouldn't be too hard to create a list of hostnames in "piped" format, i.e. "host1|host2|host3|host4" - especially if they are ordered. Just write up a perl/bash/python script to increment and print the pipe. Of course, that's assuming the hosts are numbered in order. It probably wouldn't hurt to keep a maintained list/inventory anyway :) On Tue, Mar 8, 2011 at 10:01 AM, Gurtaj Singh <[email protected]>wrote: > Hi Lars, > Ok so now i know what u need exactly. The thing is the default decoder > (iptables decoder in this case-since its a kernel message)does not > extract srcip's as u said. > But also notice how the alert itself doesnt show an IP address. > If the alert doesnt show an IP-address u cant make a regex for an IP > address. One thing i noticed in the alerts is the machine name(something > like l807) Im assuming every machine has its own IP and so in that case > u can do it by machine names and not IP-subnets. Machine name is > referred to as hostname in ossec. > So u can specify what host shutdowns u wanna see and which ones u dont. > > Hope that helps...Ill see if i can make a rule for that.In order to do > that i'll have to see if u edited the decoder or not..(so that my rule > is coherent) > Can u test this alert in a logtest envirnoment and send me the result > Basically run ossec-logtest > thanks > > On Tue, 2011-03-08 at 09:41 -0800, Lars Oberg wrote: > > Hello Gutsy, > > > > The problem is how to disable the email alerts for given IP subnets / > > ranges - not totally disable the alerts. I have already totally > > disabled the alerts since I do not know how to do it by IP subnets. > > Please read my original e-mail. > > > > Lars > > > > On 3/8/2011 7:32 AM, Gurtaj Singh wrote: > > > Hey Lars, > > > I just looked into this > > > and this is all u need to do(try it and let me know if it works) > > > > > > <group name="shut"> > > > <rule id="700200" level="5"> > > > <if_sid>5113</if_sid> > > > <description>dont need this</description> > > > </rule> > > > </group> > > > (------put above in ur local_rules.xml file--------------) > > > FYI: i suggest that u do this but there is another alternative to > > > this(which is sorta pro.xD) > > > What u can do is edit the real file where the 5113 rule is(I checked > its > > > syslog_rules.xml) and make a small little bash script that will do this > > > change for u. So, if ever with a new update ur changes to syslog_rules > > > gets overwritten u can use the bash script to make that change again. > > > this way u can make rules for unknown stuff in local_rules.xml and not > > > repeat the stuff already assigned rules. Sounds more efficient but > needs > > > some scripting. > > > > > > > > > On Mon, 2011-03-07 at 15:28 -0800, Lars Oberg wrote: > > >> Ok, great. Yes, it is the "Kernel log daemon terminating" message: > > >> > > >> This is the alert in the alert.log: > > >> ** Alert 1299259678.72480: mail - syslog,linuxkernel,system_shutdown, > > >> 2011 Mar 04 09:27:58 (pos-vm) 10.1.1.152->/var/log/messages > > >> Rule: 5113 (level 7) -> 'System is shutting down.' > > >> Src IP: (none) > > >> User: (none) > > >> Mar 4 09:27:57 l807 kernel: Kernel log daemon terminating. > > >> > > >> Here is the email: > > >> OSSEC HIDS Notification. > > >> 2011 Mar 04 09:27:58 > > >> > > >> Received From: (pos-vm) 10.1.1.152->/var/log/messages > > >> Rule: 5113 fired (level 7) -> "System is shutting down." > > >> Portion of the log(s): > > >> > > >> Mar 4 09:27:57 l807 kernel: Kernel log daemon terminating. > > >> > > >> > > >> > > >> --END OF NOTIFICATION > > >> > > >> Thanks, > > >> Lars > > >> > > >> On 3/7/2011 10:24 AM, gutsy gibbon wrote: > > >>> I am pretty sure i can help u with this if u tell me what is the > alert > > >>> u got...ALL i need is the one line alert...sorry i cant get it from > ur > > >>> post > > >>> i think the line is "Mar 4 12:47:55 l785 kernel: Kernel log daemon > > >>> terminating. " > > >>> plz confirm > > >>> > > >>> If the above is the alert--2 things > > >>> 1. Since u are using if_sid to check for the rule 5113 being fired I > > >>> am sure u dont need a regex > > >>> 2. All u need to do is route all 5113 alerts to 100200(or w/e ) > > >>> So i suggest trying it with a if_sid , Description, and ur preferred > > >>> rule level only > > >>> Dont use regular expressions > > >>> Let me know if i helped > > >>> > > >>> > > >>> On Mar 4, 7:46 pm, Lars Oberg<[email protected]> wrote: > > >>>> The host names are fixed, and I cannot change them. Yes, maybe > someone > > >>>> else will chime in with a solution... > > >>>> > > >>>> On 3/4/2011 4:39 PM, Jeremy Lee wrote: > > >>>> > > >>>>> There might be another way... I'm sure someone will chime in if > they > > >>>>> have an idea. I just can't think of anything else off the top of my > > >>>>> head. If anything, there would have to be a way to grab it via the > > >>>>> decoder. Actually, you might be able to use<regex> if you type in > the > > >>>>> actual hostname<regex>785</regex> - this wouldn't be much > different > > >>>>> than<hostname> however. Unless you add a common prefix to all your > > >>>>> servers like "POS785" etc. Then maybe you could use a regex rule to > > >>>>> filter based on<regex>POS*</regex> or something like that. My > regex > > >>>>> is off but you get the idea. > > >>>>> On Fri, Mar 4, 2011 at 4:20 PM, Lars Oberg<[email protected] > > >>>>> <mailto:[email protected]>> wrote: > > >>>>> That's too bad. Maintaining that rule with about 100 hosts > names > > >>>>> will be too much work to be feasible, so I don't think I have > a > > >>>>> choice but to ignore the rule altogether. > > >>>>> At least I don't have to keep banging my head on this problem > > >>>>> anymore. > > >>>>> Thanks for your help. > > >>>>> Lars > > >>>>> On 3/4/2011 3:44 PM, Jeremy Lee wrote: > > >>>>>> If you need to enter multiple hostnames, the delimiter is "|" > > >>>>>> Let us know what you find. > > >>>>>> On Fri, Mar 4, 2011 at 3:39 PM, Jeremy Lee<[email protected] > > >>>>>> <mailto:[email protected]>> wrote: > > >>>>>> Not sure what you would modify in decoder.xml to get the > > >>>>>> 5100/5113 rules to pickup source IP... Because it seems > like > > >>>>>> the 5100 base rule is not relying on a decoder but rather > > >>>>>> program_name - in this case "^kernel" > > >>>>>> In this scenario, I *think* you may need to utilize > > >>>>>> <hostname> (what I had suggested in your other thread). > The > > >>>>>> drawback is that you'll have to add a long list of > > >>>>>> hostnames... because I'm assuming this is for all those > Linux > > >>>>>> boxes you're monitoring, right? > > >>>>>> I'm not sure if you can use regex in the<hostname> > attribute > > >>>>>> but it's not difficult to test. Especially with > ossec-logtest. > > >>>>>> On Fri, Mar 4, 2011 at 3:24 PM, Lars Oberg > > >>>>>> <[email protected]<mailto:[email protected]>> > wrote: > > >>>>>> Hi Dan, > > >>>>>> Thanks for clarifying that. If I understand you > > >>>>>> correctly: even though the alert log shows the IP > > >>>>>> address, I cannot match on it using RegEx since it is > not > > >>>>>> part of the actual message body from syslog. > > >>>>>> Is there another way to suppress these e-mails, or do > I > > >>>>>> have to mess with the decoder, so that it decodes the > > >>>>>> source IP? > > >>>>>> Lars > > >>>>>> On 3/4/2011 2:59 PM, dan (ddp) wrote: > > >>>>>> Hi Lars, > > >>>>>> On Fri, Mar 4, 2011 at 5:54 PM, Lars > > >>>>>> Oberg<[email protected] > > >>>>>> <mailto:[email protected]>> wrote: > > >>>>>> Actually, it does - I tested the RegEx > against > > >>>>>> the email alert, and it > > >>>>>> matches. But I tested with PCRE regex. Is > there > > >>>>>> a different flavor regex I > > >>>>>> need to use? > > >>>>>> The OSSEC regex. > > >>>>>> http://www.ossec.net/doc/syntax/regex.html > > >>>>>> Also, if the regex is not correct, how come > the > > >>>>>> other rule (100201) fires? > > >>>>>> 100201 Deals with the log message: "ossec: Agent > > >>>>>> started: '785->10.1.3.4'." > > >>>>>> That log message contains an IP address. > > >>>>>> 100200 deals with the log message: "Mar 4 > 12:47:55 > > >>>>>> l785 kernel: > > >>>>>> Kernel log daemon terminating." > > >>>>>> That log message does not contain an IP address. > > >>>>>> On 3/4/2011 2:05 PM, dan (ddp) wrote: > > >>>>>> The log message in 5113 does not appear > to > > >>>>>> contain an IP address: > > >>>>>> "Mar 4 12:47:55 l785 kernel: Kernel log > > >>>>>> daemon terminating." > > >>>>>> A regex for an IP would not match that > log > > >>>>>> message. > > >>>>>> On Fri, Mar 4, 2011 at 4:57 PM, Lars > > >>>>>> Oberg<[email protected] > > >>>>>> <mailto:[email protected]>> > wrote: > > >>>>>> I have a rule for which I cannot seem > to > > >>>>>> disable the email alerts. Since > > >>>>>> SrcIp is not decoded for this rule, I > am > > >>>>>> using a regex. Below is my > > >>>>>> local_rules.xml file (only 2 rules). > The > > >>>>>> rule that doesn't fire is > > >>>>>> 100200, > > >>>>>> but the strange thing is that the > rule > > >>>>>> below it (100201) is firing just > > >>>>>> fine, use the exact same regex to > match > > >>>>>> on the IP address of the > > >>>>>> workstation > > >>>>>> I'm testing on. > > >>>>>> This is very confusing to me, but I > am > > >>>>>> new to ossec, so I am hopefully > > >>>>>> just > > >>>>>> overlooking something simple. > > >>>>>> Below is also the e-mail notification > I > > >>>>>> am trying to suppress as well as > > >>>>>> the > > >>>>>> contents of the alert log. > > >>>>>> What am I missing? > > >>>>>> ----- local_rules.xml ----- > > >>>>>> <group name="local,syslog,"> > > >>>>>> <rule id="100200" level="2"> > > >>>>>> <if_sid>5113</if_sid> > > >>>>>> > <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex> > > >>>>>> <options>no_email_alert</options> > > >>>>>> <description>No e-mail alerts for > work > > >>>>>> stations shutting > > >>>>>> down.</description> > > >>>>>> </rule> > > >>>>>> <rule id="100201" level="2"> > > >>>>>> <if_sid>503</if_sid> > > >>>>>> > <regex>(10\.\d*\.3\.\d*)|(10.1.1.152)</regex> > > >>>>>> <options>no_email_alert</options> > > >>>>>> <description>No email alerts when > work > > >>>>>> stations start up.</description> > > >>>>>> </rule> > > >>>>>> </group> <!-- SYSLOG,LOCAL --> > > >>>>>> ----- Email ----- > > >>>>>> OSSEC HIDS Notification. > > >>>>>> 2011 Mar 04 12:47:56 > > >>>>>> Received From: (785) > > >>>>>> 10.1.3.4->/var/log/messages > > >>>>>> Rule: 5113 fired (level 7) -> > "System > > >>>>>> is shutting down." > > >>>>>> Portion of the log(s): > > >>>>>> Mar 4 12:47:55 l785 kernel: Kernel > log > > >>>>>> daemon terminating. > > >>>>>> --END OF NOTIFICATION > > >>>>>> ----- Alert log (notice that 5113 > fires, > > >>>>>> instead of 100200) ----- > > >>>>>> ** Alert 1299272104.152207: mail - > > >>>>>> syslog,linuxkernel,system_shutdown, > > >>>>>> 2011 Mar 04 12:55:04 (785) > > >>>>>> 10.1.3.4->/var/log/messages > > >>>>>> Rule: 5113 (level 7) -> 'System > is > > >>>>>> shutting down.' > > >>>>>> Src IP: (none) > > >>>>>> User: (none) > > >>>>>> Mar 4 12:55:03 l785 kernel: Kernel > log > > >>>>>> daemon terminating. > > >>>>>> ** Alert 1299272227.153206: - > local,syslog, > > >>>>>> 2011 Mar 04 12:57:07 (785) > 10.1.3.4->ossec > > >>>>>> Rule: 100201 (level 2) -> 'No > email > > >>>>>> alerts when POS stations start up.' > > >>>>>> Src IP: (none) > > >>>>>> User: (none) > > >>>>>> ossec: Agent started: > '785->10.1.3.4'. > > > > > > > >
