You're doing it wrong.

Look at the output of the log message in ossec-logtest:
# cd /var/ossec/bin
# ./ossec-logtest
2011/03/15 13:10:31 ossec-testrule: INFO: Reading local decoder file.
2011/03/15 13:10:31 ossec-testrule: INFO: Reading loading the lists file: 'lists/blocked.txt.cdb'
2011/03/15 13:10:31 ossec-testrule: INFO: Started (pid: 1010).
ossec-testrule: Type one log per line.

Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr' insert (-1)


**Phase 1: Completed pre-decoding.
      full event: 'Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr' insert (-1)'
      hostname: 'sebfwint1'
      program_name: 'snmpd'
      log: 'error on subcontainer 'ia_addr' insert (-1)'

**Phase 2: Completed decoding.
      No decoder matched.

**Phase 3: Completed filtering (rules).
      Rule id: '1002'
      Level: '2'
      Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

The <match> option uses the section labeled "log:" to match against.
snmpd is not in that section, it is the program_name.

If you're trying to ignore all messages coming from snmpd (a silly
thing to do), you'd need to use <program_name>snmpd</program_name>. If
you want to ignore this message specifically, use the program_name and
a <match> statement (based on the log: output above).
HTH,
dan

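Putting the advice above into a rule, as an added example that is not part of the thread: this is a local_rules.xml fragment that silences only the one snmpd message by chaining off rule 1002, matching the program_name field and a substring of the log field. The group name is the one the stock local_rules.xml ships with, rule id 100003 is reused from the attempt quoted below, and the description text is my own wording; none of it was posted in the thread.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml; not code from the
     original thread. The group name is the one the stock local_rules.xml
     uses, and rule id 100003 is taken from the posted attempt. -->
<group name="local,syslog,">

  <!-- Silence only this snmpd message. Rule 1002 is the generic
       "Unknown problem somewhere in the system." catch-all, so we chain
       off it with if_sid. program_name is compared against the
       pre-decoded program_name field ('snmpd' in the ossec-logtest
       Phase 1 output); match is a substring test against the pre-decoded
       log field, which is why a bare <match>snmpd</match> never fires.
       Level 0 tells OSSEC to drop the event, so no_email_alert is not
       needed. -->
  <rule id="100003" level="0">
    <if_sid>1002</if_sid>
    <program_name>snmpd</program_name>
    <match>error on subcontainer 'ia_addr' insert</match>
    <description>Ignore known snmpd subcontainer insert error until fixed.</description>
  </rule>

</group>
```

Before restarting OSSEC, paste the original syslog line into ossec-logtest again: Phase 3 should now report rule 100003 at level 0 and no "Alert to be generated" line. Two things to keep in mind: the rule only works because the pre-decoder extracted program_name (visible in Phase 1 above), so it will not help for a log format that does not yield that field; and because this is a level 0 rule the event is dropped entirely rather than merely not emailed, so remember to remove it once the snmpd problem is actually fixed.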
On Tue, Mar 15, 2011 at 2:55 PM, satish patel <[email protected]> wrote:
> I did the following but it is still not working :(
>
>
>  <rule id="100003" level="0">
>        <if_sid>1002</if_sid>
>        <options>no_email_alert</options>
>        <match>snmpd</match>
>        <description>IGNORED RULE</description>
>  </rule>
>
>
>
>
> On Tue, Mar 15, 2011 at 2:39 PM, Tanishk Lakhaani <[email protected]> wrote:
>> Hi,
>> Set the level to 0 (zero) in local_rules.xml
>>
>>
>> Regards
>> Tanishk Lakhaani
>> Sent from BlackBerry® on Airtel
>>
>> -----Original Message-----
>> From: satish patel <[email protected]>
>> Sender: [email protected]
>> Date: Tue, 15 Mar 2011 10:29:44
>> To: <[email protected]>
>> Reply-To: [email protected]
>> Subject: [ossec-list] How to ignore specific rules
>>
>> I am getting the following alert constantly; how do I ignore it until I fix the
>> issue?
>>
>>
>> OSSEC HIDS Notification.
>> 2011 Mar 15 07:18:52
>>
>> Received From: (sebfwint1) 172.24.0.63->/var/log/syslog
>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr' insert (-1)
>>
>
