On Wed, Feb 6, 2013 at 10:14 AM, IvarsG <[email protected]> wrote:
> Hello,
>
> I have spent some time trying to eliminate noise from Snort logs (in
> particular, two events which are ok on a given server), but without
> success.
> Googling, reading manuals and experimenting didn't help much. Even enabling
> all debugs in /var/ossec/etc/internal_options.conf didn't give me any obvious
> clues to a solution.
>
> The problem is that local rules exactly for Snort events fire very well and
> do the intended action only while running the ossec-logtest tool.
> When the OSSEC service is started normally, the local rule is not fired any
> more.
>
> Could there be a problem with the snort log format? In fact, it shouldn't, since
> if there were a problem with the multiline format of the snort alert file, there
> wouldn't be any ossec alert from the snort file at all. But the point is that
> standard alerts are there - only my custom alert is ignored.
>
> I tried to do a similar thing with alerts from sshd, and in this case
> everything works as expected.
>
> The two custom rules are as follows:
>
> <group name="ids,">
>
>   <rule id="100001" level="4">
>     <if_sid>20100,20101</if_sid>
>     <decoded_as>snort</decoded_as>
>     <!-- [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
>          [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING -->
>     <id>119:15:1|119:16:1</id>
>     <description>Lower the level for some (http_inspect) events.</description>
>   </rule>
>
> </group> <!-- IDS -->
>
> <group name="sshd,">
>
>   <rule id="100099" level="5">
>     <if_sid>5710</if_sid>
>     <decoded_as>sshd</decoded_as>
>     <description>IVARSG: rule intercepted, works fine!!!!.</description>
>   </rule>
>
> </group> <!-- IDS -->
>
> Rule 100099 fires in both scenarios - logtest and when ossec runs as a service;
> however, rule 100001 fires only when tested with logtest (while rule
> 20101 also fires in both scenarios).
>
> Could someone please suggest some solution?
>
> See attached detailed info as suggested in the "How do I troubleshoot ossec?"
> section (ip addresses and hostname are modified a little).
>
> Thanks in advance for your time and help,
> Ivars
>
> --
Thanks for including all of that info, it was helpful! This isn't a fix, but it works for me if I use a <match> instead of the id. Still looking into it though.
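The workaround from the reply above, written out as a complete rule. This is an added example, not the responder's own rule and not code from the OSSEC project: it keeps rule 100001's id, level, parents and group from the question and only swaps the <id> test for a <match> test. The match strings are assumed from the two Snort messages quoted in the question's comment; check them against the exact text in your own Snort alert file before relying on the rule.

```xml
<!-- Added example: rule 100001 rewritten to use <match> on the alert text,
     as the reply suggests, instead of <id>. Match strings are assumed from
     the Snort messages quoted in the question. -->
<group name="ids,">

  <rule id="100001" level="4">
    <if_sid>20100,20101</if_sid>
    <decoded_as>snort</decoded_as>
    <!-- <match> is a literal substring test against the log line, with "|"
         separating alternatives. Unlike <id>, it does not depend on the
         snort decoder having extracted the Snort id field from the event. -->
    <match>OVERSIZE REQUEST-URI DIRECTORY|OVERSIZE CHUNK ENCODING</match>
    <description>Lower the level for some (http_inspect) events.</description>
  </rule>

</group> <!-- IDS -->
```

Because the question reports that ossec-logtest and the running service disagree, verify the rule in both places: paste one of the multi-line Snort alerts into ossec-logtest and confirm rule 100001 is the one reported, then restart OSSEC and confirm that the same event in /var/ossec/logs/alerts/alerts.log is now recorded under rule 100001 at level 4 rather than under rule 20101.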
