Hi, I have just checked on my server and yes - <match> instead of <id> works fine for me, too. Thanks for your help!
Ivars

On Wednesday, February 6, 2013 5:43:58 PM UTC+2, dan (ddpbsd) wrote:
> On Wed, Feb 6, 2013 at 10:14 AM, IvarsG <[email protected]> wrote:
> > Hello,
> >
> > I have spent some time trying to eliminate noise from Snort logs (in particular, two events which are OK on a given server), but without success. Googling, reading manuals and experimenting didn't help much. Even enabling all debugs in /var/ossec/etc/internal_options.conf didn't give me any obvious clues to a solution.
> >
> > The problem is that local rules written exactly for Snort events fire very well and do the intended action only while running the ossec-logtest tool. When the OSSEC service is started normally, the local rule is not fired any more.
> >
> > Could there be a problem with the snort log format? In fact, it shouldn't, since if there were a problem with the multiline format of the snort alert file, there wouldn't be any OSSEC alert from the snort file at all. But the point is that the standard alerts are there - only my custom alert is ignored.
> >
> > I tried to do a similar thing with alerts from sshd, and in this case everything works as expected.
> >
> > The two custom rules are as follows:
> >
> > <group name="ids,">
> >
> >   <rule id="100001" level="4">
> >     <if_sid>20100,20101</if_sid>
> >     <decoded_as>snort</decoded_as>
> >     <!-- [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
> >        - [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING
> >     -->
> >     <id>119:15:1|119:16:1</id>
> >     <description>Lower the level for some (http_inspect) events.</description>
> >   </rule>
> >
> > </group> <!-- IDS -->
> >
> > <group name="sshd,">
> >
> >   <rule id="100099" level="5">
> >     <if_sid>5710</if_sid>
> >     <decoded_as>sshd</decoded_as>
> >     <description>IVARSG: rule intercepted, works fine!!!!.</description>
> >   </rule>
> >
> > </group> <!-- IDS -->
> >
> > Rule 100099 fires in both scenarios - logtest and when ossec runs as a service; however, rule 100001 fires only when tested with logtest (while rule 20101 also fires in both scenarios).
> >
> > Could someone please suggest some solution?
> >
> > See attached detailed info as suggested in the "How do I troubleshoot ossec?" section (IP addresses and hostname are modified a little).
> >
> > Thanks in advance for your time and help,
> > Ivars
> >
> > --
> >
>
> Thanks for including all of that info, it was helpful!
>
> This isn't a fix, but it works for me if I use a <match> instead of the id. Still looking into it though.
>
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
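Added example, not text from the thread or from the OSSEC project: a local_rules.xml fragment that keeps Ivars's rule 100001 as posted (keyed on the decoded <id>) and puts beside it the <match> form dan refers to. The exact <match> pattern is an assumption; the reply only says a <match> was used instead of the id, so rule id 100002 and its pattern are illustrative.

```xml
<!-- /var/ossec/rules/local_rules.xml : added example, not the thread's own file.
     Both rules are children of the stock Snort rules (20100/20101), so they are
     only evaluated after one of those has already matched a Snort alert line. -->
<group name="ids,">

  <!-- Form posted in the thread: compares the id field that the snort decoder
       extracts from the "[gid:sid:rev]" tag. Fired under ossec-logtest only. -->
  <rule id="100001" level="4">
    <if_sid>20100,20101</if_sid>
    <decoded_as>snort</decoded_as>
    <id>119:15:1|119:16:1</id>
    <description>Lower the level for some (http_inspect) events.</description>
  </rule>

  <!-- Assumed <match> variant: tests the raw alert text instead of the decoded
       field. <match> is OSSEC's simple pattern syntax (sregex): '|' separates
       alternatives, and '[', ']', '(' and ')' are literal, so the Snort tag can be
       written as it appears in the alert file. No '^' anchor, because the tag is
       not at the start of a full-format Snort alert line. -->
  <rule id="100002" level="4">
    <if_sid>20100,20101</if_sid>
    <decoded_as>snort</decoded_as>
    <match>[119:15:1]|[119:16:1]</match>
    <description>Lower the level for some (http_inspect) events (match variant).</description>
  </rule>

</group> <!-- IDS -->
```

To check which of the two actually fires on a running system, paste one of the two Snort alert lines into /var/ossec/bin/ossec-logtest and confirm the rule id and level it reports, then restart with /var/ossec/bin/ossec-control restart and watch /var/ossec/logs/alerts/alerts.log for the same event: if the entry still shows the stock Snort rule at its original level, the child rule was not applied by the service, which is the symptom the thread describes. Keep only one of the two child rules once you know which behaves; two children with the same parent and overlapping conditions make it harder to tell which one lowered the level.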
