On Mon, Feb 9, 2015 at 4:26 AM, Glen Leeder <[email protected]> wrote:

> Hi,
>
> I'm using ossec 2.8.1 on Ubuntu 14.04 running locally only, no agents. I have
> the following local_rules.xml defined to exercise syslog monitoring:
>
> $ sudo more /var/ossec/rules/local_rules.xml
> <group name="ossectester,local">
>   <rule id="100000" level="5">
>     <match>OSSEC-TESTER-RULE</match>
>     <description>OSSEC Test Alert</description>
>   </rule>
> </group>
>
> When this rule triggers (by running 'logger "OSSEC-TESTER-RULE"'), an active
> response is executed due to this ossec.conf:
>
> <command>
>   <name>post2slack</name>
>   <executable>ar_slack.sh</executable>
>   <expect></expect>
>   <timeout_allowed>no</timeout_allowed>
> </command>
>
> <active-response>
>   <command>post2slack</command>
>   <location>local</location>
>   <level>4</level>
> </active-response>
>
> This works as expected provided I do not populate the command <expect>
> field. If I specify <expect>srcip</expect> the alert still triggers;
> however, the active response is no longer executed. The syslog entry ends up
> as something like:
>
> Feb 9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE

There is no IP in this log message to be decoded, so it makes sense that AR won't be triggered if it expects there to be a source ip.

> I can't determine from the documentation whether this should work or not.
> myhostname resolves to 127.0.0.1 but I haven't got any white_list IPs
> specified anyway (my end goal is to have some white_listing, which is why I
> specified srcip).
>
> Is there an implicit white_list default or another reason why specifying
> srcip causes the response to no longer execute?
> Is <expect>srcip</expect> required for white_list to work?
>
> Best regards,
> Glen
>
> --
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
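The following is an added illustration of the point made in the reply above; it is not code from this thread or from the OSSEC project. It sketches an active-response script in the argument layout OSSEC 2.x uses for its bundled scripts (action, user, srcip, alert id, rule id), plus two helpers: `first_ipv4` approximates with a regex what an OSSEC decoder does when it extracts a source IP from a log line, and `ar_should_run` mirrors the `<expect>` gate so you can see that the thread's test line yields no IP and is therefore skipped when `<expect>srcip</expect>` is set. The function names, the constructed sshd log line, and the convention that an undecoded field arrives as `-` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the ossec-list thread or the OSSEC project.
# Shows why <expect>srcip</expect> stops an active response for a log line
# that carries no source IP, and what a script like ar_slack.sh receives.

# Approximation of a decoder's srcip extraction: first IPv4 literal in the
# line, or "-" when there is none (assumed marker for "field not decoded").
first_ipv4() {
    ip=$(printf '%s\n' "$1" | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | head -n 1)
    if [ -n "$ip" ]; then
        printf '%s\n' "$ip"
    else
        printf '%s\n' '-'
    fi
}

# Mirror of the <expect> gate: an empty expect always runs the command;
# expect=srcip or expect=username requires that field to have been decoded.
#   $1 expect value ("" | srcip | username)
#   $2 decoded source IP or "-"
#   $3 decoded user name or "-"
ar_should_run() {
    expect="$1"; srcip="$2"; user="$3"
    case "$expect" in
        "")       return 0 ;;
        srcip)    [ -n "$srcip" ] && [ "$srcip" != "-" ] ;;
        username) [ -n "$user" ] && [ "$user" != "-" ] ;;
        *)        return 1 ;;
    esac
}

# One-line summary a poster script would send, built from the positional
# arguments OSSEC 2.x hands to active-response scripts:
#   $1 action (add|delete)  $2 user  $3 srcip  $4 alert id  $5 rule id
ar_message() {
    printf 'ossec action=%s rule=%s alert=%s srcip=%s user=%s\n' \
        "$1" "$5" "$4" "$3" "$2"
}

# Entry point when OSSEC execd invokes the script with its arguments.
# Without arguments (e.g. when sourced for the demo below) nothing is posted.
if [ $# -ge 5 ]; then
    ar_message "$1" "$2" "$3" "$4" "$5"
    exit 0
fi

# Demo on the thread's own syslog line versus a constructed sshd line.
demo_line='Feb 9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE'
ssh_line='sshd[4242]: Failed password for invalid user bob from 192.0.2.10 port 22 ssh2'
for line in "$demo_line" "$ssh_line"; do
    ip=$(first_ipv4 "$line")
    if ar_should_run srcip "$ip" "-"; then
        printf 'expect=srcip: RUN  (srcip=%s)\n' "$ip"
    else
        printf 'expect=srcip: SKIP (no srcip decoded)\n'
    fi
done
```

Running the script with no arguments prints `SKIP` for the `OSSEC-TESTER-RULE` line and `RUN (srcip=192.0.2.10)` for the sshd line; the white_list setting only matters once a source IP has been decoded in the first place.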
