*Example Rule*
<var name="WHITELIST">^test-01$|^test-02$</var>
<group name="local,syslog,">
<rule id="100099" level="0">
<if_sid>5104</if_sid>
<hostname>$WHITELIST</hostname>
<options>no_email_alert</options>
<description>Ignore promiscuous alerts for certain hosts</description>
<group>linuxkernel,promisc,</group>
</rule>
</group>
*Successful test*
# ./ossec-logtest -f
2015/07/31 10:28:50 ossec-testrule: INFO: Reading local decoder file.
2015/07/31 10:28:50 ossec-testrule: INFO: Started (pid: 30517).
ossec-testrule: Type one log per line.
Jul 31 06:11:23 test-01 kernel: : [*] device eth0 entered promiscuous mode
**Phase 1: Completed pre-decoding.
full event: 'Jul 31 06:11:23 test-01 kernel: : [*] device eth0 entered promiscuous mode'
hostname: 'test-01'
program_name: 'kernel'
log: ': [*] device eth0 entered promiscuous mode'
**Phase 2: Completed decoding.
decoder: 'iptables'
**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched.
*Trying child rules.
*<snip>*
Trying rule: 5100 - Pre-match rule for kernel messages
*Rule 5100 matched.
*Trying child rules.
*<snip>*
*Rule 5104 matched.
*Trying child rules.
Trying rule: 100099 - Ignore promiscuous alerts for certain hosts
*Rule 100099 matched.
**Phase 3: Completed filtering (rules).
Rule id: '100099'
Level: '0'
Description: 'Ignore promiscuous alerts for certain hosts'
However, I'm still getting email alerts for these systems which point to it
evaluating as 5104 only (i.e. 'Rule: 5104 fired (level 8) -> "Interface
entered in promiscuous(sniffing) mode."'). I've restarted the OSSEC server
after adding the new rule. Any thoughts?
Jon
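An added illustration (not part of the original post and not OSSEC code): a small Python model of the rule chain shown above, run over constructed syslog lines in the same shape as the one fed to ossec-logtest. It reproduces only the pieces that decide which rule a line ends on: pre-decoding of the syslog header into hostname, program_name and log; `<if_sid>` parent/child evaluation where the deepest matching rule fires; `$WHITELIST` expansion; a simplified `<hostname>` matcher with `|` alternation and `^`/`$` anchors; and the `no_email_alert` option. Rules 5100 and 5104 are stand-ins for the stock syslog rules (the `promiscuous mode` match text is an assumption), and the email threshold of 7 assumes OSSEC's default `<email_alert_level>`. Beyond the post's single test line it also checks hosts that are not in the whitelist, including an FQDN form (`test-01.example.com`) and a near-miss (`test-011`), both of which the `^...$` anchors correctly leave to rule 5104.

```python
"""Simplified model of an OSSEC rule chain for checking a hostname whitelist.

Added illustration, not OSSEC code: only the parts needed to see which rule a
syslog line ends on are modelled.
"""
import re

# <var name="WHITELIST"> from the posted rule.
VARS = {"WHITELIST": "^test-01$|^test-02$"}

# Assumption: OSSEC's stock ossec.conf ships <email_alert_level>7</email_alert_level>.
EMAIL_ALERT_LEVEL = 7

# 5100/5104 are simplified stand-ins for the stock syslog rules (the match text
# of 5104 is an assumption); 100099 is the rule from the post.
RULES = [
    {"id": 5100, "level": 0, "if_sid": None, "program_name": "kernel",
     "description": "Pre-match rule for kernel messages"},
    {"id": 5104, "level": 8, "if_sid": 5100, "match": "promiscuous mode",
     "description": "Interface entered in promiscuous(sniffing) mode."},
    {"id": 100099, "level": 0, "if_sid": 5104, "hostname": "$WHITELIST",
     "options": {"no_email_alert"},
     "description": "Ignore promiscuous alerts for certain hosts"},
]

# Constructed sample lines (not from the original post) in plain syslog form.
SAMPLE_LOGS = [
    "Jul 31 06:11:23 test-01 kernel: : [*] device eth0 entered promiscuous mode",
    "Jul 31 06:11:24 test-02 kernel: : [*] device eth1 entered promiscuous mode",
    "Jul 31 06:11:25 test-03 kernel: : [*] device eth0 entered promiscuous mode",
    "Jul 31 06:11:26 test-01.example.com kernel: : [*] device eth0 entered promiscuous mode",
    "Jul 31 06:11:27 test-011 kernel: : [*] device eth0 entered promiscuous mode",
    "Jul 31 06:11:28 test-01 sshd[123]: Accepted publickey for jon from 10.0.0.5",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program>[^:\[ ]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def predecode(line):
    """Phase 1: pull hostname, program_name and log out of a syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"hostname": m.group("hostname"),
            "program_name": m.group("program"),
            "log": m.group("log")}


def expand_vars(pattern):
    """Replace $NAME with its <var name="NAME"> definition."""
    return re.sub(r"\$(\w+)", lambda m: VARS[m.group(1)], pattern)


def os_match(pattern, value):
    """Simplified matcher: '|' alternation, '^' anchors the start, '$' anchors
    the end, anything else is a substring test. Case handling is not modelled."""
    for alt in expand_vars(pattern).split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        core = alt[1 if start else 0: -1 if end else None]
        if start and end:
            ok = value == core
        elif start:
            ok = value.startswith(core)
        elif end:
            ok = value.endswith(core)
        else:
            ok = core in value
        if ok:
            return True
    return False


def rule_matches(rule, event):
    """Check the fields a rule declares against a pre-decoded event."""
    if "program_name" in rule and event["program_name"] != rule["program_name"]:
        return False
    if "match" in rule and rule["match"] not in event["log"]:
        return False
    if "hostname" in rule and not os_match(rule["hostname"], event["hostname"]):
        return False
    return True


def evaluate(line):
    """Phases 1-3: decode the line, then walk parent -> child rules; the
    deepest matching rule fires. Returns None when no rule matched."""
    event = predecode(line)
    if event is None:
        return None
    fired, parent = None, None
    while True:
        child = next((r for r in RULES
                      if r["if_sid"] == parent and rule_matches(r, event)), None)
        if child is None:
            break
        fired, parent = child, child["id"]
    if fired is None:
        return None
    email = (fired["level"] >= EMAIL_ALERT_LEVEL
             and "no_email_alert" not in fired.get("options", set()))
    return {"hostname": event["hostname"], "rule_id": fired["id"],
            "level": fired["level"], "email": email}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(evaluate(line))
```

Running it shows `test-01` and `test-02` ending on rule 100099 at level 0 with no email, while `test-03`, `test-01.example.com` and `test-011` all end on 5104 at level 8 with an email; the sshd line matches nothing because it never passes the kernel pre-match. If the hostnames in the server's real alerts carry a domain suffix, the anchored `^test-01$` form will not match them, so comparing the `hostname:` field of a live alert against the whitelist is a worthwhile check.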