On Wed, Aug 12, 2015 at 9:30 AM, Jon Zeolla <[email protected]> wrote:
> Example Rule
>
> > <var name="WHITELIST">^test-01$|^test-02$</var>
> > <group name="local,syslog,">
> >   <rule id="100099" level="0">
> >     <if_sid>5104</if_sid>
> >     <hostname>$WHITELIST</hostname>
> >     <options>no_email_alert</options>
> >     <description>Ignore promiscuous alerts for certain hosts</description>
> >     <group>linuxkernel,promisc,</group>
> >   </rule>
> > </group>
>
> Successful test
>
> > # ./ossec-logtest -f
> > 2015/07/31 10:28:50 ossec-testrule: INFO: Reading local decoder file.
> > 2015/07/31 10:28:50 ossec-testrule: INFO: Started (pid: 30517).
> > ossec-testrule: Type one log per line.
> >
> > Jul 31 06:11:23 test-01 kernel: : [*] device eth0 entered promiscuous mode
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Jul 31 06:11:23 test-01 kernel: : [*] device eth0 entered promiscuous mode'
> >        hostname: 'test-01'
> >        program_name: 'kernel'
> >        log: ': [*] device eth0 entered promiscuous mode'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'iptables'
> >
> > **Rule debugging:
> >     Trying rule: 1 - Generic template for all syslog rules.
> >        *Rule 1 matched.
> >        *Trying child rules.
> >     <snip>
> >     Trying rule: 5100 - Pre-match rule for kernel messages
> >        *Rule 5100 matched.
> >        *Trying child rules.
> >     <snip>
> >        *Rule 5104 matched.
> >        *Trying child rules.
> >     Trying rule: 100099 - Ignore promiscuous alerts for certain hosts
> >        *Rule 100099 matched.
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '100099'
> >        Level: '0'
> >        Description: 'Ignore promiscuous alerts for certain hosts'
>
> However, I'm still getting email alerts for these systems which point to it
> evaluating as 5104 only (i.e. 'Rule: 5104 fired (level 8) -> "Interface
> entered in promiscuous(sniffing) mode."'). I've restarted the OSSEC server
> after adding the new rule. Any thoughts?
Try stopping the processes and making sure analysisd actually stops. This has been an issue in the past. Also, try creating 2 rules, one for each system to see if that works.

> Jon
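As an added example (not part of either message in this thread), the following POSIX shell helper implements the suggestion above: stop OSSEC, confirm that ossec-analysisd has really exited before starting it again, and refuse to continue if it has not, since an analysisd that survives the stop keeps the previously loaded ruleset in memory and will go on alerting on rule 5104. The OSSEC_HOME default of /var/ossec is an assumption about the install location; the process state is read from `ps -eo pid,comm`, and the sample listing at the end is constructed, not real output.

```shell
#!/bin/sh
# Added example: make sure ossec-analysisd is really gone after a stop,
# so a restart actually loads the new local rules.
# OSSEC_HOME is an assumed default; override it for a non-standard install.
OSSEC_HOME="${OSSEC_HOME:-/var/ossec}"

# Return 0 if the given "ps -eo pid,comm" listing still shows ossec-analysisd,
# 1 otherwise. Kept separate from the live check so it can be run on canned input.
analysisd_in_listing() {
    printf '%s\n' "$1" | awk '$2 == "ossec-analysisd" { found = 1 }
                              END { if (found) exit 0; exit 1 }'
}

# Live check against the running system.
analysisd_running() {
    analysisd_in_listing "$(ps -eo pid,comm)"
}

# Stop OSSEC, wait up to ~10 s for analysisd to exit, then start it again.
# Fails loudly instead of starting a second copy beside a lingering one.
restart_ossec_cleanly() {
    "$OSSEC_HOME/bin/ossec-control" stop || return 1
    i=0
    while analysisd_running && [ "$i" -lt 10 ]; do
        sleep 1
        i=$((i + 1))
    done
    if analysisd_running; then
        echo "ossec-analysisd still running after stop; old rules stay loaded" >&2
        return 1
    fi
    "$OSSEC_HOME/bin/ossec-control" start
}

# Constructed sample listing (not real ps output) to show the check offline.
SAMPLE_LISTING="  PID COMMAND
 1234 ossec-analysisd
 1235 ossec-syscheckd"
if analysisd_in_listing "$SAMPLE_LISTING"; then
    echo "sample listing: ossec-analysisd is still present"
fi
```

Run `restart_ossec_cleanly` as root on the OSSEC server after editing local_rules.xml; if it reports that analysisd is still running, kill the stale process by hand before starting OSSEC again, otherwise the new rule 100099 is never read.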
