Hi Jon, did you solve the rule problem? I had the same problem and resolved it with my rule:
<rule id="100003" level="0">
  <if_sid>5104</if_sid>
  <hostname>FLOW</hostname>
  <match>device eth1 entered promiscuous mode</match>
  <description>device entered promiscuous mode</description>
</rule>

On Wednesday, August 12, 2015 at 11:21:16 UTC-3, Jon Zeolla wrote:
>
> *Example Rule*
>
> <var name="WHITELIST">^test-01$|^test-02$</var>
> <group name="local,syslog,">
>   <rule id="100099" level="0">
>     <if_sid>5104</if_sid>
>     <hostname>$WHITELIST</hostname>
>     <options>no_email_alert</options>
>     <description>Ignore promiscuous alerts for certain hosts</description>
>     <group>linuxkernel,promisc,</group>
>   </rule>
> </group>
>
> *Successful test*
>
> # ./ossec-logtest -f
> 2015/07/31 10:28:50 ossec-testrule: INFO: Reading local decoder file.
> 2015/07/31 10:28:50 ossec-testrule: INFO: Started (pid: 30517).
> ossec-testrule: Type one log per line.
>
> Jul 31 06:11:23 test-01 kernel: : [*] device eth0 entered promiscuous mode
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jul 31 06:11:23 test-01 kernel: : [*] device eth0 entered promiscuous mode'
>        hostname: 'test-01'
>        program_name: 'kernel'
>        log: ': [*] device eth0 entered promiscuous mode'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>
> **Rule debugging:
>     Trying rule: 1 - Generic template for all syslog rules.
>        *Rule 1 matched.
>        *Trying child rules.
>     *<snip>*
>     Trying rule: 5100 - Pre-match rule for kernel messages
>        *Rule 5100 matched.
>        *Trying child rules.
>     *<snip>*
>        *Rule 5104 matched.
>        *Trying child rules.
>     Trying rule: 100099 - Ignore promiscuous alerts for certain hosts
>        *Rule 100099 matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100099'
>        Level: '0'
>        Description: 'Ignore promiscuous alerts for certain hosts'
>
>
> However, I'm still getting email alerts for these systems which point to it evaluating as 5104 only (i.e. 'Rule: 5104 fired (level 8) -> "Interface entered in promiscuous(sniffing) mode."'). I've restarted the OSSEC server after adding the new rule. Any thoughts?
>
> Jon
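To make the rule chain in the logtest output above concrete, here is a small Python model of how a level-0 child rule hung off 5104 decides the outcome for a given syslog line. It is an added example, not OSSEC's own code or ruleset: the 5100/5104 entries are constructed stand-ins with only the fields needed to reproduce the chain on this page, `<hostname>` and `<program_name>` are treated as Python regexes and `<match>` as a substring (a simplification of OSSEC's matching), and the e-mail threshold of 7 is an assumed default.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-ins for the stock kernel rules the logtest output walks through
# (5100 "Pre-match rule for kernel messages" and 5104, level 8). Not the real OSSEC
# ruleset entries, only enough of them to reproduce the chain shown in the thread.
STOCK_RULES = """
<group name="syslog,linuxkernel,">
  <rule id="5100" level="0">
    <program_name>kernel</program_name>
    <description>Pre-match rule for kernel messages</description>
  </rule>
  <rule id="5104" level="8">
    <if_sid>5100</if_sid>
    <match>promiscuous mode</match>
    <description>Interface entered in promiscuous(sniffing) mode.</description>
  </rule>
</group>
"""

# Jon's whitelist rule (100099) and the replier's per-host rule (100003), from the thread.
LOCAL_RULES = """
<var name="WHITELIST">^test-01$|^test-02$</var>
<group name="local,syslog,">
  <rule id="100099" level="0">
    <if_sid>5104</if_sid>
    <hostname>$WHITELIST</hostname>
    <options>no_email_alert</options>
    <description>Ignore promiscuous alerts for certain hosts</description>
    <group>linuxkernel,promisc,</group>
  </rule>
  <rule id="100003" level="0">
    <if_sid>5104</if_sid>
    <hostname>FLOW</hostname>
    <match>device eth1 entered promiscuous mode</match>
    <description>device entered promiscuous mode</description>
  </rule>
</group>
"""

EMAIL_ALERT_LEVEL = 7  # assumed default e-mail threshold for this model

# Minimal syslog pre-decoder: timestamp, hostname, program name, remaining log text.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^:\[ ]+)(?:\[\d+\])?: (?P<log>.*)$"
)


def load_rules(*xml_fragments):
    """Parse rule fragments into {rule_id: fields}, expanding $VAR references."""
    variables, rules = {}, {}
    for fragment in xml_fragments:
        root = ET.fromstring("<root>" + fragment + "</root>")
        for var in root.iter("var"):
            variables[var.get("name")] = var.text
        for rule in root.iter("rule"):
            fields = {child.tag: (child.text or "") for child in rule}
            fields["id"] = rule.get("id")
            fields["level"] = int(rule.get("level"))
            rules[fields["id"]] = fields
    for rule in rules.values():  # $WHITELIST -> ^test-01$|^test-02$
        for key in ("hostname", "program_name", "match"):
            for name, value in variables.items():
                if key in rule:
                    rule[key] = rule[key].replace("$" + name, value)
    return rules


def pre_decode(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def rule_matches(rule, event):
    # Model assumption: <hostname>/<program_name> are regexes, <match> is a substring.
    for key in ("program_name", "hostname"):
        if key in rule and not re.search(rule[key], event[key]):
            return False
    return "match" not in rule or rule["match"] in event["log"]


def evaluate(rules, line):
    """Walk parent -> child rules; the deepest matching rule decides the outcome."""
    event = pre_decode(line)
    if event is None:
        return None

    def descend(parent_id):  # first matching child wins, then recurse into it
        for rule in rules.values():
            if rule.get("if_sid") == parent_id and rule_matches(rule, event):
                return descend(rule["id"]) or rule
        return None

    final = descend(None)
    if final is None:
        return None
    return {"id": final["id"], "level": final["level"],
            "description": final["description"],
            # e-mail only at/above the threshold and when the rule has not opted out
            "email": final["level"] >= EMAIL_ALERT_LEVEL
            and "no_email_alert" not in final.get("options", "")}


RULES = load_rules(STOCK_RULES, LOCAL_RULES)

if __name__ == "__main__":
    for host in ("test-01", "test-010", "prod-db", "FLOW"):
        print(host, evaluate(RULES, f"Jul 31 06:11:23 {host} kernel: : [*] device eth0 entered promiscuous mode"))
```

Running the script shows the same decision as the logtest session for `test-01` (rule 100099, level 0, no e-mail) and the 5104 outcome (level 8) for hosts the whitelist does not cover. Two details worth checking in your own rules: the `^`/`$` anchors in `WHITELIST` mean `test-010` is not whitelisted, and the per-host rule 100003 only suppresses `eth1` on `FLOW`, so an `eth0` event on that host still resolves to 5104.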
