Hi,

So it turns out that there seems to be an issue with how ^ and $ are 
interpreted when they're stored in a variable then used in a config file 
between the <hostname> tags.  For example, this works:
<var name="WHITELIST">test-01|test-02</var>
<group name="local,syslog,">
 <rule id="100098" level="3">
  <if_sid>5104</if_sid>
  <hostname>$WHITELIST</hostname>
  <options>no_email_alert</options>
  <description>Ignore promiscuous alerts for certain hosts</description>
  <group>linuxkernel,promisc,</group>
 </rule>
</group>

But any of the below changes breaks it on the ossec server, but not with 
ossec-logtest:
<var name="WHITELIST">^test-01|^test-02</var>
<var name="WHITELIST">test-01$|test-02$</var>
<var name="WHITELIST">^test-01$|^test-02$</var>

The problem with the working solution is that it will incorrectly match on 
hosts like test-011, or not-test-02.  When I add ^ or $ it parses properly 
using ossec-logtest, but it doesn't actually work when the log gets 
processed by the ossec server.  Is there any way to know if this is fixed 
with versions newer than 2.6.0?  

Jon

On Friday, August 21, 2015 at 1:32:03 PM UTC-4, Rafael Farias wrote:
>
> Hi Jon,
>
> Did you solve the rule problem? I had the same problem and resolved it with my rule:
>
> <rule id="100003" level="0">
>    <if_sid>5104</if_sid>
>    <hostname>FLOW</hostname>
>    <match>device eth1 entered promiscuous mode</match>
>    <description>device entered promiscuous mode</description>
> </rule>
>
> On Wednesday, August 12, 2015 at 11:21:16 AM UTC-3, Jon Zeolla wrote:
>>
>> *Example Rule*
>>
>> <var name="WHITELIST">^test-01$|^test-02$</var>
>>
>> <group name="local,syslog,">
>>  <rule id="100099" level="0">
>>   <if_sid>5104</if_sid>
>>   <hostname>$WHITELIST</hostname>
>>   <options>no_email_alert</options>
>>   <description>Ignore promiscuous alerts for certain hosts</description>
>>   <group>linuxkernel,promisc,</group>
>>  </rule>
>> </group>
>>
>> *Successful test*
>>
>> # ./ossec-logtest -f
>> 2015/07/31 10:28:50 ossec-testrule: INFO: Reading local decoder file.
>> 2015/07/31 10:28:50 ossec-testrule: INFO: Started (pid: 30517).
>> ossec-testrule: Type one log per line.
>>
>> Jul 31 06:11:23 test-01 kernel: : [*] device eth0 entered promiscuous mode
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jul 31 06:11:23 test-01 kernel: : [*] device eth0 entered promiscuous mode'
>>        hostname: 'test-01'
>>        program_name: 'kernel'
>>        log: ': [*] device eth0 entered promiscuous mode'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'iptables'
>>
>> **Rule debugging:
>>     Trying rule: 1 - Generic template for all syslog rules.
>>        *Rule 1 matched.
>>        *Trying child rules.
>> *<snip>*
>>     Trying rule: 5100 - Pre-match rule for kernel messages
>>        *Rule 5100 matched.
>>        *Trying child rules.
>> *<snip>*
>>        *Rule 5104 matched.
>>        *Trying child rules.
>>     Trying rule: 100099 - Ignore promiscuous alerts for certain hosts
>>        *Rule 100099 matched.
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100099'
>>        Level: '0'
>>        Description: 'Ignore promiscuous alerts for certain hosts'
>>
>> However, I'm still getting email alerts for these systems which point to
>> it evaluating as 5104 only (i.e. 'Rule: 5104 fired (level 8) ->
>> "Interface entered in promiscuous(sniffing) mode."').  I've restarted
>> the OSSEC server after adding the new rule.  Any thoughts?
>>
>> Jon
>>
>

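An added example, not from this thread and not OSSEC's own code: a small Python model of the pipeline ossec-logtest prints above (syslog pre-decoding into hostname/program_name/log, expansion of `$WHITELIST` into the `<hostname>` field, and simple-regex matching where `|` separates alternatives and `^`/`$` anchor to the start/end of the hostname, as OSSEC's documentation describes its sregex). It runs each WHITELIST variant from the thread over constructed kernel promisc events. `sregex_match` is a simplified reimplementation of the documented behaviour, not OSSEC's OS_Match, and it deliberately does not model the server-versus-logtest difference Jon reports; what it shows is which hosts each variant would silence and why only the fully anchored form is exact. Hostnames other than test-01 and test-02 are assumed.

```python
"""Model OSSEC <hostname> matching for the WHITELIST variants in the thread."""
import re
import xml.etree.ElementTree as ET

# Constructed sample events (same shape as the ossec-logtest input above).
SAMPLE_LOGS = [
    "Jul 31 06:11:23 test-01 kernel: : [*] device eth0 entered promiscuous mode",
    "Jul 31 06:11:24 test-02 kernel: : [*] device eth0 entered promiscuous mode",
    "Jul 31 06:11:25 test-011 kernel: : [*] device eth0 entered promiscuous mode",
    "Jul 31 06:11:26 not-test-02 kernel: : [*] device eth1 entered promiscuous mode",
    "Jul 31 06:11:27 db-01 kernel: : [*] device eth0 entered promiscuous mode",
]

# Minimal syslog pre-decoder: timestamp, hostname, program name, log body.
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<hostname>\S+) "
    r"(?P<program_name>[^:\s\[]+)(?:\[\d+\])?: ?(?P<log>.*)$"
)


def predecode(line):
    """Return the fields logtest shows in 'Phase 1', or None if not syslog."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def expand_vars(value, variables):
    """Replace $NAME with the matching <var> text; unknown names are left as-is."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def sregex_match(pattern, text):
    """Simplified model of the documented sregex: '|' separates alternatives,
    each one is a plain substring test unless it starts with '^' (anchored to
    the start) or ends with '$' (anchored to the end). The '!' negation prefix
    is not modelled."""
    for alt in pattern.split("|"):
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        core = alt[1 if at_start else 0:len(alt) - (1 if at_end else 0)]
        if at_start and at_end:
            hit = text == core
        elif at_start:
            hit = text.startswith(core)
        elif at_end:
            hit = text.endswith(core)
        else:
            hit = core in text
        if hit:
            return True
    return False


def load_rules(rules_xml):
    """Collect <var> definitions and <rule> elements; a rules file has several
    top-level elements, so wrap it in a root before parsing."""
    root = ET.fromstring("<root>" + rules_xml + "</root>")
    variables = {v.get("name"): (v.text or "") for v in root.iter("var")}
    rules = []
    for r in root.iter("rule"):
        hostname = r.findtext("hostname")
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "hostname": expand_vars(hostname, variables) if hostname else None,
        })
    return rules


def silenced_hosts(whitelist, logs=SAMPLE_LOGS):
    """Hostnames whose promisc event the level-0 child rule would swallow when
    <var name="WHITELIST"> holds `whitelist` (rule text taken from the thread)."""
    rules_xml = (
        f'<var name="WHITELIST">{whitelist}</var>\n'
        '<group name="local,syslog,">\n'
        '  <rule id="100099" level="0">\n'
        '    <if_sid>5104</if_sid>\n'
        '    <hostname>$WHITELIST</hostname>\n'
        '    <options>no_email_alert</options>\n'
        '    <description>Ignore promiscuous alerts for certain hosts</description>\n'
        '    <group>linuxkernel,promisc,</group>\n'
        '  </rule>\n'
        '</group>'
    )
    rule = next(r for r in load_rules(rules_xml) if r["hostname"])
    hosts = []
    for line in logs:
        event = predecode(line)
        if event and sregex_match(rule["hostname"], event["hostname"]):
            hosts.append(event["hostname"])
    return hosts


if __name__ == "__main__":
    for variant in ("test-01|test-02", "^test-01|^test-02",
                    "test-01$|test-02$", "^test-01$|^test-02$"):
        print(f"{variant:22} silences {silenced_hosts(variant)}")
```

Under this model the unanchored value silences test-011 and not-test-02 as Jon describes, the start-only and end-only variants each still let one of those through, and only `^test-01$|^test-02$` matches exactly. If the anchored variable works in ossec-logtest but not in the running server, a useful isolation step is to temporarily put the literal `^test-01$|^test-02$` straight into `<hostname>` without the `$WHITELIST` indirection, which separates the variable expansion from the anchor handling as the cause.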