I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo)
I've updated /var/ossec/rules/local_rules.xml with the following rule:
    <rule id="100005" level="0">
      <if_sid>1002</if_sid>
      <hostname>testserver1|testserver2</hostname>
      <program_name>mip</program_name>
      <regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame</regex>
      <description>Ignore MIP Alerts</description>
    </rule>
I've tested the rule with:
    ossec-testrule: Type one log per line.

    Nov 12 13:48:50 testserver1 mip: : HAEngine : WARNING : 2 : Replay protection check failed

    **Phase 1: Completed pre-decoding.
           full event: 'Nov 12 13:48:50 testserver1 mip: : HAEngine : WARNING : 2 : Replay protection check failed '
           hostname: 'testserver1'
           program_name: 'mip'
           log: ' : HAEngine : WARNING : 2 : Replay protection check failed '

    **Phase 2: Completed decoding.
           No decoder matched.

    **Phase 3: Completed filtering (rules).
           Rule id: '100007'
           Level: '0'
           Description: 'Ignore MIP Alerts'
I've restarted everything, but the servers are still generating alerts:
    OSSEC HIDS Notification.
    2015 Nov 12 14:58:37

    Received From: (testserver1)
    Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
    Portion of the log(s):

    Nov 12 14:58:36 testserver1 mip: : HAEngine : WARNING : 2 : Replay protection check failed

    --END OF NOTIFICATION
Can anybody shed some light on what's going on, or what I should try next?
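Editor's note: a small harness, added here and not part of the original post or of OSSEC itself, for checking a silencing rule the way the post does by hand. It parses the Phase 3 block that ossec-logtest prints (the tool that announces itself as "ossec-testrule"), reads the rule ids declared in a local_rules.xml fragment, and reports whether the line is silenced by the rule you intended. The binary path /var/ossec/bin/ossec-logtest and its acceptance of one log line on stdin are assumptions; the sample rule and sample output below are reconstructed from the post. Run against the post's own data it reports a mismatch, because the posted rule carries id 100005 while Phase 3 shows 100007 firing, so some other level-0 rule in local_rules.xml matched the line.

```python
import re
import subprocess
import xml.etree.ElementTree as ET

# Assumption: default OSSEC install path for the rule-testing tool.
LOGTEST = "/var/ossec/bin/ossec-logtest"

# Matches the Phase 3 block ossec-logtest prints, e.g.
#   **Phase 3: Completed filtering (rules).
#          Rule id: '100007'
#          Level: '0'
#          Description: 'Ignore MIP Alerts'
PHASE3_RE = re.compile(
    r"\*\*Phase 3: Completed filtering \(rules\)\.\s*"
    r"Rule id: '(?P<id>\d+)'\s*"
    r"Level: '(?P<level>\d+)'\s*"
    r"Description: '(?P<desc>[^']*)'",
    re.S,
)


def parse_logtest_output(text):
    """Return the rule that fired as {'id', 'level', 'description'}, or None if no rule matched."""
    m = PHASE3_RE.search(text)
    if m is None:
        return None
    return {
        "id": int(m.group("id")),
        "level": int(m.group("level")),
        "description": m.group("desc"),
    }


def local_rule_ids(xml_text):
    """Rule ids declared in a local_rules.xml fragment (wrapped in a root so a bare <rule> also parses)."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return {int(rule.get("id")) for rule in root.iter("rule")}


def check_suppression(output, declared_ids, expected_id):
    """Decide whether the log line was silenced by the intended rule. Returns (ok, reason)."""
    fired = parse_logtest_output(output)
    if fired is None:
        return False, "no rule matched in Phase 3; the line will fall through to the defaults"
    if fired["level"] != 0:
        return False, "rule %d fired at level %d, so an alert is still generated" % (fired["id"], fired["level"])
    if fired["id"] not in declared_ids:
        return False, "level-0 rule %d fired but is not declared in local_rules.xml" % fired["id"]
    if fired["id"] != expected_id:
        return False, "level-0 rule %d fired instead of %d; another local rule matched first" % (fired["id"], expected_id)
    return True, "rule %d silenced the line" % expected_id


def run_logtest(line, binary=LOGTEST):
    """Feed one log line to ossec-logtest on stdin and return its combined output (assumed interface)."""
    proc = subprocess.run([binary], input=line + "\n", capture_output=True, text=True)
    return proc.stdout + proc.stderr


# Constructed sample data, reconstructed from the post.
SAMPLE_RULE_XML = r"""
<rule id="100005" level="0">
  <if_sid>1002</if_sid>
  <hostname>testserver1|testserver2</hostname>
  <program_name>mip</program_name>
  <regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame</regex>
  <description>Ignore MIP Alerts</description>
</rule>
"""

SAMPLE_OUTPUT = """**Phase 1: Completed pre-decoding.
       full event: 'Nov 12 13:48:50 testserver1 mip: : HAEngine : WARNING : 2 : Replay protection check failed '
       hostname: 'testserver1'
       program_name: 'mip'
       log: ' : HAEngine : WARNING : 2 : Replay protection check failed '

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100007'
       Level: '0'
       Description: 'Ignore MIP Alerts'
"""

if __name__ == "__main__":
    ok, why = check_suppression(SAMPLE_OUTPUT, local_rule_ids(SAMPLE_RULE_XML), expected_id=100005)
    print(("suppressed: " if ok else "NOT suppressed: ") + why)
```

To test a live box, replace SAMPLE_OUTPUT with run_logtest(line) for each line you expect to be silenced and pass the real local_rules.xml contents to local_rule_ids; a mismatch between the expected id and the one Phase 3 reports is worth chasing before looking anywhere else, since it means the rule you edited is not the one that matched.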