On Thu, Nov 12, 2015 at 8:37 PM, Santiago Bassett
<santiago.bass...@gmail.com> wrote:
> Hi Daniel,
>
> not sure if that matters but is your local rule in the same <group
> name="syslog,errors,">, as rule 1002 is? You sure you restarted the manager
> right?
>

Or are you sure the manager restarted? Most of the time when I've seen
this behavior on the list analysisd did not actually stop, so it
didn't pick up the new rules. Running `/var/ossec/bin/ossec-control
stop`, then verifying all of the processes are stopped is a prudent
course of action.

> Best
>
> On Thu, Nov 12, 2015 at 7:06 AM, Daniel Bray <dbray...@gmail.com> wrote:
>>
>> I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo)
>>
>> I've updated /var/ossec/rules/local_rules.xml with the following rule:
>>
>>   <rule id="100005" level="0">
>>     <if_sid>1002</if_sid>
>>     <hostname>testserver1|testserver2</hostname>
>>     <program_name>mip</program_name>
>>     <regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame</regex>
>>     <description>Ignore MIP Alerts</description>
>>   </rule>
>>
>>
>> I've tested the rule with:
>> ossec-testrule: Type one log per line.
>>
>> Nov 12 13:48:50 testserver1 mip:  : HAEngine : WARNING   :     2 : Replay
>> protection check failed
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Nov 12 13:48:50 testserver1 mip:  : HAEngine : WARNING
>> :     2 : Replay protection check failed '
>>        hostname: 'testserver1'
>>        program_name: 'mip'
>>        log: ' : HAEngine : WARNING   :     2 : Replay protection check
>> failed '
>>
>> **Phase 2: Completed decoding.
>>        No decoder matched.
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100007'
>>        Level: '0'
>>        Description: 'Ignore MIP Alerts'
>>
>>
>>
>> I've restarted everything, but the servers are still generating alerts:
>>
>> OSSEC HIDS Notification.
>> 2015 Nov 12 14:58:37
>>
>> Received From: (testserver1)
>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> Nov 12 14:58:36 testserver1 mip:  : HAEngine : WARNING   :     2 : Replay
>> protection check failed
>>
>>  --END OF NOTIFICATION
>>
>>
>>
>> Can anybody shed some light on what's going on, or what I should try next?
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ossec-list+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>
