Yes, all my local rules are under the <group name="local,syslog,"> and yes, I made sure to stop and restart everything.
On Thursday, November 12, 2015 at 8:37:35 PM UTC-5, Santiago Bassett wrote:
>
> Hi Daniel,
>
> not sure if that matters, but is your local rule in the same <group name="syslog,errors,">, as rule 1002 is? You sure you restarted the manager, right?
>
> Best
>
> On Thu, Nov 12, 2015 at 7:06 AM, Daniel Bray <[email protected]> wrote:
>
>> I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo)
>>
>> I've updated /var/ossec/rules/local_rules.xml with the following rule:
>>
>> <rule id="100005" level="0">
>> <if_sid>1002</if_sid>
>> <hostname>testserver1|testserver2</hostname>
>> <program_name>mip</program_name>
>> <regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame</regex>
>> <description>Ignore MIP Alerts</description>
>> </rule>
>>
>> I've tested the rule with:
>> ossec-testrule: Type one log per line.
>>
>> Nov 12 13:48:50 testserver1 mip: : HAEngine : WARNING : 2 : Replay protection check failed
>>
>> **Phase 1: Completed pre-decoding.
>> full event: 'Nov 12 13:48:50 testserver1 mip: : HAEngine : WARNING : 2 : Replay protection check failed '
>> hostname: 'testserver1'
>> program_name: 'mip'
>> log: ' : HAEngine : WARNING : 2 : Replay protection check failed '
>>
>> **Phase 2: Completed decoding.
>> No decoder matched.
>>
>> **Phase 3: Completed filtering (rules).
>> Rule id: '100007'
>> Level: '0'
>> Description: 'Ignore MIP Alerts'
>>
>> I've restarted everything, but the servers are still generating alerts:
>>
>> OSSEC HIDS Notification.
>> 2015 Nov 12 14:58:37
>>
>> Received From: (testserver1)
>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> Portion of the log(s):
>>
>> Nov 12 14:58:36 testserver1 mip: : HAEngine : WARNING : 2 : Replay protection check failed
>>
>> --END OF NOTIFICATION
>>
>> Can anybody shed some light on what's going on, or what I should try next?
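The thread never pins down why the rule matches in ossec-testrule but not on the running manager, so here is an added Python script (not OSSEC code and not from the thread) that re-applies the quoted rule's conditions (if_sid, hostname, program_name, regex) to a syslog line one at a time, which makes it easy to see which condition drops a given event. The syslog pre-decoder, the OSSEC-regex translation and the substring-style hostname/program_name matching are simplified assumptions, not OSSEC's real implementation.

```python
import re
import xml.etree.ElementTree as ET
# Constructed copy of the rule quoted in the thread, placed in the group the reply asks about.
LOCAL_RULES = r"""<group name="local,syslog,">
  <rule id="100005" level="0">
    <if_sid>1002</if_sid>
    <hostname>testserver1|testserver2</hostname>
    <program_name>mip</program_name>
    <regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame</regex>
    <description>Ignore MIP Alerts</description>
  </rule>
</group>"""
SYSLOG = re.compile(r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(\S+)\s+([^\s:\[]+)(?:\[\d+\])?:\s?(.*)$")

def predecode(line):
    # Rough stand-in for OSSEC phase 1 (syslog pre-decoding): hostname, program_name, log.
    m = SYSLOG.match(line)
    return None if not m else {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}

def ossec_regex(pattern):
    # OSSEC <regex>: "\." means any character and a bare "." is literal; the operators
    # * + ? | ^ $ keep their meaning. Assumption: only this subset of the syntax is used.
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append("." if pattern[i + 1] == "." else "\\" + pattern[i + 1])
            i += 2
        else:
            out.append(c if c in "*+?|^$" else re.escape(c))
            i += 1
    return re.compile("".join(out))

def ossec_match(field_pattern, value):
    # <hostname>/<program_name> are OS_Match patterns; simplified here to '|'-separated substrings.
    return any(alt and alt in value for alt in field_pattern.split("|"))

def evaluate(rules_xml, line, fired_sids=frozenset({"1002"})):
    # Id of the first rule whose conditions all hold for `line`, else None. As in
    # ossec-testrule, the parent rule named in <if_sid> is assumed to have fired already.
    event = predecode(line)
    if event is None:
        return None
    for rule in ET.fromstring(rules_xml).iter("rule"):
        sid, host = rule.findtext("if_sid"), rule.findtext("hostname")
        prog, rx = rule.findtext("program_name"), rule.findtext("regex")
        if (not sid or sid in fired_sids) and (not host or ossec_match(host, event["hostname"])) \
                and (not prog or ossec_match(prog, event["program_name"])) \
                and (not rx or ossec_regex(rx).search(event["log"])):
            return rule.get("id")
    return None
```

Feeding the alert's own log line through `evaluate(LOCAL_RULES, line)` returns "100005"; changing the hostname, the program name or the HAEngine severity shows which single condition stops the rule from matching.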
