Sorry about that, it is just a simple typo. I didn't want to copy&paste the
actual rule, as it had some semi-private information in it. I copied and
pasted my actual rule 100005 to a test rule 100007, so please just ignore
that. Here is the actual updated test rule I'm trying:
<rule id="100007" level="0">
<if_sid>1002</if_sid>
<hostname>testserver</hostname>
<program_name>mip</program_name>
<regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame</regex>
<description>Ignore MIP Alerts</description>
</rule>
Here is the current log entry I'm testing:
Nov 13 16:07:17 testserver mip: : HAEngine : WARNING : 2 : Replay protection check failed
And here are the current results:
**Phase 1: Completed pre-decoding.
full event: 'Nov 13 16:07:17 testserver mip: : HAEngine : WARNING : 2 : Replay protection check failed'
hostname: 'testserver'
program_name: 'mip'
log: ' : HAEngine : WARNING : 2 : Replay protection check failed'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '100007'
Level: '0'
Description: 'Ignore MIP Alerts'
However, the email alerts are still coming in. I'm trying to start some of
this up in debug mode, so I can gather further information.
On Fri, Nov 13, 2015 at 11:27 AM, dan (ddp) <[email protected]> wrote:
> On Fri, Nov 13, 2015 at 11:16 AM, Pedro S. <[email protected]> wrote:
> > My confusion was the rule he wrote here has SID 100005 and the logtest
> > result has SID 100007, sorry about that.
> >
>
> You're right, I totally missed that. Now I'm wondering what 100007 is.
>
> > Still I'll try to create a generic rule to make sure OSSEC is loading new
> > rules.
> >
> > Anyway, if Dan has already tested it, the rule is working; it should be
> > that your OSSEC is not loading the rule properly.
> >
> >
> > On Friday, 13 November 2015 at 8:04:05 (UTC-8), dan (ddpbsd) wrote:
> >>
> >> On Fri, Nov 13, 2015 at 10:59 AM, Pedro S. <[email protected]> wrote:
> >> > Hi Daniel,
> >> >
> >> > The alert you changed to level 0 isn't the same one you wrote some
> >> > lines before, is it?
> >> > You set rule SID 100005 to level 0, but the alert you show us has SID 1002.
> >> >
> >>
> >> The log message used in the ossec-logtest example matches the log
> >> message that is in the alert. The problem is that ossec-logtest shows
> >> that the log message should match rule 100005, but ossec-analysisd is
> >> matching the log message to 1002.
> >>
> >>
> >> > For testing purposes try to deactivate (change to level 0) rule 1002
> and
> >> > check if it is still generating these alerts.
> >> >
> >>
> >> Don't do this. There's no reason to change that to 0. Even for
> >> testing. I've been using OSSEC for a little while now, and I don't
> >> think that would have ever helped with anything.
> >>
> >> >
> >> >
> >> >
> >> >
> >> > On Friday, 13 November 2015 at 7:44:37 (UTC-8), Daniel Bray wrote:
> >> >>
> >> >> On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray wrote:
> >> >>>>
> >> >>>> I'm waiting to see if it generates an alert.
> >> >>>
> >> >>>
> >> >>
> >> >>
> >> >> Nope, issue remains. Very confusing.
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an
> >> > email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
> >
>
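As an added illustration of what the ossec-logtest phases quoted in this thread are doing (example code written for this page, not part of the thread and not OSSEC's own implementation): a small Python model of Phase 1 (pre-decoding a syslog line into hostname, program_name and log) and Phase 3 (walking the rule tree, where a child rule with if_sid is only tried after its parent matched). It translates OSSEC's regex dialect (`\.` any character, `\w`, `\d`, `\s`, `\p`, `*`, `+`, `|`, `^`, `$`) into Python `re`; the keyword list given to rule 1002 is a constructed stand-in, not the real one from syslog_rules.xml, and the `<hostname>`/`<program_name>`/`<match>` options are approximated with the same translator.

```python
"""Toy model of ossec-logtest Phase 1 (pre-decoding) and Phase 3 (rule
matching) for the sample log line from the thread.

Added example, not OSSEC's code: the regex translation and the syslog
pre-decoder are approximations, and rule 1002's keyword list is constructed.
"""
import re
from typing import Optional

# OSSEC regex atoms -> Python equivalents. In OSSEC, \. is "any character",
# \w is alphanumeric plus @ _ -, \s is a space and \p is punctuation.
_OSSEC_ATOMS = {
    ".": ".",
    "w": r"[A-Za-z0-9@_\-]", "W": r"[^A-Za-z0-9@_\-]",
    "d": "[0-9]", "D": "[^0-9]",
    "s": " ", "S": "[^ ]",
    "t": r"\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
}


def ossec_regex_to_python(pattern: str) -> "re.Pattern":
    """Translate an OSSEC <regex> pattern into a compiled Python pattern.
    Only *, +, |, ^, $, ( ) and the backslash atoms are special in OSSEC;
    a bare '.' is a literal dot, so every other character is escaped."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in _OSSEC_ATOMS:
            out.append(_OSSEC_ATOMS[pattern[i + 1]])
            i += 2
            continue
        out.append(ch if ch in "*+|^$()" else re.escape(ch))
        i += 1
    return re.compile("".join(out))


# Approximation of the built-in syslog pre-decoder: "Mon DD HH:MM:SS host prog[pid]: msg".
# The text after the program name's colon is kept verbatim, which is why the
# log field starts with a space for the thread's "mip: : HAEngine ..." line.
_SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^\s:\[]+)(?:\[\d+\])?:(?P<log>.*)$")


def pre_decode(full_event: str) -> dict:
    """Phase 1: split a syslog line into hostname, program_name and log."""
    m = _SYSLOG.match(full_event)
    if not m:
        return {"hostname": None, "program_name": None, "log": full_event}
    return m.groupdict()


def rule_matches(rule: dict, fields: dict) -> bool:
    """Phase 3 per-rule check for the options used in the thread. OSSEC ANDs
    every option present, so all of them must succeed."""
    for key in ("hostname", "program_name"):
        if key in rule and (fields[key] is None
                            or not ossec_regex_to_python(rule[key]).search(fields[key])):
            return False
    for key in ("match", "regex"):
        if key in rule and not ossec_regex_to_python(rule[key]).search(fields["log"]):
            return False
    return True


def evaluate(rules: list, full_event: str) -> Optional[dict]:
    """Walk the rule tree: a child (if_sid) is only tried after its parent
    matched, and the deepest matching rule decides the level."""
    fields = pre_decode(full_event)

    def descend(parent_id):
        for rule in rules:
            if rule.get("if_sid") == parent_id and rule_matches(rule, fields):
                return descend(rule["id"]) or rule
        return None

    return descend(None)


# Constructed rules: 1002's real keyword list is longer; a stand-in is used here.
RULES = [
    {"id": "1002", "level": 2, "match": "failed|error|denied"},
    {"id": "100007", "level": 0, "if_sid": "1002",
     "hostname": "testserver", "program_name": "mip",
     "regex": r"HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame"},
]

# The log line from the thread.
SAMPLE_EVENT = ("Nov 13 16:07:17 testserver mip: : HAEngine : WARNING : 2 : "
                "Replay protection check failed")

if __name__ == "__main__":
    for ruleset, label in ((RULES, "with 100007 loaded"), (RULES[:1], "without 100007")):
        hit = evaluate(ruleset, SAMPLE_EVENT)
        print(f"{label}: rule {hit['id']} level {hit['level']}")
```

Run with both rule sets, the same line ends at rule 100007 (level 0) when the child rule is present and at rule 1002 (level 2) when it is not, which is the difference between the logtest output above and the alerts still arriving: the regex itself is fine, so what matters is which rules the running ossec-analysisd actually loaded.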