On Tuesday, December 1, 2015 at 9:38:30 AM UTC-5, Daniel Bray wrote:
>
> On Mon, Nov 30, 2015 at 5:28 PM, Ryan Schulze  wrote:
>
>>
>> Is this the only rule in your local_rules.xml that isn't working, or are 
>> all rules in your local_rules.xml not working?
>>
>>
> So far, this is the only rule that I just can't seem to stop emailing. I 
> have other rules, and when I check them against ossec-logtest, they come 
> back as "Level: 0", which I've correctly configured. I wait, and no email 
> alerts come in, which is the expected behavior. In fact, I have about 12 
> rules filtering out various known issues. It's just this one that will not 
> stop emailing, and wouldn't you know it, it is rather a common "alert" that 
> comes in a few hundred times a day. 
>
>

Spoke too soon. I've found another rule that is not working (new rule, just 
enabled today):
  <rule id="100013" level="0">
    <hostname>10.10.10.10</hostname>
    <regex>decrypt: mac verify failed for connection|decrypt: replay check failed</regex>
    <description>Ignore mac verify and replay check alerts</description>
  </rule>

Here is the test log entry:

Dec  1 17:09:28 10.10.10.10 46508: *Dec  1 17:12:31.321: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=4705 spi=F1D214CD seqno=F1D214CD

ossec-logtest shows:
**Phase 1: Completed pre-decoding.
       full event: 'Dec  1 17:09:28 10.10.10.10 46508: *Dec  1 17:12:31.321: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=4705 spi=F1D214CD seqno=F1D214CD'
       hostname: '10.10.10.10'
       program_name: '46508'
       log: '*Dec  1 17:12:31.321: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=4705 spi=F1D214CD seqno=F1D214CD'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100013'
       Level: '0'
       Description: 'Ignore mac verify and replay check alerts'


However, the emails are still getting generated with:

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

Portion of the log(s):

Dec  1 17:09:28 10.10.10.10 46508: *Dec  1 17:12:31.321: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=4705 spi=F1D214CD seqno=F1D214CD

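As an added example (my own script, not OSSEC code and not something posted in this thread), the following replays what ossec-logtest's Phase 1 and Phase 3 do for the rule and log line above: it splits the syslog header into hostname, program_name and log, then tests the rule's <hostname> and each '|' alternative of its <regex> against those fields. The function names (predecode, stray_whitespace, check_rule, logtest) are mine; alternatives are matched as plain substrings, which is all this rule needs, and an alternative that picked up blanks or a newline from a wrapped rule line is flagged, because such an alternative never matches anything.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copies of the rule and the log line posted in the thread.
LOCAL_RULES_XML = """<rule id="100013" level="0">
  <hostname>10.10.10.10</hostname>
  <regex>decrypt: mac verify failed for connection|decrypt: replay check failed</regex>
  <description>Ignore mac verify and replay check alerts</description>
</rule>"""
SAMPLE_LOG = ("Dec  1 17:09:28 10.10.10.10 46508: *Dec  1 17:12:31.321: "
              "%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for "
              "connection id=4705 spi=F1D214CD seqno=F1D214CD")
# Syslog header as logtest's Phase 1 reports it: timestamp, hostname,
# program_name (here the router's "46508" sequence number), then the log.
SYSLOG_HDR = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")

def predecode(line):
    """Phase 1: split the syslog header, or return None if it does not parse."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    return {"hostname": m.group(2), "program_name": m.group(3), "log": m.group(4)}

def stray_whitespace(regex_text):
    """Alternatives carrying leading/trailing blanks or an embedded newline
    (typically from a wrapped rule line); such an alternative never matches."""
    return [a for a in regex_text.split("|") if a != a.strip() or "\n" in a]

def check_rule(rule, fields):
    """Phase 3 for one rule: every element present must match. '|' alternatives
    are tested as plain substrings of the log field (real OS_Regex does more)."""
    host = rule.findtext("hostname")
    if host is not None and host not in fields["hostname"]:
        return False
    rx = rule.findtext("regex")
    if rx is not None:
        bad = stray_whitespace(rx)
        if bad:
            raise ValueError(f"regex alternative has stray whitespace: {bad!r}")
        if not any(a in fields["log"] for a in rx.split("|")):
            return False
    return True

def logtest(rules_xml, line):
    """Return (id, level, description) of the first matching rule, else None."""
    fields = predecode(line)
    if fields is None:
        return None
    for rule in ET.fromstring(rules_xml).iter("rule"):
        if check_rule(rule, fields):
            return (rule.get("id"), int(rule.get("level")), rule.findtext("description"))
    return None
```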