I'm trying to filter out the promiscuous alerts other than eth0/1, basically. I set up a rule to match device eth0 and a rule to ignore the others; however, logtest always defaults to rule 120002 with level 0. What's the best way to filter these logs? I tested some regex in the 3rd rule, but my regex-fu is weak.
<rule id="120001" level="8">
  <if_sid>5100, 5104</if_sid>
  <options>alert_by_email</options>
  <match>device eth0</match>
  <description>Interface entered in promiscuous(sniffing) mode.</description>
  <group>promisc,</group>
</rule>

<rule id="120002" level="0">
  <if_sid>5100, 5104</if_sid>
  <options>no_email_alert</options>
  <description>Interface entered in promiscuous(sniffing) mode.</description>
  <group>promisc,</group>
</rule>

<rule id="120003" level="8">
  <if_sid>5100, 5104</if_sid>
  <options>alert_by_email</options>
  <!-- OSSEC's own regex syntax has no [...] character classes, so the original
       'eth[0-10]' cannot express "eth0 or eth1". '|' is OSSEC's alternation.
       Keeping the word that follows the interface name ("entered", from the
       standard Linux kernel message) stops "eth1" from also selecting eth10. -->
  <regex>device eth0 entered|device eth1 entered</regex>
  <description>Interface entered in promiscuous(sniffing) mode.</description>
  <group>promisc,</group>
</rule>

-- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
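Added example, not code from the original post or from OSSEC itself: a small Python model of OSSEC's `<match>` semantics (an unanchored substring test, with `|` separating alternatives) run over constructed kernel messages, to check which interface names a pattern really selects before putting it into local_rules.xml. The sample log lines are constructed, and the evaluation model (the alerting rule is tried first, everything else falls through to the level-0 rule) is an assumption made for illustration.

```python
# Added example, not from the original post and not OSSEC's own code.
# Approximates OSSEC's <match> semantics (unanchored substring, '|' as OR)
# so a pattern can be sanity-checked against sample messages offline.

# Constructed sample messages, shaped like the Linux kernel's promiscuous
# mode notices after OSSEC's syslog pre-decoder has stripped the header.
SAMPLE_LOGS = [
    "device eth0 entered promiscuous mode",
    "device eth1 entered promiscuous mode",
    "device eth10 entered promiscuous mode",
    "device eth2 entered promiscuous mode",
]


def ossec_match(pattern: str, log: str) -> bool:
    """Approximate OSSEC <match>: plain substring test, '|' separates alternatives."""
    return any(alt in log for alt in pattern.split("|"))


def selected_logs(pattern: str, logs=SAMPLE_LOGS) -> list:
    """Return the sample logs a <match> pattern would select, in input order."""
    return [log for log in logs if ossec_match(pattern, log)]


def classify(log: str, alert_pattern: str) -> int:
    """Assumed evaluation model (an assumption, not a statement about OSSEC's
    rule ordering): the alerting rule 120001 is tried first, and anything it
    does not match falls through to the level-0 rule 120002."""
    return 120001 if ossec_match(alert_pattern, log) else 120002


if __name__ == "__main__":
    # Naive pattern: "device eth1" is also a substring of "device eth10",
    # so the eth10 message would alert as well.
    for log in selected_logs("device eth0|device eth1"):
        print("naive   ->", log)
    # Keeping the word that follows the interface name closes that gap.
    for log in selected_logs("device eth0 entered|device eth1 entered"):
        print("precise ->", log)
    print(classify("device eth2 entered promiscuous mode",
                   "device eth0 entered|device eth1 entered"))
```

Run the script after editing a pattern; if the eth10 line shows up under the "precise" pattern, the pattern still has a substring overlap that will bite once more interfaces appear.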
