On Jan 8, 2016 7:12 PM, "BM" <[email protected]> wrote:
>
> I'm trying to filter out the promiscuous alerts other than eth0/1
> basically. I set up a rule to match device eth0 and a rule to ignore others,
> however logtest always defaults to the rule 120002 with level 0. What's the
> best way to filter these logs? I tested some regex in the 3rd rule, but my
> regex foo is weak.
>
> <rule id="120001" level="8">
>    <if_sid>5100, 5104</if_sid>
>    <options>alert_by_email</options>
>    <match>device eth0</match>
>    <description>Interface entered in promiscuous(sniffing) mode.</description>
>    <group>promisc,</group>
>  </rule>
>
> <rule id="120002" level="0">
>    <if_sid>5100, 5104</if_sid>
>    <options>no_email_alert</options>
>    <description>Interface entered in promiscuous(sniffing) mode.</description>
>    <group>promisc,</group>
>  </rule>
>
> <rule id="120003" level="8">
>    <if_sid>5100, 5104</if_sid>
>    <options>alert_by_email</options>
>    <regex>eth[0-10]</regex>

This isn't valid ossec regex.

>    <description>Interface entered in promiscuous(sniffing) mode.</description>
>    <group>promisc,</group>
>  </rule>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
"ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

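One way to get the behaviour asked for above, as an added example that is not from the thread or from the OSSEC project: make the level-0 catch-all the parent rule (OSSEC scans level-0 rules before all others, which is why 120002 wins in logtest) and the eth0/eth1 rule its child, using alternation instead of the `[0-10]` class that OSSEC's regex engine does not support. It assumes stock rule 5104 is the one that fires on the kernel line `device eth0 entered promiscuous mode`.

```xml
<!-- Added example, not from the thread. Assumes the kernel log line is
     "device eth0 entered promiscuous mode" and that stock rule 5104 is the
     OSSEC rule for "Interface entered in promiscuous(sniffing) mode." -->
<group name="local,syslog,">

  <!-- Parent: every promiscuous-mode event is caught here and ignored.
       Level-0 rules are evaluated before all others, so this is the rule
       that matches first; its children are then checked and can override it. -->
  <rule id="120002" level="0">
    <if_sid>5104</if_sid>
    <options>no_email_alert</options>
    <description>Interface entered in promiscuous(sniffing) mode (ignored).</description>
    <group>promisc,</group>
  </rule>

  <!-- Child: only eth0 and eth1 raise a level-8 alert. OSSEC regex has no
       [0-9]-style character classes, so use "|" alternation. Including the
       word after the interface name keeps "eth10" from matching "eth1". -->
  <rule id="120001" level="8">
    <if_sid>120002</if_sid>
    <regex>device eth0 entered|device eth1 entered</regex>
    <options>alert_by_email</options>
    <description>Interface eth0/eth1 entered promiscuous(sniffing) mode.</description>
    <group>promisc,</group>
  </rule>

</group>
```

Check with `ossec-logtest`: a line for eth2 should end at 120002 (level 0), a line for eth0 or eth1 at 120001 (level 8).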
