Sorry, that was just a quick hack at what I had been trying. Wouldn't it match on the <match>device eth0</match> or <regex>^device eth0</regex>? The only rule that matches is 120002.
On Friday, January 8, 2016 at 7:16:09 PM UTC-5, dan (ddpbsd) wrote:
>
> On Jan 8, 2016 7:12 PM, "BM" <[email protected]> wrote:
> >
> > I'm trying to filter out the promiscuous alerts other than eth0/1 basically. I set up a rule to match device eth0 and a rule to ignore others, however logtest always defaults to the rule 120002 with level 0. What's the best way to filter these logs? I tested some regex in the 3rd rule, but my regex foo is weak.
> >
> > <rule id="120001" level="8">
> >   <if_sid>5100, 5104</if_sid>
> >   <options>alert_by_email</options>
> >   <match>device eth0</match>
> >   <description>Interface entered in promiscuous(sniffing) mode.</description>
> >   <group>promisc,</group>
> > </rule>
> >
> > <rule id="120002" level="0">
> >   <if_sid>5100, 5104</if_sid>
> >   <options>no_email_alert</options>
> >   <description>Interface entered in promiscuous(sniffing) mode.</description>
> >   <group>promisc,</group>
> > </rule>
> >
> > <rule id="120003" level="8">
> >   <if_sid>5100, 5104</if_sid>
> >   <options>alert_by_email</options>
> >   <regex>eth[0-10]</regex>
>
> This isn't valid ossec regex.
>
> >   <description>Interface entered in promiscuous(sniffing) mode.</description>
> >   <group>promisc,</group>
> > </rule>
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
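Added example, not code from the thread or from OSSEC itself: a small Python model of how a rule's <match> (a literal substring test where only ^, $ and | are special) and <regex> (OSSEC's own dialect with \d, \w, \s and \. but no [...] character classes) are applied to a decoded log body, run over the three rule conditions quoted above and some constructed promiscuous-mode log lines. The corrected pattern for 120003, and the assumption that the log body reaching the rules has the "kernel:" program name already stripped, are mine.

```python
import re

# os_regex escapes; OSSEC regex has no [...] classes, no ? or {n,m}; bare '.' is literal.
_ESCAPES = {r"\w": "[A-Za-z0-9_]", r"\d": "[0-9]", r"\s": " ", r"\.": "."}
_UNSUPPORTED = re.compile(r"[\[\]?{}]")
def unsupported_regex_chars(pattern):
    """PCRE operators OSSEC does not have ([] ? {}), the problem with eth[0-10]."""
    return sorted(set(_UNSUPPORTED.findall(pattern)))

def ossec_regex_to_python(pattern):
    """Translate an OSSEC <regex> to a Python regex, rejecting foreign syntax."""
    if unsupported_regex_chars(pattern):
        raise ValueError("not valid OSSEC regex: %r" % pattern)
    out, i = [], 0
    while i < len(pattern):
        two = pattern[i:i + 2]
        if two in _ESCAPES:                       # \d, \w, \s, \.
            out.append(_ESCAPES[two]); i += 2
        elif pattern[i] == "\\":                  # other escapes: literal next char
            out.append(re.escape(pattern[i + 1:i + 2])); i += 2
        elif pattern[i] in "^$|()*+":             # same meaning in both dialects
            out.append(pattern[i]); i += 1
        else:                                     # everything else is literal
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)

def ossec_match(pattern, log):
    """<match> is a literal substring test; only ^, $ and | are special."""
    for alt in pattern.split("|"):
        core = alt.strip("^$")
        if alt.startswith("^") and not log.startswith(core): continue
        if alt.endswith("$") and not log.endswith(core): continue
        if core in log: return True
    return False
def rule_matches(rule, log):
    """A rule with neither <match> nor <regex> (120002 above) accepts every log."""
    if "match" in rule and not ossec_match(rule["match"], log): return False
    rx = rule.get("regex")
    return rx is None or bool(re.search(ossec_regex_to_python(rx), log))
def matching_ids(rules, log):
    return [r["id"] for r in rules if rule_matches(r, log)]
# Conditions of rules 120001-120003 as posted; FIXED_120003 is my own rewrite of
# the invalid eth[0-10] in OSSEC syntax (eth0 or eth1 only, so eth10 is excluded).
THREAD_RULES = [{"id": 120001, "match": "device eth0"}, {"id": 120002},
                {"id": 120003, "regex": "eth[0-10]"}]
FIXED_120003 = {"id": 120003, "regex": "^device eth0 |^device eth1 "}
# Constructed log bodies, assumed already stripped of the "kernel:" program name.
LOGS = ["device eth0 entered promiscuous mode", "device eth1 entered promiscuous mode",
        "device eth10 entered promiscuous mode", "device docker0 entered promiscuous mode"]
```

Calling rule_matches on the posted 120003 raises ValueError, which is the same objection logtest has to it; with FIXED_120003 in its place, eth0 and eth1 lines satisfy both 120002 and 120003 while docker0 and eth10 lines satisfy only 120002.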
