I'm trying this:

<group name="syslog,linuxkernel,">
<!-- Limit promiscuous alerts to ethX interfaces only -->
<rule id="120001" level="8">
   <if_sid>5104</if_sid>
   <options>alert_by_email</options>
   <match>device eth0</match>
   <description>Interface entered in promiscuous(sniffing) mode.</description>
   <group>promisc,</group>
 </rule>
<rule id="120002" level="0">
   <if_sid>5104</if_sid>
   <options>no_email_alert</options>
   <description>Rule to ignore anything but eth0/eth1</description>
   <group>promisc,</group>
</rule>
</group> <!-- SYSLOG,LINUXKERNEL -->
and getting this:

**Phase 1: Completed pre-decoding.
       full event: 'Jan  8 14:23:34 host kernel:  device eth0 entered promiscuous mode'
       hostname: 'host'
       program_name: 'kernel'
       log: ' device eth0 entered promiscuous mode'

**Phase 2: Completed decoding.
       decoder: 'iptables'

**Phase 3: Completed filtering (rules).
       Rule id: '120002'
       Level: '0'
       Description: 'Rule to ignore anything but eth0/eth1'
Jan  8 14:23:34 host kernel:  device vead12 entered promiscuous mode


**Phase 1: Completed pre-decoding.
       full event: 'Jan  8 14:23:34 host kernel:  device vead12 entered promiscuous mode'
       hostname: 'host'
       program_name: 'kernel'
       log: ' device vead12 entered promiscuous mode'

**Phase 2: Completed decoding.
       decoder: 'iptables'

**Phase 3: Completed filtering (rules).
       Rule id: '120002'
       Level: '0'
       Description: 'Rule to ignore anything but eth0/eth1'

Referenced this previous question also:
https://groups.google.com/forum/#!searchin/ossec-list/ignore$20certain/ossec-list/C7-9avtnS5s/gpRMk-For1sJ

On Friday, January 8, 2016 at 9:18:33 PM UTC-5, BM wrote:
>
> Sorry, that was just a quick hack at what I had been trying. Wouldn't it 
> match on the <match>device eth0</match> or <regex>^device eth0</regex>? The 
> only rule that matches is 120002.
>
> On Friday, January 8, 2016 at 7:16:09 PM UTC-5, dan (ddpbsd) wrote:
>>
>>
>> On Jan 8, 2016 7:12 PM, "BM" <[email protected]> wrote:
>> >
>> > I'm trying to filter out the promiscuous alerts other than eth0/1 
>> basically. I setup a rule to match device eth0 and a rule to ignore others, 
>> however logtest always defaults to the rule 120002 with level 0. What's the 
>> best way to filter these logs? I tested some regex in the 3rd rule, but my 
>> regex foo is weak.
>> >
>> > <rule id="120001" level="8">
>> >    <if_sid>5100, 5104</if_sid>
>> >    <options>alert_by_email</options>
>> >    <match>device eth0</match>
>> >    <description>Interface entered in promiscuous(sniffing) mode.</description>
>> >    <group>promisc,</group>
>> >  </rule>
>> >
>> > <rule id="120002" level="0">
>> >    <if_sid>5100, 5104</if_sid>
>> >    <options>no_email_alert</options>
>> >    <description>Interface entered in promiscuous(sniffing) mode.</description>
>> >    <group>promisc,</group>
>> >  </rule>
>> >
>> > <rule id="120003" level="8">
>> >    <if_sid>5100, 5104</if_sid>
>> >    <options>alert_by_email</options>
>> >    <regex>eth[0-10]</regex>
>>
>> This isn't valid ossec regex.
>>
>> >    <description>Interface entered in promiscuous(sniffing) mode.</description>
>> >    <group>promisc,</group>
>> >  </rule>
>> >
>> > -- 
>> >
>> > --- 
>> > You received this message because you are subscribed to the Google 
>> Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send 
>> an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>>
>

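One way to get the intended behaviour, as an added example that is not from anyone in the thread: the logtest output above shows the level-0 rule 120002 winning for every interface, so instead of fighting that order, keep it as the silent catch-all and make the eth0/eth1 alert a child of it via if_sid. The interfaces are written as a literal alternation because, as noted in the thread, eth[0-10] is not valid OSSEC regex. Rule ids 120001/120002 and the parent rule 5104 are reused from the post; the file is assumed to live in local_rules.xml.

```xml
<group name="syslog,linuxkernel,">
  <!-- Silent catch-all for every promiscuous-mode event from rule 5104.
       Level-0 rules are evaluated before the others, so this always matches
       first (exactly what the logtest output above shows). -->
  <rule id="120002" level="0">
    <if_sid>5104</if_sid>
    <description>Interface other than eth0/eth1 entered promiscuous mode (ignored).</description>
    <group>promisc,</group>
  </rule>

  <!-- Child of the catch-all: only evaluated after 120002 matched, and only
       fires for eth0 or eth1. OSSEC regex has no [0-9] style ranges, so the
       interface names are spelled out as alternatives. -->
  <rule id="120001" level="8">
    <if_sid>120002</if_sid>
    <regex>device eth0 entered|device eth1 entered</regex>
    <options>alert_by_email</options>
    <description>Interface eth0/eth1 entered promiscuous (sniffing) mode.</description>
    <group>promisc,</group>
  </rule>
</group> <!-- SYSLOG,LINUXKERNEL -->
```

Check it with ossec-logtest using the two kernel lines from the output above: the eth0 line should now end at rule 120001 (level 8) while the vead12 line stays at 120002 (level 0). The parent rule must be defined before the child in the file, since if_sid is resolved at load time.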
