I'm trying this:
<group name="syslog,linuxkernel,">
<!-- Limit promiscuous alerts to ethX interfaces only -->
<rule id="120001" level="8">
<if_sid>5104</if_sid>
<options>alert_by_email</options>
<match>device eth0</match>
<description>Interface entered in promiscuous(sniffing) mode.
</description>
<group>promisc,</group>
</rule>
<rule id="120002" level="0">
<if_sid>5104</if_sid>
<options>no_email_alert</options>
<description>Rule to ignore anything but eth0/eth1</description>
<group>promisec,</group>
</rule>
</group> <!-- SYSLOG,LINUXKERNEL -->
and getting this:
**Phase 1: Completed pre-decoding.
full event: 'Jan 8 14:23:34 host kernel: device eth0 entered
promiscuous mode'
hostname: 'host'
program_name: 'kernel'
log: ' device eth0 entered promiscuous mode'
**Phase 2: Completed decoding.
decoder: 'iptables'
**Phase 3: Completed filtering (rules).
Rule id: '120002'
Level: '0'
Description: 'Rule to ignore anything but eth0/eth1'
Jan 8 14:23:34 host kernel: device vead12 entered promiscuous mode
**Phase 1: Completed pre-decoding.
full event: 'Jan 8 14:23:34 host kernel: device vead12 entered
promiscuous mode'
hostname: 'host'
program_name: 'kernel'
log: ' device vead12 entered promiscuous mode'
**Phase 2: Completed decoding.
decoder: 'iptables'
**Phase 3: Completed filtering (rules).
Rule id: '120002'
Level: '0'
Description: 'Rule to ignore anything but eth0/eth1'
Referenced this previous question also:
https://groups.google.com/forum/#!searchin/ossec-list/ignore$20certain/ossec-list/C7-9avtnS5s/gpRMk-For1sJ
On Friday, January 8, 2016 at 9:18:33 PM UTC-5, BM wrote:
>
> Sorry, that was just a quick hack at what I had been trying. Wouldn't it
> match on the <match>device etho</match< or <regex>^device etho</regex>? The
> only rule that matches is 120002.
>
> On Friday, January 8, 2016 at 7:16:09 PM UTC-5, dan (ddpbsd) wrote:
>>
>>
>> On Jan 8, 2016 7:12 PM, "BM" <[email protected]> wrote:
>> >
>> > I'm trying to filter out the promiscuous alerts other than eth0/1
>> basically. I setup a rule to match device eth0 and a rule to ignore others,
>> however logtest always defaults to the rule 120002 with level 0. What's the
>> best way to filter these logs? I tested some regex in the 3rd rule, but my
>> regex foo is weak.
>> >
>> > <rule id="120001" level="8">
>> > <if_sid>5100, 5104</if_sid>
>> > <options>alert_by_email/options>
>> > <match>device eth0</match>
>> > <description>Interface entered in promiscuous(sniffing)
>> mode.</description>
>> > <group>promisc,</group>
>> > </rule>
>> >
>> > <rule id="120002" level="0">
>> > <if_sid>5100, 5104</if_sid>
>> > <options>no_email_alert</options>
>> > <description>Interface entered in promiscuous(sniffing)
>> mode.</description>
>> > <group>promisc,</group>
>> > </rule>
>> >
>> > <rule id="120003" level="8">
>> > <if_sid>5100, 5104</if_sid>
>> > <options>alert_by_email</options>
>> > <regex>eth[0-10]</regex>
>>
>> This isn't valid ossec regex.
>>
>> > <description>Interface entered in promiscuous(sniffing)
>> mode.</description>
>> > <group>promisc,</group>
>> > </rule>
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
