On Jan 8, 2016 10:03 PM, "BM" <[email protected]> wrote:
>
> I'm trying this:
>
> <group name="syslog,linuxkernel,">
>   <!-- Limit promiscuous alerts to ethX interfaces only -->
>   <rule id="120001" level="8">
>     <if_sid>5104</if_sid>
>     <options>alert_by_email</options>
>     <match>device eth0</match>
>     <description>Interface entered in promiscuous(sniffing) mode.</description>
>     <group>promisc,</group>
>   </rule>
>   <rule id="120002" level="0">
>     <if_sid>5104</if_sid>
>     <options>no_email_alert</options>
>     <description>Rule to ignore anything but eth0/eth1</description>
>     <group>promisc,</group>
>   </rule>
> </group> <!-- SYSLOG,LINUXKERNEL -->
>

I'd reorder them. Have the one with no match first, and then the one with a match if_sid the first one.

>
> and getting this:
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 8 14:23:34 host kernel: device eth0 entered promiscuous mode'
>        hostname: 'host'
>        program_name: 'kernel'
>        log: ' device eth0 entered promiscuous mode'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '120002'
>        Level: '0'
>        Description: 'Rule to ignore anything but eth0/eth1'
>
> Jan 8 14:23:34 host kernel: device vead12 entered promiscuous mode
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 8 14:23:34 host kernel: device vead12 entered promiscuous mode'
>        hostname: 'host'
>        program_name: 'kernel'
>        log: ' device vead12 entered promiscuous mode'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '120002'
>        Level: '0'
>        Description: 'Rule to ignore anything but eth0/eth1'
>
> Referenced this previous question also:
> https://groups.google.com/forum/#!searchin/ossec-list/ignore$20certain/ossec-list/C7-9avtnS5s/gpRMk-For1sJ
>
> On Friday, January 8, 2016 at 9:18:33 PM UTC-5, BM wrote:
>>
>> Sorry, that was just a quick hack at what I had been trying. Wouldn't it match on the <match>device eth0</match> or <regex>^device eth0</regex>? The only rule that matches is 120002.
>>
>> On Friday, January 8, 2016 at 7:16:09 PM UTC-5, dan (ddpbsd) wrote:
>>>
>>> On Jan 8, 2016 7:12 PM, "BM" <[email protected]> wrote:
>>> >
>>> > I'm trying to filter out the promiscuous alerts other than eth0/1 basically. I set up a rule to match device eth0 and a rule to ignore others, however logtest always defaults to the rule 120002 with level 0. What's the best way to filter these logs? I tested some regex in the 3rd rule, but my regex foo is weak.
>>> >
>>> > <rule id="120001" level="8">
>>> >   <if_sid>5100, 5104</if_sid>
>>> >   <options>alert_by_email</options>
>>> >   <match>device eth0</match>
>>> >   <description>Interface entered in promiscuous(sniffing) mode.</description>
>>> >   <group>promisc,</group>
>>> > </rule>
>>> >
>>> > <rule id="120002" level="0">
>>> >   <if_sid>5100, 5104</if_sid>
>>> >   <options>no_email_alert</options>
>>> >   <description>Interface entered in promiscuous(sniffing) mode.</description>
>>> >   <group>promisc,</group>
>>> > </rule>
>>> >
>>> > <rule id="120003" level="8">
>>> >   <if_sid>5100, 5104</if_sid>
>>> >   <options>alert_by_email</options>
>>> >   <regex>eth[0-10]</regex>
>>>
>>> This isn't valid ossec regex.
>>>
>>> >   <description>Interface entered in promiscuous(sniffing) mode.</description>
>>> >   <group>promisc,</group>
>>> > </rule>
>>> >
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> > For more options, visit https://groups.google.com/d/optout.
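The reordering dan suggests, written out as a local rules fragment. This is an added example, not rules posted in the thread: the level-0 catch-all keeps its if_sid on 5104 and carries no match, so it silences every promiscuous-mode event; the eth0/eth1 rule is then made a child of it via if_sid 120002, so only those interfaces climb back to level 8. Rule ids, descriptions and group names reuse the thread's values; the word "entered" in the match pattern is an assumption taken from the kernel message shown in the logtest output above, and is there so that "eth1" cannot also match "eth10".

```xml
<group name="syslog,linuxkernel,">
  <!-- Step 1: evaluated first. Child of the stock rule 5104 with no <match>,
       so it fires for every "device X entered promiscuous mode" event and
       drops it to level 0 (no alert). -->
  <rule id="120002" level="0">
    <if_sid>5104</if_sid>
    <options>no_email_alert</options>
    <description>Rule to ignore anything but eth0/eth1</description>
    <group>promisc,</group>
  </rule>

  <!-- Step 2: child of 120002, so it is only tried once 120002 has matched.
       OSSEC <match> is a substring test; "|" separates alternatives.
       Including "entered" (assumed from the logged kernel message) keeps
       "eth1" from matching "eth10". -->
  <rule id="120001" level="8">
    <if_sid>120002</if_sid>
    <options>alert_by_email</options>
    <match>device eth0 entered|device eth1 entered</match>
    <description>Interface entered in promiscuous(sniffing) mode.</description>
    <group>promisc,</group>
  </rule>
</group> <!-- SYSLOG,LINUXKERNEL -->
```

Re-running the two logtest inputs from the thread against this fragment should end Phase 3 at rule 120001 (level 8) for the eth0 line and at rule 120002 (level 0) for the vead12 line. If the intent is any numbered ethX rather than just eth0/eth1, the OSSEC-regex form of the attempted `eth[0-10]` is `<regex>device eth\d+ entered</regex>`: OSSEC's regex syntax has `\d`, `\w`, `\s`, `+`, `*`, `^`, `$` and `|`, but no bracket character classes, which is why dan rejected `[0-10]`.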
