Worked like a champ. Thanks!
**Phase 1: Completed pre-decoding.
full event: 'Jan 8 14:23:34 host kernel: device eth0 entered
promiscuous mode'
hostname: 'host'
program_name: 'kernel'
log: ' device eth0 entered promiscuous mode'
**Phase 2: Completed decoding.
decoder: 'iptables'
**Phase 3: Completed filtering (rules).
Rule id: '120001'
Level: '8'
Description: 'Interface entered in promiscuous(sniffing) mode.'
**Alert to be generated.
**Phase 1: Completed pre-decoding.
full event: 'Jan 8 14:23:34 host kernel: device vead12 entered
promiscuous mode'
hostname: 'host'
program_name: 'kernel'
log: ' device vead12 entered promiscuous mode'
**Phase 2: Completed decoding.
decoder: 'iptables'
**Phase 3: Completed filtering (rules).
Rule id: '120002'
Level: '0'
Description: 'Rule to ignore anything but eth0/eth1'
Jan 8 14:23:34 host kernel: device eth0 entered promiscuous mode
On Friday, January 8, 2016 at 10:26:02 PM UTC-5, dan (ddpbsd) wrote:
>
>
> On Jan 8, 2016 10:03 PM, "BM" <[email protected]> wrote:
> >
> > I'm trying this:
> >
> > <group name="syslog,linuxkernel,">
> > <!-- Limit promiscuous alerts to ethX interfaces only -->
> >
> > <rule id="120001" level="8">
> >
> > <if_sid>5104</if_sid>
> > <options>alert_by_email</options>
> >
> > <match>device eth0</match>
> > <description>Interface entered in promiscuous(sniffing)
> mode.</description>
> > <group>promisc,</group>
> > </rule>
> > <rule id="120002" level="0">
> >
> > <if_sid>5104</if_sid>
> > <options>no_email_alert</options>
> > <description>Rule to ignore anything but eth0/eth1</description>
> > <group>promisc,</group>
> > </rule>
> > </group> <!-- SYSLOG,LINUXKERNEL -->
> >
>
> I'd reorder them. Have the one with no match first, and then the one with
> a match if_sid the first one.
> >
> >
> > and getting this:
> >
> > **Phase 1: Completed pre-decoding.
> > full event: 'Jan 8 14:23:34 host kernel: device eth0 entered
> promiscuous mode'
> > hostname: 'host'
> > program_name: 'kernel'
> > log: ' device eth0 entered promiscuous mode'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'iptables'
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '120002'
> > Level: '0'
> > Description: 'Rule to ignore anything but eth0/eth1'
> > Jan 8 14:23:34 host kernel: device vead12 entered promiscuous mode
> >
> >
> > **Phase 1: Completed pre-decoding.
> > full event: 'Jan 8 14:23:34 host kernel: device vead12 entered
> promiscuous mode'
> > hostname: 'host'
> > program_name: 'kernel'
> > log: ' device vead12 entered promiscuous mode'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'iptables'
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '120002'
> > Level: '0'
> > Description: 'Rule to ignore anything but eth0/eth1'
> >
> > Referenced this previous question also:
> >
> https://groups.google.com/forum/#!searchin/ossec-list/ignore$20certain/ossec-list/C7-9avtnS5s/gpRMk-For1sJ
> >
> >
> > On Friday, January 8, 2016 at 9:18:33 PM UTC-5, BM wrote:
> >>
> >> Sorry, that was just a quick hack at what I had been trying. Wouldn't
> it match on the <match>device eth0</match> or <regex>^device eth0</regex>?
> The only rule that matches is 120002.
> >>
> >> On Friday, January 8, 2016 at 7:16:09 PM UTC-5, dan (ddpbsd) wrote:
> >>>
> >>>
> >>> On Jan 8, 2016 7:12 PM, "BM" <[email protected]> wrote:
> >>> >
> >>> > I'm trying to filter out the promiscuous alerts other than eth0/1
> basically. I setup a rule to match device eth0 and a rule to ignore others,
> however logtest always defaults to the rule 120002 with level 0. What's the
> best way to filter these logs? I tested some regex in the 3rd rule, but my
> regex foo is weak.
> >>> >
> >>> > <rule id="120001" level="8">
> >>> > <if_sid>5100, 5104</if_sid>
> >>> > <options>alert_by_email</options>
> >>> > <match>device eth0</match>
> >>> > <description>Interface entered in promiscuous(sniffing)
> mode.</description>
> >>> > <group>promisc,</group>
> >>> > </rule>
> >>> >
> >>> > <rule id="120002" level="0">
> >>> > <if_sid>5100, 5104</if_sid>
> >>> > <options>no_email_alert</options>
> >>> > <description>Interface entered in promiscuous(sniffing)
> mode.</description>
> >>> > <group>promisc,</group>
> >>> > </rule>
> >>> >
> >>> > <rule id="120003" level="8">
> >>> > <if_sid>5100, 5104</if_sid>
> >>> > <options>alert_by_email</options>
> >>> > <regex>eth[0-10]</regex>
> >>>
> >>> This isn't valid ossec regex.
> >>>
> >>> > <description>Interface entered in promiscuous(sniffing)
> mode.</description>
> >>> > <group>promisc,</group>
> >>> > </rule>
> >>> >
> >>> > --
> >>> >
> >>> > ---
> >>> > You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> >>> > To unsubscribe from this group and stop receiving emails from it,
> send an email to [email protected].
> >>> > For more options, visit https://groups.google.com/d/optout.
> >
>
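For reference, the reordered rule set that dan's advice describes and that the logtest output at the top of this message reflects (the level 0 catch-all first, the alerting rule chained off it with if_sid). This is a reconstruction added here, not the file BM actually posted; the "device eth1" alternative is assumed from the stated eth0/eth1 intent, and the "|" alternation is standard OSSEC match syntax.

```xml
<group name="syslog,linuxkernel,">
  <!-- Catch-all goes first: every child of 5104 (promiscuous mode)
       lands here at level 0 and is silenced unless a later rule,
       chained off this one, re-raises it. -->
  <rule id="120002" level="0">
    <if_sid>5104</if_sid>
    <options>no_email_alert</options>
    <description>Rule to ignore anything but eth0/eth1</description>
    <group>promisc,</group>
  </rule>

  <!-- Chained off 120002 rather than 5104, so it is only evaluated for
       events the catch-all already matched. Only eth0/eth1 (eth1 assumed
       from the thread's intent) are raised to level 8 and emailed;
       anything else (e.g. vead12) stays at 120002 / level 0. -->
  <rule id="120001" level="8">
    <if_sid>120002</if_sid>
    <options>alert_by_email</options>
    <match>device eth0|device eth1</match>
    <description>Interface entered in promiscuous(sniffing) mode.</description>
    <group>promisc,</group>
  </rule>
</group> <!-- SYSLOG,LINUXKERNEL -->
```

Running both sample lines through ossec-logtest should give 120001/level 8 for eth0 and 120002/level 0 for vead12, matching the output above.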