Try also running ossec-analysisd manually in debug mode (-d -d). It will probably give a little more info about the error in the configuration.
On Wed, Mar 2, 2016 at 7:30 AM, Fredrik <[email protected]> wrote:
> Only a suggestion, but have you tried <srcip>2.3.4.0/24</srcip> given
> that 2.3.4.5/24 is not a valid net address with a C-class mask?
>
> /f
>
> On Wednesday, March 2, 2016 at 12:24:59 PM UTC+1, calvin ratti wrote:
>>
>> Thanks all for your feedback. I added the following in the
>> local_rules.xml after </group> --> and before <!-- EOF --> but running into
>> errors:
>>
>> <rule id="100101" level="0">
>> <if_level>7</if_level>
>> <srcip>1.2.3.4</srcip>
>> <srcip>2.3.4.5/24 <http://64.37.231.0/24></srcip>
>> <description>Ignoring rule any level above 7 from Whitelisted
>> IPs</description>
>> </rule>
>>
>> Error:
>>
>> "OSSEC analysisd: Testing rules failed. Configuration error. Exiting."
>>
>> Any ideas what I could be doing wrong?
>>
>> Cal
>>
>> On Wednesday, 2 March 2016 10:44:22 UTC+5:30, Daniel Cid wrote:
>>>
>>> That's correct as long as the srcip is being decoded. You may need two
>>> rules just in case:
>>>
>>> <rule id="100001" level="0">
>>> <if_level>7</if_level>
>>> <srcip>1.2.3.0/24</srcip>
>>> <description>Ignoring rule any level above 7 from Whitelisted
>>> IPs</description>
>>> </rule>
>>>
>>> <rule id="100002" level="0">
>>> <if_level>7</if_level>
>>> <regex> 1.2.3.\d+ </regex>
>>> <description>Ignoring rule any level above 7 from Whitelisted
>>> IPs</description>
>>> </rule>
>>>
>>> The second one is a bit dangerous as it may open you up to log
>>> injections, but you can use that as a start or tie it down to only
>>> some log formats.
>>>
>>> thanks,
>>>
>>> On Tue, Mar 1, 2016 at 10:00 AM, calvin ratti <[email protected]>
>>> wrote:
>>> > Hi,
>>> >
>>> > I have a VA scanner which I have added in the Whitelist to prevent Active
>>> > Response from blocking the scans. What I also understand from here is that
>>> > to prevent email alerts, I should create a custom rule. Is the following
>>> > syntax proper or am I missing something:
>>> >
>>> > <rule id="100001" level="0">
>>> > <if_level>7</if_level>
>>> > <srcip>1.2.3.4/24</srcip>
>>> > <description>Ignoring rule any level above 7 from Whitelisted
>>> > IPs</description>
>>> > </rule>
>>> >
>>> > rule id is unique, we have configured to send email alerts only for level 7
>>> > & above.
>>> >
>>> > -Cal
>>> >
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google Groups
>>> > "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send an
>>> > email to [email protected].
>>> > For more options, visit https://groups.google.com/d/optout.
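Added here as a worked example (not code from the thread or from the OSSEC project): a small Python lint that runs, before ossec-analysisd is restarted, the checks this thread turns on. It catches rule XML that is not well-formed (a `<regex>` opened and closed with `</match>`, for instance), typographic quotes that a mail client substitutes for ASCII quotes around attribute values, duplicate or out-of-range rule ids, and `<srcip>` values such as 2.3.4.5/24 that carry host bits and are therefore not a network address. Assumptions: the 100000-119999 range for local rules and the leading `!` negation in `<srcip>` are taken from OSSEC's documented rule syntax; the sample fragments are constructed from the rules posted above (without the mail client's auto-link) and are not real configuration files.

```python
"""Lint an OSSEC local_rules.xml fragment before restarting ossec-analysisd.

This is a pre-check only: it does not load decoders and does not replace
ossec-analysisd's own rule test, it just reports the classes of mistake that
commonly produce "Testing rules failed. Configuration error."
"""
import ipaddress
import xml.etree.ElementTree as ET

# Typographic quotes that mail clients and word processors substitute for ASCII ones.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}
# Id range OSSEC reserves for user-defined rules (assumption: per OSSEC rule docs).
LOCAL_RULE_RANGE = (100000, 119999)


def check_netblock(rule_id: str, raw: str) -> list[str]:
    """Return problems for one <srcip> value; [] if it is a valid host or network."""
    value = raw.strip().lstrip("!")  # a leading "!" negates the match in OSSEC; ignore it here
    try:
        ipaddress.ip_network(value, strict=True)  # a bare host is accepted as a /32 or /128
        return []
    except ValueError:
        pass
    try:
        net = ipaddress.ip_network(value, strict=False)  # masks off the host bits
    except ValueError:
        return [f"rule {rule_id}: srcip {value!r} is not an IP address or netblock"]
    return [f"rule {rule_id}: srcip {value!r} has host bits set; use {net} instead"]


def lint_rules(fragment: str) -> list[str]:
    """Return human-readable problems found in a rules fragment; [] means clean."""
    problems: list[str] = []

    if any(q in fragment for q in SMART_QUOTES):
        problems.append("typographic quotes found around attribute values; use plain ASCII quotes")
        fragment = fragment.translate(str.maketrans(SMART_QUOTES))

    # A rules file may hold several top-level elements, so wrap it in a synthetic root.
    try:
        root = ET.fromstring("<root>" + fragment + "</root>")
    except ET.ParseError as exc:
        problems.append(f"XML is not well-formed: {exc}")
        return problems  # nothing further can be checked reliably

    seen_ids: set[str] = set()
    for rule in root.iter("rule"):
        rule_id = rule.get("id", "")
        if not rule_id.isdigit():
            problems.append(f"rule id {rule_id!r} is not numeric")
        elif not LOCAL_RULE_RANGE[0] <= int(rule_id) <= LOCAL_RULE_RANGE[1]:
            problems.append(f"rule {rule_id}: id outside the local range {LOCAL_RULE_RANGE}")
        if rule_id in seen_ids:
            problems.append(f"rule {rule_id}: duplicate id")
        seen_ids.add(rule_id)

        for elem in rule.findall("srcip"):
            problems.extend(check_netblock(rule_id, elem.text or ""))
        for elem in rule.findall("if_level"):
            text = (elem.text or "").strip()
            if not text.isdigit() or not 0 <= int(text) <= 16:
                problems.append(f"rule {rule_id}: if_level {text!r} must be an integer 0-16")
    return problems


# Constructed sample: the rule from the thread as a mail client might have mangled it.
BAD_FRAGMENT = """
<rule id=\u201c100101\u201d level=\u201c0\u201d>
  <if_level>7</if_level>
  <srcip>1.2.3.4</srcip>
  <srcip>2.3.4.5/24</srcip>
  <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
</rule>
"""

# Constructed sample: a rule whose closing tag does not match its opening tag.
MISMATCHED_FRAGMENT = r"""
<rule id="100002" level="0">
  <if_level>7</if_level>
  <regex> 1.2.3.\d+ </match>
  <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
</rule>
"""

# Constructed sample: the corrected rule, a network address inside a local group.
GOOD_FRAGMENT = """
<group name="local,">
  <rule id="100001" level="0">
    <if_level>7</if_level>
    <srcip>1.2.3.0/24</srcip>
    <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
  </rule>
</group>
"""

if __name__ == "__main__":
    for name, fragment in [("bad", BAD_FRAGMENT), ("mismatched", MISMATCHED_FRAGMENT), ("good", GOOD_FRAGMENT)]:
        print(name, "->", lint_rules(fragment) or "clean")
```

Run it over local_rules.xml (read the file and pass its contents to lint_rules) before restarting the manager; a clean result only means these particular mistakes are absent, so ossec-logtest, which loads the real decoders and rules, remains the authoritative check.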
