I stopped them all (which appeared to work fine) and started them again. Here is
the rule and decoder I made for this (I want to alert only once if the same
ID (filepath) has alerted in the past minute):
<rule id="80100" level="7" frequency="2" timeframe="60" ignore="120">
  <if_matched_sid>510</if_matched_sid>
  <same_id />
  <description>This is meant to reduce noise as these events happen in batches with not much difference in meaning.</description>
</rule>
DECODER:
<decoder name="sample_decoder_setup">
  <prematch>^(\.+) (\p/filepath\.+) </prematch>
  <regex>(/filepath/\.+/mnt/\.+/)</regex>
  <order>id</order>
</decoder>
Logtest returns the id I am looking to match, and that part works fine.
It only gets to the first 2 steps though, and does not match it with a rule
in logtest.
On Wednesday, April 5, 2017 at 12:48:21 PM UTC-7, dan (ddpbsd) wrote:
>
> On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams <[email protected]> wrote:
> > Yes I have, I've also tried to disable all the relevant changes I've made,
> > restart, and still have the same issue.
> >
>
> Try stopping the ossec processes, verify that ossec-analysisd has
> stopped (sometimes it doesn't and causes issues), and start it back
> up.
> Can you also post the changes you made?
>
> > On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote:
> >>
> >> On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams <[email protected]> wrote:
> >> > Hi all,
> >> >
> >> > I'm running into an issue where rule 510 is triggering and I'm getting
> >> > spammed with alerts but I can't seem to tune it correctly. What's weird is
> >> > that I am still getting alerted for rule 510 for this log, but I can't
> >> > figure out how to get that to show in logtest. Basically, I am getting
> >> > spammed with rule 510 and trying to filter it down more and here is what
> >> > happens when I enter the log in logtest: .... any ideas on how to fix
> >> > this?
> >> >
> >> > **Phase 1: Completed pre-decoding.
> >> >
> >> > full event: 'File '/filepath/' is owned by root and has written
> >> > permissions to anyone.'
> >> >
> >> > hostname: 'hostname'
> >> >
> >> > program_name: '(null)'
> >> >
> >> > log: 'File '/filepath/' is owned by root and has written permissions
> >> > to anyone.'
> >> >
> >> >
> >> > **Phase 2: Completed decoding.
> >> >
> >> > decoder: 'sample_decoder_setup'
> >> >
> >> > id: '/filepath/'
> >> >
> >>
> >> Did you restart the OSSEC processes on the server after making your
> >> modifications?
> >>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
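As an added illustration, not code from this thread or from OSSEC, here is a small Python model of the outcome the rule at the top of the thread is meant to produce: one alert per file path per 60 seconds, applied to constructed events in the message format shown in the logtest output. The regex, the PerIdSuppressor class and the sample paths are my own assumptions, and the model does not reproduce OSSEC's frequency/timeframe/ignore counting; it only gives the expected alert list to compare against when tuning the rule in logtest.

```python
import re
from typing import Dict, List, Optional, Tuple

# Shape of the rootcheck message shown in the thread's logtest output.
ROOTCHECK_RE = re.compile(r"^File '(?P<id>[^']+)' is owned by root and has written permissions to anyone\.$")


def decode_id(log: str) -> Optional[str]:
    """Return the path the poster's decoder stores as 'id', or None if no match."""
    m = ROOTCHECK_RE.match(log)
    return m.group("id") if m else None


class PerIdSuppressor:
    """At most one alert per id within a `window`-second span. Models the
    result the poster wants, not OSSEC's frequency/timeframe/ignore logic."""
    def __init__(self, window: int = 60) -> None:
        self.window = window
        self.last_alert: Dict[str, int] = {}  # id -> time of its last alert
        self.dropped: Dict[str, int] = {}     # id -> duplicates dropped since then

    def observe(self, event_id: str, ts: int) -> Optional[int]:
        """None if suppressed; else the number of duplicates dropped since this id last alerted."""
        last = self.last_alert.get(event_id)
        if last is not None and ts - last < self.window:
            self.dropped[event_id] = self.dropped.get(event_id, 0) + 1
            return None
        self.last_alert[event_id] = ts
        return self.dropped.pop(event_id, 0)


def filter_events(events: List[Tuple[int, str]], window: int = 60) -> List[Tuple[int, str, int]]:
    """Decode each (timestamp, log line) pair and apply per-id suppression.
    Returns the surviving alerts as (timestamp, id, duplicates dropped before it)."""
    sup, alerts = PerIdSuppressor(window), []
    for ts, log in events:
        event_id = decode_id(log)
        if event_id is None:
            continue  # not a line this decoder handles; other rules would see it unchanged
        dropped = sup.observe(event_id, ts)
        if dropped is not None:
            alerts.append((ts, event_id, dropped))
    return alerts


# Constructed sample stream (not real data): two paths, repeats seconds apart.
MSG = "File '{}' is owned by root and has written permissions to anyone."
SAMPLE_EVENTS = [(0, MSG.format("/filepath/a/mnt/x/")),
                 (10, MSG.format("/filepath/b/mnt/y/")),
                 (59, MSG.format("/filepath/a/mnt/x/")),   # inside a's window: dropped
                 (61, MSG.format("/filepath/a/mnt/x/")),   # 61 s after a's alert: alerts again
                 (65, "unrelated syslog line"),            # ignored by decode_id
                 (130, MSG.format("/filepath/b/mnt/y/"))]
```

Feeding the same line into logtest several times within one session is the equivalent check for the real rule, since the suppression state only exists across repeated events.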