Eric, the short answer is unfortunately "no" (see my similar question recently 
under the subject "Rule Exception - How?").  The only portions of a rule 
that you can negate/exclude are srcip and dstip (see 
http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html).

What I've found is that to exclude a subset of items you need to create a 
minimum of two rules: the first rule catches only what you want to 
exclude, the second rule captures all the rest.  A simple example that 
ignores the ActiveSync log entries and does something with all the 
rest, using your log line examples and the rule you posted (not sure what 
rule #100210 is but I assume it's to match the log lines for your rule):

<!--  Rule to ignore ActiveSync logs -->
<rule id="100211" level="0">
   <if_sid>100210</if_sid>
   <match>Microsoft-Server-ActiveSync</match>
   <description>NOISE:  Ignore ActiveSync log entries.</description>
</rule>

<!--  Rule to do something with all the other log lines -->
<rule id="100212" level="5">
   <if_sid>100210</if_sid>
   <regex>\.+\d+\s\w+.\w...@domain.com\.+ - 401 </regex>
   <description>Email authentication failure.</description>
</rule>


Hope that helps point you in the right direction.


On Friday, February 9, 2018 at 10:38:47 AM UTC-5, Eric wrote:
>
> Hello,
>
> I'm working on a few custom rules and I was wondering if there is a "not 
> equal to" item within OSSEC custom rules that I can use. I have the 
> following logs and I want everything but the ActiveSync ones.
>
> Feb  9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /autodiscover/autodiscover.xml &CorrelationID=<empty>;; 443 - us...@domain.com X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0
>
> Feb  9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /EWS/Exchange.asmx &CorrelationID=<empty>;; 443 - us...@domain.com X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0
>
> Feb  9 00:00:01 XXXXX 2018-02-09 04:59:58 10.13.1.28 POST /Microsoft-Server-ActiveSync/default.eas ; 443 us...@domain.com X.X.X.X Android-Mail/7.10.22.174510681.release - 200 0 0 15
>
> Right now I have the following logic and it works, but I'd prefer to just 
> do a not equal to ActiveSync so I don't have to add additional regexes if a 
> new log comes in.
>
> <rule id="100211" level="5">
>    <if_sid>100210</if_sid>
>    <regex>autodiscover.xml|Exchange.asmx</regex>
>    <regex>\.+\d+\s\w+.\w...@domain.com\.+ - 401 </regex>
>    <description>Email authentication failure.</description>
> </rule>
>
>

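As an added illustration (not from the reply above, and not OSSEC's own code), the Python below emulates how each of the two child rules in the reply would test Eric's lines: it translates OSSEC's regex escapes into Python's re module and runs each rule independently. The <regex> pattern and the user@domain.com address are my own reconstructions, since the archive elided the originals, and OSSEC's rule-tree ordering is not modelled.

```python
import re

# OSSEC OS_Regex escapes mapped to Python re classes, as I read the OSSEC
# regex-syntax docs (assumption); this is not OSSEC's own matcher.
_CLASSES = {"w": r"[A-Za-z0-9@_\-]", "d": r"[0-9]", "s": r" ", "t": r"\t", ".": r"."}

def ossec_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC <regex> into Python re syntax. Only the escapes
    above and + * ^ $ | ( ) are special; a bare '.' is a literal dot."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(c if c in "+*^$|()" else re.escape(c))
            i += 1
    return "".join(out)

def ossec_match(pattern: str, line: str) -> bool:
    """<match> is a substring test in which only ^, $ and | are special."""
    alts = []
    for alt in pattern.split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        body = re.escape(alt[int(head):len(alt) - int(tail)])
        alts.append(("^" if head else "") + body + ("$" if tail else ""))
    return re.search("|".join(alts), line) is not None

# The reply's two child rules; the <regex> is my reconstruction of the elided original (assumption).
RULES = [
    {"id": 100211, "level": 0, "match": "Microsoft-Server-ActiveSync"},
    {"id": 100212, "level": 5, "regex": r"\.+\d+\s\w+\s\w+@domain.com\.+ - 401 "},
]

def matching_rules(line: str) -> list:
    """Ids of rules whose pattern matches the line; rules are tested independently."""
    return [r["id"] for r in RULES
            if ("match" in r and ossec_match(r["match"], line))
            or ("regex" in r and re.search(ossec_regex_to_python(r["regex"]), line))]

# Constructed samples modelled on the question's lines (syslog header dropped, address made up).
LOGS = [
    "2018-02-09 04:59:52 10.13.1.15 POST /EWS/Exchange.asmx &CorrelationID=<empty>;;"
    " 443 - user@domain.com X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6)"
    " - 401 1 2148074254 0",
    "2018-02-09 04:59:58 10.13.1.28 POST /Microsoft-Server-ActiveSync/default.eas ;"
    " 443 user@domain.com X.X.X.X Android-Mail/7.10.22.174510681.release - 200 0 0 15",
]
```

Running matching_rules over LOGS shows the 401 line hitting only 100212 and the ActiveSync line hitting only 100211, which is the split the two-rule approach relies on.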