Thanks Bruce. I didn't think about doing it that way but it definitely works. I really wish OSSEC would allow ! regex or just a simple <not match>Blah</not match>.
On Friday, February 9, 2018 at 10:35:31 AM UTC-7, Bruce Westbrook wrote:
>
> Eric, short answer is unfortunately "no" (see my similar question recently
> under the subject "Rule Exception - How?"). The only portion of a rule
> that you can negate/exclude is srcip and dstip (see
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html).
>
> What I've found is that to exclude a subset of items you need to create a
> minimum of two rules: the first rule catches only what you want to
> exclude, the second rule captures all the rest. A simple example to
> simply ignore the ActiveSync log entries and do something with all the
> rest, using your log line examples and the rule you posted (not sure what
> rule #100210 is but assume it's to match the log lines for your rule):
>
> <!-- Rule to ignore ActiveSync logs -->
> <rule id="100211" level="0">
>   <if_sid>100210</if_sid>
>   <match>Microsoft-Server-ActiveSync</match>
>   <description>NOISE: Ignore ActiveSync log entries.</description>
> </rule>
>
> <!-- Rule to do something with all the other log lines -->
> <rule id="100212" level="5">
>   <if_sid>100210</if_sid>
>   <regex>\.+\d+\s\w+.\[email protected]\.+ - 401 </regex>
>   <description>Email authentication failure.</description>
> </rule>
>
> Hope that helps point you in the right direction.
>
> On Friday, February 9, 2018 at 10:38:47 AM UTC-5, Eric wrote:
>>
>> Hello,
>>
>> I'm working on a few custom rules and I was wondering if there is a "not
>> equal to" item within OSSEC custom rules that I can use. I have the
>> following logs and I want everything but the ActiveSync ones.
>>
>> Feb 9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /autodiscover/autodiscover.xml &CorrelationID=<empty>;; 443 - [email protected] X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0
>>
>> Feb 9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /EWS/Exchange.asmx &CorrelationID=<empty>;; 443 - [email protected] X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0
>>
>> Feb 9 00:00:01 XXXXX 2018-02-09 04:59:58 10.13.1.28 POST /Microsoft-Server-ActiveSync/default.eas ; 443 [email protected] X.X.X.X Android-Mail/7.10.22.174510681.release - 200 0 0 15
>>
>> Right now I have the following logic and it works, but I'd prefer to just
>> do a not equal to ActiveSync so I don't have to add additional regexes if a
>> new log comes in.
>>
>> <rule id="100211" level="5">
>>   <if_sid>100210</if_sid>
>>   <regex>autodiscover.xml|Exchange.asmx</regex>
>>   <regex>\.+\d+\s\w+.\[email protected]\.+ - 401 </regex>
>>   <description>Email authentication failure.</description>
>> </rule>
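The two-rule exclusion pattern from Bruce's reply, modelled as an added example (not OSSEC's own code and not from anyone in the thread): a small Python stand-in for how ossec-analysisd walks the if_sid children of a parent rule. It assumes only what OSSEC documents for level 0 (ignore rules are scanned before all others, first matching child wins), reduces the 401 regex to a plain match on " - 401 ", and uses constructed log lines in which the ActiveSync entry also carries a 401 so the exclusion rule actually has work to do.

```python
# Added example (not OSSEC code): a tiny model of how ossec-analysisd walks the
# <if_sid> children of a parent rule, covering only what the two-rule pattern
# in the thread relies on: level-0 "ignore" rules are scanned before all others
# and the first matching child wins. The 401 test is reduced to a <match> on
# " - 401 " instead of the thread's <regex>, so no OSSEC regex is translated.

PARENT_SID = 100210  # assumed (as in the thread) to match every IIS log line

# The two child rules from Bruce's reply, expressed as dicts.
IGNORE_ACTIVESYNC = {"id": 100211, "level": 0, "if_sid": PARENT_SID,
                     "match": "Microsoft-Server-ActiveSync"}
AUTH_FAILURE = {"id": 100212, "level": 5, "if_sid": PARENT_SID,
                "match": " - 401 "}

def ordered_children(parent_sid, rules):
    """Child rules of parent_sid: level-0 rules first, the rest in file order."""
    kids = [r for r in rules if r["if_sid"] == parent_sid]
    return sorted(kids, key=lambda r: r["level"] != 0)  # stable sort

def evaluate(line, rules):
    """Return (rule_id, level) of the first matching child rule, or None."""
    for rule in ordered_children(PARENT_SID, rules):
        if rule["match"] in line:
            return rule["id"], rule["level"]
    return None

def alerting_rule(line, rules):
    """Rule id that would alert on this line, or None if it is silenced."""
    hit = evaluate(line, rules)
    return hit[0] if hit and hit[1] > 0 else None

# Constructed IIS-style lines, trimmed from the thread; the ActiveSync one is
# given a 401 status on purpose so that the exclusion rule has work to do.
LOGS = [
    "10.13.1.15 POST /autodiscover/autodiscover.xml 443 - user@example.com "
    "X.X.X.X SfBForMac/16.13.184.0000 - 401 1 2148074254 0",
    "10.13.1.15 POST /EWS/Exchange.asmx 443 - user@example.com "
    "X.X.X.X SfBForMac/16.13.184.0000 - 401 1 2148074254 0",
    "10.13.1.28 POST /Microsoft-Server-ActiveSync/default.eas 443 "
    "user@example.com X.X.X.X Android-Mail/7.10.22 - 401 0 0 15",
]

def alerts_with_ignore():
    # File order is deliberately level 5 before level 0, to show that level-0
    # scheduling rather than file position is what makes the exclusion work.
    return [alerting_rule(l, [AUTH_FAILURE, IGNORE_ACTIVESYNC]) for l in LOGS]

def alerts_without_ignore():
    return [alerting_rule(l, [AUTH_FAILURE]) for l in LOGS]
```

With the level-0 rule present the ActiveSync line is silenced and the two 401 lines still raise rule 100212; without it all three alert.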
