On Fri, Feb 9, 2018 at 1:37 PM, Eric <[email protected]> wrote:
> Thanks Bruce. I didn't think about doing it that way but it definitely
> works. I really wish OSSEC would allow ! regex or just a simple <not
> match>Blah</not match>.
>

If you're interested in adding this feature, we use github. You can submit a pull request at https://github.com/ossec/osec-hids

>
> On Friday, February 9, 2018 at 10:35:31 AM UTC-7, Bruce Westbrook wrote:
>>
>> Eric, short answer is unfortunately "no" (see my similar question recently
>> under the subject "Rule Exception - How?"). The only portion of a rule that
>> you can negate/exclude is for srcip and dstip (see
>> http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html).
>>
>> What I've found is that to exclude a subset of items you need to create a
>> minimum of two rules. The first rule to catch only what you want to
>> exclude, the second rule to capture all the rest. A simple example to
>> simply ignore the ActiveSync log entries and do something with all the rest,
>> using your log line examples and the rule you posted (not sure what rule
>> #100210 is but assume it's to match the log lines for your rule):
>>
>> <!-- Rule to ignore ActiveSync logs -->
>> <rule id="100211" level="0">
>>   <if_sid>100210</if_sid>
>>   <match>Microsoft-Server-ActiveSync</match>
>>   <description>NOISE: Ignore ActiveSync log entries.</description>
>> </rule>
>>
>> <!-- Rule to do something with all the other log lines -->
>> <rule id="100212" level="5">
>>   <if_sid>100210</if_sid>
>>   <regex>\.+\d+\s\w+.\[email protected]\.+ - 401 </regex>
>>   <description>Email authentication failure.</description>
>> </rule>
>>
>> Hope that helps point you in the right direction.
>>
>> On Friday, February 9, 2018 at 10:38:47 AM UTC-5, Eric wrote:
>>>
>>> Hello,
>>>
>>> I'm working on a few custom rules and I was wondering if there is a "not
>>> equal to" item within OSSEC custom rules that I can use. I have the
>>> following logs and I want everything but the ActiveSync ones.
>>>
>>> Feb 9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /autodiscover/autodiscover.xml &CorrelationID=<empty>;; 443 - [email protected] X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0
>>>
>>> Feb 9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /EWS/Exchange.asmx &CorrelationID=<empty>;; 443 - [email protected] X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0
>>>
>>> Feb 9 00:00:01 XXXXX 2018-02-09 04:59:58 10.13.1.28 POST /Microsoft-Server-ActiveSync/default.eas ; 443 [email protected] X.X.X.X Android-Mail/7.10.22.174510681.release - 200 0 0 15
>>>
>>> Right now I have the following logic and it works, but I'd prefer to just
>>> do a not equal to Activesync so I don't have to add additional regexes if a
>>> new log comes in.
>>>
>>> <rule id="100211" level="5">
>>>   <if_sid>100210</if_sid>
>>>   <regex>autodiscover.xml|Exchange.asmx</regex>
>>>   <regex>\.+\d+\s\w+.\[email protected]\.+ - 401 </regex>
>>>   <description>Email authentication failure.</description>
>>> </rule>
>>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
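Added illustration, not code from the thread or from OSSEC itself: a small Python simulation of the two-rule exclusion Bruce describes, run over constructed copies of the log lines above plus one extra ActiveSync line that also returned 401. It assumes sibling rules are tried in the order listed and the first match wins (the order the posted answer relies on), translates the rule bodies into Python `re` patterns rather than OSSEC regex syntax, and uses a placeholder `POST` match in place of the unknown parent rule 100210.

```python
import re

# Constructed log lines modelled on the Exchange IIS entries quoted in the
# thread (host, mailbox and client IP are placeholders). The fourth line is an
# extra constructed case: an ActiveSync request that also returned 401.
SAMPLE_LOGS = [
    "Feb 9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /autodiscover/autodiscover.xml &CorrelationID=<empty>;; 443 - user@example.test X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0",
    "Feb 9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /EWS/Exchange.asmx &CorrelationID=<empty>;; 443 - user@example.test X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0",
    "Feb 9 00:00:01 XXXXX 2018-02-09 04:59:58 10.13.1.28 POST /Microsoft-Server-ActiveSync/default.eas ; 443 user@example.test X.X.X.X Android-Mail/7.10.22.174510681.release - 200 0 0 15",
    "Feb 9 00:00:02 XXXXX 2018-02-09 05:00:01 10.13.1.28 POST /Microsoft-Server-ActiveSync/default.eas ; 443 - user@example.test X.X.X.X Android-Mail/7.10.22.174510681.release - 401 1 2148074254 0",
]

# The two-rule pattern from the thread: a level-0 "ignore" rule listed before
# the catch-all, both children of the same parent (if_sid 100210). Patterns
# are Python re translations of the rule bodies, not OSSEC regex syntax.
RULES = [
    {"id": 100211, "level": 0, "pattern": r"Microsoft-Server-ActiveSync",
     "description": "NOISE: Ignore ActiveSync log entries."},
    {"id": 100212, "level": 5, "pattern": r"\s-\s401\s",
     "description": "Email authentication failure."},
]

# Assumed stand-in for whatever the unknown parent rule 100210 matches.
PARENT_PATTERN = re.compile(r"\bPOST\b")


def evaluate(line, rules=RULES):
    """Return the first child rule matching `line`, or None if nothing matches.

    Assumption: siblings are tried in list order and the first match wins,
    so the level-0 rule shadows the catch-all for every ActiveSync line.
    """
    if not PARENT_PATTERN.search(line):
        return None
    for rule in rules:
        if re.search(rule["pattern"], line):
            return rule
    return None


def alerts(lines, rules=RULES):
    """Ids of rules that would raise an alert; level 0 means silently dropped."""
    fired = []
    for line in lines:
        rule = evaluate(line, rules)
        if rule is not None and rule["level"] > 0:
            fired.append(rule["id"])
    return fired


def alerts_with_rules_swapped(lines, rules=RULES):
    """Same lines with the catch-all listed first: ActiveSync 401s now alert."""
    return alerts(lines, list(reversed(rules)))
```

The swapped variant is the failure mode to watch for: if the ignore rule is not the one consulted first, the exclusion silently stops excluding.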
