On Wed, Oct 10, 2018 at 1:09 PM Monah Baki <[email protected]> wrote:
>
> Hi all,
>
> I am running the latest OSSEC and getting the following emails (lots of them)
>
> OSSEC HIDS Notification.
>
> Received From: nlbslPws1->/var/log/messages
>
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>
> Portion of the log(s):
>
> Oct 10 13:05:34 nlbslPws1 bro_dns: 1539191117.237505                
> Cm7plw22kNVV4IKZl1   172.16.90.80       40652                172.16.64.44     
>   53           udp        30263    apollo.ntis.gov  -              -          
>     -              -              0              NOERROR                T     
>          F              F              T              0              
> 10.124.229.22     86400.000000     F
>
> I added in my syslog_rules.xml the following:
>
>
>   <rule id="400001" level="0">
>
>     <if_sid>1002</if_sid>
>
>     <program_name>bro_dns</program_name>
>
>     <match>NOERROR$</match>
>

I don't think NOERROR is at the end of the line; it's just a very long line.

>     <description>ignore this message</description>
>
>   </rule>
>

Using ossec-logtest gives me:
**Phase 1: Completed pre-decoding.
       full event: 'Oct 10 13:05:34 nlbslPws1 bro_dns:
1539191117.237505                Cm7plw22kNVV4IKZl1   172.16.90.80
  40652                172.16.64.44       53           udp
30263    apollo.ntis.gov  -              -              -
-              0              NOERROR                T              F
            F              T              0              10.124.229.22
    86400.000000     F'
       hostname: 'nlbslPws1'
       program_name: 'bro_dns'
       log: '1539191117.237505                Cm7plw22kNVV4IKZl1
172.16.90.80       40652                172.16.64.44       53
 udp        30263    apollo.ntis.gov  -              -              -
            -              0              NOERROR                T
         F              F              T              0
10.124.229.22     86400.000000     F'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

Adding this rule to local_rules.xml:
  <rule id="710000" level="0">
    <program_name>bro_dns</program_name>
    <match>NOERROR</match>
    <description>No error.</description>
  </rule>

gives me:
**Phase 1: Completed pre-decoding.
       full event: 'Oct 10 13:05:34 nlbslPws1 bro_dns:
1539191117.237505                Cm7plw22kNVV4IKZl1   172.16.90.80
  40652                172.16.64.44       53           udp
30263    apollo.ntis.gov  -              -              -
-              0              NOERROR                T              F
            F              T              0              10.124.229.22
    86400.000000     F'
       hostname: 'nlbslPws1'
       program_name: 'bro_dns'
       log: '1539191117.237505                Cm7plw22kNVV4IKZl1
172.16.90.80       40652                172.16.64.44       53
 udp        30263    apollo.ntis.gov  -              -              -
            -              0              NOERROR                T
         F              F              T              0
10.124.229.22     86400.000000     F'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '710000'
       Level: '0'
       Description: 'No error.'


>
> I am still getting the emails.
>
> Any idea what I am missing?
>
> Thanks
> Monah
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

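Added example (not code from the thread or from OSSEC itself): a small Python model of the pre-decoding and `<match>` evaluation shown in the ossec-logtest output above, run against a constructed bro_dns line modelled on the one in the thread. It assumes OSSEC's `<match>` is a case-insensitive substring test in which a leading `^` anchors to the start of the decoded `log` field, a trailing `$` anchors to its end, and `|` separates alternatives; the fallback to rule 1002 / level 2 stands in for the generic catch-all and is a simplification of the real rule tree. The `predecode`, `ossec_match`, `rule_matches` and `evaluate` names are this example's own.

```python
import re

# Constructed sample, modelled on the bro_dns line quoted in the thread
# (whitespace collapsed; the original is one very long line).
SAMPLE_EVENT = (
    "Oct 10 13:05:34 nlbslPws1 bro_dns: 1539191117.237505 Cm7plw22kNVV4IKZl1 "
    "172.16.90.80 40652 172.16.64.44 53 udp 30263 apollo.ntis.gov - - - - 0 "
    "NOERROR T F F T 0 10.124.229.22 86400.000000 F"
)

# Syslog pre-decoding as seen in "Phase 1" of ossec-logtest:
# timestamp, hostname, program_name[pid]: log
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)


def predecode(event):
    """Split a syslog line into the fields ossec-logtest prints in Phase 1."""
    m = SYSLOG_RE.match(event)
    if not m:
        # Unparseable header: the whole event becomes the log field.
        return {"hostname": None, "program_name": None, "log": event}
    return m.groupdict()


def ossec_match(pattern, text):
    """Approximation (assumption) of OSSEC <match>: case-insensitive substring,
    '^' anchors the start, '$' anchors the end, '|' separates alternatives."""
    haystack = text.lower()
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        core = alt[1 if anchored_start else 0: len(alt) - 1 if anchored_end else len(alt)].lower()
        if anchored_start and anchored_end:
            hit = haystack == core
        elif anchored_start:
            hit = haystack.startswith(core)
        elif anchored_end:
            hit = haystack.endswith(core)
        else:
            hit = core in haystack
        if hit:
            return True
    return False


def rule_matches(rule, event):
    """Apply the <program_name> and <match> conditions of one rule to an event."""
    fields = predecode(event)
    if "program_name" in rule and fields.get("program_name") != rule["program_name"]:
        return False
    if "match" in rule and not ossec_match(rule["match"], fields["log"]):
        return False
    return True


def evaluate(rules, event):
    """Return (rule id, level) of the first matching rule, or the catch-all
    1002 / level 2 from the thread when nothing more specific matches."""
    for rule in rules:
        if rule_matches(rule, event):
            return rule["id"], rule["level"]
    return "1002", 2


# The two rules from the thread, expressed as dicts.
RULE_ANCHORED = {"id": "400001", "level": 0, "program_name": "bro_dns", "match": "NOERROR$"}
RULE_SUBSTRING = {"id": "710000", "level": 0, "program_name": "bro_dns", "match": "NOERROR"}

if __name__ == "__main__":
    fields = predecode(SAMPLE_EVENT)
    print("program_name:", fields["program_name"])
    print("NOERROR$ ->", evaluate([RULE_ANCHORED], SAMPLE_EVENT))   # falls through to 1002
    print("NOERROR  ->", evaluate([RULE_SUBSTRING], SAMPLE_EVENT))  # 710000, level 0
```

The anchored pattern fails because the decoded log ends in `F`, not `NOERROR`, so the event falls through to the catch-all; dropping the `$` makes the level 0 rule match, which is the outcome ossec-logtest shows for rule 710000. Always check a silencing rule against ossec-logtest before relying on it, since a level 0 rule that never matches suppresses nothing.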