
[Ossec-list] OSSEC Hids Notification - Alert level 7



Hi Kayvan

You can do two things:

-Create a local_rules.xml file and include it in ossec.conf. In local_rules,
you would add regexes to match these specific patterns that you want
to be ignored.

-If the log format is currently not supported (like this smbd), you
can create a smbd_rules.xml and add the rules you want there. After
that it would be nice to share it with everyone :)

Just as an example, I created a smbd_rules.xml that would ignore some of
these messages and set the right severity for the denied access one.

To test, add an "<include>smbd_rules.xml</include>" to your ossec.conf,
copy smbd_rules.xml to /var/ossec/rules/ and restart ossec.

You can download it from:
http://www.ossec.net/rules/smbd_rules.xml

Hope it helps :)

Thanks!

--
Daniel B. Cid
dcid @ ( at ) ossec.net


On 5/17/06, Kayvan A. Sylvan <kayvan at sylvan.com> wrote:
> Hi!
>
> I'm running the latest OSSEC.
>
> I get lots of these log messages. What's the recommended way of
> customizing the ruleset so that these types of log messages
> are ignored?
>
> Thanks.
>
> On Wed, May 17, 2006 at 11:49:09AM -0700, OSSEC HIDS wrote:
> > OSSEC HIDS Notification.
> > 2006 May 17 11:48:57
> >
> > Received From: /var/log/messages
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> > Portion of the log(s):
> >
> > smbd[12252]:   getpeername failed. Error was Transport endpoint is not connected
> >
> >
> >
> >  --END OF NOTIFICATION
> >
> >
> >
> > OSSEC HIDS Notification.
> > 2006 May 17 11:48:57
> >
> > Received From: /var/log/messages
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> > Portion of the log(s):
> >
> > smbd[12252]:   Denied connection from  (0.0.0.0)
> >
> >
> >
> >  --END OF NOTIFICATION
> >
> >
> >
> > OSSEC HIDS Notification.
> > 2006 May 17 11:48:57
> >
> > Received From: /var/log/messages
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> > Portion of the log(s):
> >
> > smbd[12252]:   getpeername failed. Error was Transport endpoint is not connected
> >
> >
> >
> >  --END OF NOTIFICATION
> >
> >
> >
> > OSSEC HIDS Notification.
> > 2006 May 17 11:48:57
> >
> > Received From: /var/log/messages
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> > Portion of the log(s):
> >
> > smbd[12252]:   Connection denied from 0.0.0.0
> >
> >
> >
> >  --END OF NOTIFICATION
> >
> >
> >
> > OSSEC HIDS Notification.
> > 2006 May 17 11:48:57
> >
> > Received From: /var/log/messages
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> > Portion of the log(s):
> >
> > smbd[12252]:   write_socket_data: write failure. Error = Connection reset by peer
> >
> >
> >
> >  --END OF NOTIFICATION
> >
> >
> >
> > OSSEC HIDS Notification.
> > 2006 May 17 11:48:57
> >
> > Received From: /var/log/messages
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> > Portion of the log(s):
> >
> > smbd[12252]:   write_socket: Error writing 5 bytes to socket 5: ERRNO = Connection reset by peer
> >
> >
> >
> >  --END OF NOTIFICATION
> >
> >
> >
> > OSSEC HIDS Notification.
> > 2006 May 17 11:48:57
> >
> > Received From: /var/log/messages
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> > Portion of the log(s):
> >
> > smbd[12252]:   Error writing 5 bytes to client. -1. (Connection reset by peer)
> >
> >
> >
> >  --END OF NOTIFICATION
> >
> >
> >
> _______________________________________________
> ossec-list mailing list
> ossec-list at ossec.net
> http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
>
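An added illustration of the smbd_rules.xml approach described in the reply above (example rules written here, not the file Daniel posted). It assumes rule 102 is the catch-all that fired in the quoted alerts, that rule IDs 100100 and 100101 are free in the local range, and that level 5 is an acceptable severity for a denied connection.

```xml
<!-- smbd_rules.xml: added example, not the file from ossec.net.
     Both rules hang off rule 102 (the "Unknown problem" catch-all seen in
     the alerts above; newer OSSEC releases use 1002 for the same rule), so
     they override it only for lines logged by the smbd program. -->
<group name="local,smbd,">

  <!-- Socket noise caused by a client dropping the connection.
       Level 0 tells OSSEC to ignore the event entirely. -->
  <rule id="100100" level="0">
    <if_sid>102</if_sid>
    <program_name>^smbd$</program_name>
    <match>getpeername failed|write_socket_data|write_socket:|Error writing</match>
    <description>smbd socket error caused by a client disconnect, ignored.</description>
  </rule>

  <!-- A connection refused by hosts allow/deny is worth keeping, at an
       assumed level 5 instead of the generic level 7. -->
  <rule id="100101" level="5">
    <if_sid>102</if_sid>
    <program_name>^smbd$</program_name>
    <match>Denied connection from|Connection denied from</match>
    <description>smbd denied a connection.</description>
  </rule>

</group>
```

After adding the `<include>` to ossec.conf and restarting, pasting one of the quoted smbd lines into /var/ossec/bin/ossec-logtest shows which of these rules now matches it.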




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.