[ossec-list] Re: Hmmm... More on ignoring certain alerts
On Fri, Feb 16, 2007 at 11:20:15PM -0400, Daniel Cid wrote:
>
> Hi Kayvan,
>
> Whenever you want to use regexes, you need the regex tag. The "match" is
> only for simple pattern matching. Secondly, the "match" and "regex" tags
> only look at the log message, not at the process name of syslog header.
Okay, so for this line:
Feb 17 05:37:03 server smbd[3776]: Denied connection from (0.0.0.0)
You are saying that program_name becomes "smbd" and that the log message
portion is " Denied connection from (0.0.0.0)", right?
Is it the string with spaces in front of it or is it the string without
spaces in front?
> <rule id="100070" level="0">
> <if_sid>1002</if_sid>
> <match>^Denied connection from</match>
> <description>Ignoring smbd denied connection from</description>
> </rule>
Can you use regex "^" in a match statement?
> You could also use the <program_name>smbd</program_name> to be
> more accurate. The following links can help:
>
> http://www.ossec.net/en/manual.html#rules
> http://www.ossec.net/wiki/index.php/FAQ
Thanks for the references. I'm starting to understand.
---Kayvan
--
Kayvan A. Sylvan | Proud husband of | Father to my kids:
Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
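To make the two points in the reply concrete (the syslog header is decoded into separate fields, and `<match>`/`<regex>` are tested against the message portion only, never against the program name), here is a small Python model of that evaluation. This is an added example, not OSSEC's own decoder or rule engine: the header split is a simplified regex written here, OSSEC's own regex dialect is replaced by Python's `re`, and the `<match>` semantics modelled (plain substring, with `^`, `$` and `|` as the only special characters) are taken from the OSSEC rules documentation. The sample line is the one quoted in the thread.

```python
import re

# Constructed sample: the exact line quoted in the thread.
SAMPLE = "Feb 17 05:37:03 server smbd[3776]: Denied connection from (0.0.0.0)"

# Simplified model of a syslog header split (assumption: OSSEC's real decoder is
# C code with more cases; this only reproduces hostname / program_name / log).
# The ": " after the PID belongs to the header here, so the log text starts at
# "Denied" with no leading space.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def decode_syslog(line):
    """Split a syslog line into the fields a rule can test. Returns None if
    the line does not look like syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"hostname": m["host"], "program_name": m["prog"], "log": m["msg"]}


def match_pattern(pattern, text):
    """Model of <match>: literal substring search, where '^' anchors the start,
    '$' anchors the end and '|' separates alternatives. No other metacharacters."""
    for alt in pattern.split("|"):
        start = alt.startswith("^")
        end = alt.endswith("$")
        lit = alt[1:] if start else alt
        lit = lit[:-1] if end else lit
        if start and end:
            ok = text == lit
        elif start:
            ok = text.startswith(lit)
        elif end:
            ok = text.endswith(lit)
        else:
            ok = lit in text
        if ok:
            return True
    return False


def rule_matches(rule, event):
    """Evaluate a rule given as a dict with optional 'program_name', 'match'
    and 'regex' keys (hypothetical representation of the XML tags).
    program_name is compared against the decoded header field; match and
    regex are applied to the log text only."""
    if "program_name" in rule and rule["program_name"] != event["program_name"]:
        return False
    if "match" in rule and not match_pattern(rule["match"], event["log"]):
        return False
    # Assumption: Python re stands in for OSSEC's own regex syntax.
    if "regex" in rule and not re.search(rule["regex"], event["log"]):
        return False
    return True


if __name__ == "__main__":
    ev = decode_syslog(SAMPLE)
    print(ev)
    # The rule from the thread, plus the program_name refinement suggested.
    print(rule_matches({"match": "^Denied connection from"}, ev))
    print(rule_matches({"program_name": "smbd", "match": "^Denied connection from"}, ev))
    # "smbd" lives in the header, so a <match> on it does not fire.
    print(rule_matches({"match": "smbd"}, ev))
```

Running it shows why a `<match>` on the program name never fires while `<program_name>smbd</program_name>` combined with the anchored `<match>` does; in this model the message begins at "Denied", which is the reading under which the rule quoted above can be anchored with `^`.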
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.