|
I know it is something I may have missed but the local rule to ignore a false positive alert that I created is not working. Here is the rule and the alert from my alert log. My rule <group name="local,syslog,">
<!-- Note that rule id 5711 is defined at the ssh_rules file - as a ssh failed login. This is just an example - since ip 1.1.1.1 shouldn't be used anywhere. - Level 0 means ignore. --> <rule id="100001" level="0"> <if_sid>5711</if_sid> <srcip>1.1.1.1</srcip> <description>Example of rule that will ignore sshd </description> <description>failed logins from IP 1.1.1.1.</description> </rule>
<rule id="100101" level="0"> <if_sid>5104</if_sid> <match>"KKWIRELESS kernel: device prism0 entered promiscuous mode"</match> <description>KKWIRELESS Events ignored</description> </rule>
<!-- This example will ignore ssh failed logins for the user name XYZABC. --> <!-- <rule id="100020" level="0"> <if_sid>5711</if_sid> <user>XYZABC</user> <description>Example of rule that will ignore sshd </description> <description>failed logins for user XYZABC.</description> </rule> -->
<!-- Specify here a list of rules to ignore. --> <!-- <rule id="100030" level="0"> <if_sid>12345, 23456, xyz, abc</if_sid> <description>List of rules to be ignored.</description> </rule> -->
</group> <!-- SYSLOG,LOCAL -->
THIS is the alert from the Ossec alert log
** Alert 1181614751.1385744: mail - syslog,linuxkernel,promisc, 2007 Jun 11 21:19:11 KKWIRELESS->/Log/syslog-ng/KKWIRELESS/syslog.log Rule: 5104 (level 8) -> 'Interface entered in promiscuous(sniffing) mode.' Src IP: (none) User: (none) Jun 11 21:19:10 KKWIRELESS kernel: device prism0 entered promiscuous mode
What am I missing? Dennis |