
[ossec-list] Re: ignore rule not working



I'm not sure if this is the cause or not, but from my understanding OSSEC reads the rules by the level; in this case your rule is level 0. When I wrote a rule to ignore another rule, I had to set the level higher than the rule it's based off (<if_sid>5104</if_sid> in your case) so that it would catch this instead of catching the parent rule.

I then added:
<options>no_email_alert</options>

so that it wouldn't send those alerts to me yet still logged them.

This may not be the proper solution, but it worked for me, hope it helps...

~Zach

On 6/11/07, Dennis Borkhus-Veto <dbveto@xxxxxxxxxxx> wrote:

I know it is something I may have missed but the local rule to ignore a false positive alert that I created is not working.

Here is the rule and the alert from my alert log.

My rule:

<group name="local,syslog,">

  <!-- Note that rule id 5711 is defined at the ssh_rules file
    -  as a ssh failed login. This is just an example
    -  since ip 1.1.1.1 shouldn't be used anywhere.
    -  Level 0 means ignore.
    -->
  <rule id="100001" level="0">
    <if_sid>5711</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>Example of rule that will ignore sshd </description>
    <description>failed logins from IP 1.1.1.1.</description>
  </rule>

  <rule id="100101" level="0">
    <if_sid>5104</if_sid>
    <match>"KKWIRELESS kernel: device prism0 entered promiscuous mode"</match>
    <description>KKWIRELESS Events ignored</description>
  </rule>

  <!-- This example will ignore ssh failed logins for the user name XYZABC.
    -->
  <!--
  <rule id="100020" level="0">
    <if_sid>5711</if_sid>
    <user>XYZABC</user>
    <description>Example of rule that will ignore sshd </description>
    <description>failed logins for user XYZABC.</description>
  </rule>
  -->

  <!-- Specify here a list of rules to ignore. -->
  <!--
  <rule id="100030" level="0">
    <if_sid>12345, 23456, xyz, abc</if_sid>
    <description>List of rules to be ignored.</description>
  </rule>
  -->

</group> <!-- SYSLOG,LOCAL -->

 

THIS is the alert from the OSSEC alert log:

** Alert 1181614751.1385744: mail  - syslog,linuxkernel,promisc,
2007 Jun 11 21:19:11 KKWIRELESS->/Log/syslog-ng/KKWIRELESS/syslog.log
Rule: 5104 (level 8) -> 'Interface entered in promiscuous(sniffing) mode.'
Src IP: (none)
User: (none)
Jun 11 21:19:10 KKWIRELESS kernel: device prism0 entered promiscuous mode

 

 

What am I missing?

Dennis
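The following script is an added illustration for this thread, not code from either poster or from the OSSEC project. It models two documented pieces of OSSEC analysisd behaviour, so that the posted rule and the alert above can be replayed offline: the syslog timestamp and hostname are removed before <match> is compared (the hostname is selected with a separate <hostname> condition), and <match> is a plain substring test, so the double quotes in the posted rule are searched for literally. The rule 5104 body, the corrected variants and the log line are constructed stand-ins (the real 5104 lives in syslog_rules.xml; the level and description are taken from the alert in the thread).

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the kernel line from the alert quoted in the thread.
LOG_LINE = "Jun 11 21:19:10 KKWIRELESS kernel: device prism0 entered promiscuous mode"

# Stand-in for stock rule 5104 (assumption: only id, level and a substring
# trigger are modelled; level/description come from the alert in the thread).
STOCK_RULES = {5104: {"level": 8, "match": "promiscuous mode",
                      "description": "Interface entered in promiscuous(sniffing) mode."}}

# The local rule exactly as posted: quotes and hostname inside <match>.
POSTED_RULES = """<group name="local,syslog,">
  <rule id="100101" level="0">
    <if_sid>5104</if_sid>
    <match>"KKWIRELESS kernel: device prism0 entered promiscuous mode"</match>
    <description>KKWIRELESS Events ignored</description>
  </rule>
</group>"""

# Hypothetical variant (not from the thread): bare substring, host via <hostname>.
FIXED_RULES = """<group name="local,syslog,">
  <rule id="100101" level="0">
    <if_sid>5104</if_sid>
    <hostname>KKWIRELESS</hostname>
    <match>device prism0 entered promiscuous mode</match>
    <description>KKWIRELESS Events ignored</description>
  </rule>
</group>"""

# Hypothetical variant of Zach's approach: keep the alert in the log, but at a
# level above the parent and with mail suppressed (level 9 is an assumed value).
LOGGED_NO_MAIL_RULES = """<group name="local,syslog,">
  <rule id="100101" level="9">
    <if_sid>5104</if_sid>
    <hostname>KKWIRELESS</hostname>
    <match>device prism0 entered promiscuous mode</match>
    <options>no_email_alert</options>
    <description>KKWIRELESS promisc events logged, not mailed</description>
  </rule>
</group>"""

SYSLOG_HEADER = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (\S+) ")


def split_syslog(line):
    """Model of header handling: timestamp and hostname are stripped and the
    remainder is the text that <match> is compared against."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None, line
    return m.group(1), line[m.end():]


def load_rules(xml_text):
    """Read the <rule> elements of a local_rules.xml-style group."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        sids = (r.findtext("if_sid") or "").replace(",", " ").split()
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": [int(s) for s in sids],
            "match": r.findtext("match"),
            "hostname": r.findtext("hostname"),
            "options": [o.text for o in r.findall("options")],
        })
    return rules


def evaluate(line, local_rules):
    """Return (rule id, level, options) that would produce the alert."""
    host, log = split_syslog(line)
    for pid, parent in STOCK_RULES.items():
        if parent["match"] not in log:
            continue
        # Once the parent matches, child rules (if_sid) are tried; the first
        # child whose conditions all hold replaces the parent as the alert source.
        for child in local_rules:
            if pid not in child["if_sid"]:
                continue
            if child["hostname"] and child["hostname"] != host:
                continue
            if child["match"] and child["match"] not in log:  # literal substring
                continue
            return child["id"], child["level"], child["options"]
        return pid, parent["level"], []
    return None, None, []


if __name__ == "__main__":
    for name, xml in [("posted", POSTED_RULES), ("fixed", FIXED_RULES),
                      ("logged_no_mail", LOGGED_NO_MAIL_RULES)]:
        print(name, evaluate(LOG_LINE, load_rules(xml)))
```

Running it shows the posted rule never matching (the alert stays on 5104 at level 8), the unquoted variant matching as rule 100101 at level 0, and the no_email_alert variant matching at its own level with the option carried through; the same harness can be pointed at any other line from the alert log to check a local rule before restarting analysisd.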





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.