[ossec-list] Re: ignore rule not working
Hi Dennis,

the rule is not correct because:

Jun 11 21:19:10 (1)KKWIRELESS (2)kernel: (3)device prism0 entered promiscuous mode

(1) is hostname
(2) is program_name
(3) is log

The match directive applies only to the log part, so the correct rule is
something like this:

<rule id="100101" level="0">
  <if_sid>5104</if_sid>
  <match>device prism0 entered promiscuous mode</match>
  <description>KKWIRELESS Events ignored</description>
</rule>

You can use the hostname and program_name directives to fine-tune the rule.

I hope this helps you a bit :)

Greetings

On Mon, 11-06-2007 at 09:14 -0500, Dennis Borkhus-Veto wrote:
> I know it is something I may have missed but the local rule to ignore
> a false positive alert that I created is not working.
>
> Here is the rule and the alert from my alert log.
>
> My rule
>
> <group name="local,syslog,">
>
>   <!-- Note that rule id 5711 is defined at the ssh_rules file
>     - as a ssh failed login. This is just an example
>     - since ip 1.1.1.1 shouldn't be used anywhere.
>     - Level 0 means ignore.
>   -->
>   <rule id="100001" level="0">
>     <if_sid>5711</if_sid>
>     <srcip>1.1.1.1</srcip>
>     <description>Example of rule that will ignore sshd </description>
>     <description>failed logins from IP 1.1.1.1.</description>
>   </rule>
>
>   <rule id="100101" level="0">
>     <if_sid>5104</if_sid>
>     <match>"KKWIRELESS kernel: device prism0 entered promiscuous mode"</match>
>     <description>KKWIRELESS Events ignored</description>
>   </rule>
>
>   <!-- This example will ignore ssh failed logins for the user name XYZABC.
>   -->
>   <!--
>   <rule id="100020" level="0">
>     <if_sid>5711</if_sid>
>     <user>XYZABC</user>
>     <description>Example of rule that will ignore sshd </description>
>     <description>failed logins for user XYZABC.</description>
>   </rule>
>   -->
>
>   <!-- Specify here a list of rules to ignore. -->
>   <!--
>   <rule id="100030" level="0">
>     <if_sid>12345, 23456, xyz, abc</if_sid>
>     <description>List of rules to be ignored.</description>
>   </rule>
>   -->
>
> </group> <!-- SYSLOG,LOCAL -->
>
> THIS is the alert from the OSSEC alert log
>
> ** Alert 1181614751.1385744: mail - syslog,linuxkernel,promisc,
> 2007 Jun 11 21:19:11 KKWIRELESS->/Log/syslog-ng/KKWIRELESS/syslog.log
> Rule: 5104 (level 8) -> 'Interface entered in promiscuous(sniffing) mode.'
> Src IP: (none)
> User: (none)
> Jun 11 21:19:10 KKWIRELESS kernel: device prism0 entered promiscuous mode
>
> What am I missing?
>
> Dennis
>
--
---
Iñaki Rodríguez
irodriguez@xxxxxxxxxxx
Departamento de Sistemas
ACK STORM, S.L.
http://www.ackstorm.es
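As an added illustration (not code from the thread or from OSSEC itself), a small Python model of why the original rule never fires: the syslog header is split off before the match directive is compared, so only the log part is tested. The decoder regex and the plain substring semantics are simplifying assumptions, not OSSEC's actual decoder or pattern engine.

```python
import re

# Constructed sample, copied from the alert quoted in the thread.
SAMPLE_LOG = "Jun 11 21:19:10 KKWIRELESS kernel: device prism0 entered promiscuous mode"

# Simplified syslog header split (assumption: this mimics, not reproduces,
# OSSEC's own syslog decoder): timestamp, hostname, program_name[pid]:, log.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^:\[\s]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

def decode(line):
    """Split a syslog line into the fields a rule can address."""
    m = SYSLOG_RE.match(line)
    if not m:  # undecodable line: everything stays in the log field
        return {"hostname": None, "program_name": None, "log": line}
    return {k: m.group(k) for k in ("hostname", "program_name", "log")}

def rule_matches(rule, fields):
    """Evaluate the directives discussed on this page, each as a plain
    substring test (assumption; real match patterns also support ^, $ and |):
    match -> 'log' field only; hostname/program_name -> their own fields."""
    checks = {
        "match": fields["log"],
        "hostname": fields["hostname"] or "",
        "program_name": fields["program_name"] or "",
    }
    return all(rule[k] in checks[k] for k in rule if k in checks)

# Dennis's original rule: the whole header sits inside <match>, quotes included.
BROKEN_RULE = {"match": '"KKWIRELESS kernel: device prism0 entered promiscuous mode"'}
# The corrected rule from the reply: only the log part.
FIXED_RULE = {"match": "device prism0 entered promiscuous mode"}
# Narrowed further with the hostname and program_name directives.
NARROW_RULE = {"hostname": "KKWIRELESS", "program_name": "kernel",
               "match": "device prism0 entered promiscuous mode"}

def evaluate(line=SAMPLE_LOG):
    """Return which of the three rules would silence the given line."""
    fields = decode(line)
    return {name: rule_matches(rule, fields) for name, rule in
            (("broken", BROKEN_RULE), ("fixed", FIXED_RULE), ("narrow", NARROW_RULE))}
```

Running `evaluate()` on the sample line reports the broken rule as not matching and the fixed and narrowed rules as matching; the same event from another host only passes the fixed rule.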
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.