[ossec-list] Re: Fine tune syslog_rules.xml Rule 1002
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Fine tune syslog_rules.xml Rule 1002
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Thu, 14 Jun 2007 22:53:23 -0300
- Cc: "Steve West" <stevewest15@xxxxxxxxx>
Hi Steve,
This is easy to do with ossec. Just create a local rule to exclude these messages
(include the following in /var/ossec/rules/local_rules.xml):
<group name="local">
  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <match>connect_error: getsockopt|Ignoring mirror|is neither permitted nor</match>
    <description>Events ignored.</description>
  </rule>
</group>
What does it mean? Every time rule 1002 is matched, the above will be checked and,
if it matches, the event is ignored (see level = 0).
For more info: http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 6/13/07, Steve West <stevewest15@xxxxxxxxx> wrote:
>
> ossec version 1.2
>
> Hi,
>
> I'm trying to figure out if I can exclude the following messages without
> disabling the entire rule 1002 in ossec/rules/syslog_rules.xml:
>
> Received From: (Mail_Server77) xxx.xxx.xxx.xxx->/var/log/messages
> Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jun 13 20:00:46 mail freshclam[30139]: connect_error: getsockopt(SO_ERROR): fd=5 error=110: Connection timed out
>
> Jun 13 19:02:17 web85 freshclam[1768]: Ignoring mirror xxx.xxx.xxx.xxx (due to previous errors)
>
> Jun 13 18:19:25 mail spf: {neutral|pass|fail} (xxx.xxx.xxx.xxx is neither permitted nor denied by SPF record at somedomain.com)
>
> I'm wondering if there is a way I can set up an exclude clause and how I can go about writing such a rule to prevent ossec from sending me an email whenever any of the above lines are printed to /var/log/messages?
>
> thx,
>
> SW
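To see how the parent/child chain in Daniel's answer behaves, here is an added Python model (not OSSEC code) that parses the local rule above, applies OSSEC's `<match>` semantics (`|`-separated plain substrings, not a regex), and reports which rule wins for a given log line. It assumes a shortened stand-in for rule 1002's word list; the rule ids and the freshclam/spf lines come from the thread, the other lines are constructed.

```python
import xml.etree.ElementTree as ET

# The local rule from the reply (child of rule 1002), embedded here as a string.
LOCAL_RULES = """<group name="local">
  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <match>connect_error: getsockopt|Ignoring mirror|is neither permitted nor</match>
    <description>Events ignored.</description>
  </rule>
</group>"""

# Assumption: a shortened stand-in for the word list rule 1002 matches on in
# syslog_rules.xml; the real list is longer, but this covers the sample lines.
BAD_WORDS = "error|failure|failed|denied|refused|fatal"

# Rule 1002 as the thread describes it: level 7, no parent.
PARENT = {"id": 1002, "level": 7, "if_sid": None, "match": BAD_WORDS}


def os_match(pattern, text):
    """OSSEC <match>: '|' separates alternatives, each a case-sensitive substring."""
    return any(alt in text for alt in pattern.split("|"))


def load_rules(xml_text):
    """Parse <rule> elements into dicts with id, level, if_sid and match."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        sid = r.findtext("if_sid")
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": int(sid) if sid else None,
            "match": r.findtext("match") or "",
        })
    return rules


def evaluate(line, rules):
    """Return (rule_id, level) of the winning rule, or None if 1002 never fires."""
    if not os_match(PARENT["match"], line):
        return None
    winner = PARENT
    # Children are only consulted once their parent (if_sid) has matched;
    # the first matching child replaces the parent's level, here with 0.
    for child in rules:
        if child["if_sid"] == winner["id"] and os_match(child["match"], line):
            winner = child
            break
    return (winner["id"], winner["level"])
```

Because `<match>` is a plain substring test, the pattern has to stay on one line in local_rules.xml even though the mail client wrapped it; a line broken inside "is neither permitted nor" would never match.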
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.