
[ossec-list] Re: Still getting those smbd alerts I am trying to ignore

hi Kayvan,

Parentheses are used to extract data from the regexes, so if you want to use
them, you need to escape them with "\" before.

Like that:

<rule id="100080" level="0">
  <if_sid>1002</if_sid>
  <program_name>smbd</program_name>
  <regex>^\s*Connection denied from  \(0.0.0.0\)</regex>
  <description>Ignoring smbd denied connection from</description>
</rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 2/17/07, Kayvan A. Sylvan <kayvan@xxxxxxxxxx> wrote:

On Sat, Feb 17, 2007 at 05:23:36PM -0500, Michael Starks wrote:
>
> Kayvan A. Sylvan wrote:
> > My local_rules.xml contains these snippets:
> >
> >   <rule id="100070" level="0">
> >     <if_sid>1002</if_sid>
> >     <program_name>smbd</program_name>
> >     <regex>^\s*Denied connection from  (0.0.0.0)</regex>
> >     <description>Ignoring smbd denied connection from</description>
> >   </rule>
> >
> >   <rule id="100080" level="0">
> >     <if_sid>1002</if_sid>
> >     <program_name>smbd</program_name>
> >     <regex>^\s*Connection denied from  (0.0.0.0)</regex>
> >     <description>Ignoring smbd denied connection from</description>
> >   </rule>
>
> Try changing this: <regex>^\s*Connection denied from  (0.0.0.0)</regex>
> To this: <regex>^\s*Connection denied from 0.0.0.0</regex>
> Or this: <match>Connection denied from 0.0.0.0</match>

I don't see the reasoning. Is the log message processed in some way
so that the parentheses are not there when the match happens?

                        ---Kayvan
--
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)
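To make the escaping point concrete, here is an added Python example (not OSSEC's own code and not from anyone in this thread) that approximates the subset of OSSEC's regex syntax used above with Python's re module and runs both forms of the rule's <regex> against a constructed smbd message. The sample message, the assumption that OSSEC has already stripped the syslog header and program name before the rule regex runs, and the syntax subset covered are all assumptions made for illustration.

```python
import re

# Constructed sample: the smbd message as it would reach the rule, with the
# syslog header and program name already removed (assumption about the format).
SAMPLE_LOG = "  Connection denied from  (0.0.0.0)"

# The pattern from Kayvan's local_rules.xml and Daniel's escaped version.
UNESCAPED = r"^\s*Connection denied from  (0.0.0.0)"
ESCAPED = r"^\s*Connection denied from  \(0.0.0.0\)"
# What unescaped parentheses are actually for: pulling a value out of the line.
CAPTURE = r"Connection denied from  \((\d+\.\d+\.\d+\.\d+)\)"

# Approximate translation of OSSEC's OS_Regex syntax into Python's re syntax.
# Only the tokens this thread needs are handled: ^ $ . * + | ( ), the \s \d \w
# style classes, and backslash-escaped literals.  This is an illustration
# written for this example, not OSSEC's real engine.
_CLASSES = {"s": r"\s", "d": r"\d", "w": r"\w", "t": r"\t",
            "S": r"\S", "D": r"\D", "W": r"\W"}


def ossec_to_python(pattern: str) -> str:
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            i += 2
            if nxt in _CLASSES:
                out.append(_CLASSES[nxt])       # \s, \d, ... character classes
            else:
                out.append(re.escape(nxt))      # \( \) \. \| \$ \\ become literals
            continue
        if c in "^$()|*+.":
            out.append(c)                       # metacharacters map one to one
        else:
            out.append(re.escape(c))            # everything else is literal text
        i += 1
    return "".join(out)


def ossec_match(pattern: str, line: str):
    """Return the captured groups (a tuple) when the pattern matches the line,
    or None when it does not.  Like OS_Regex this is a search, not a
    whole-line match, so the unescaped form needs ^ to anchor."""
    m = re.search(ossec_to_python(pattern), line)
    return None if m is None else m.groups()


if __name__ == "__main__":
    for name, pat in (("unescaped", UNESCAPED), ("escaped", ESCAPED), ("capture", CAPTURE)):
        print(f"{name:9}: {ossec_match(pat, SAMPLE_LOG)!r}")
```

Running it shows the unescaped rule never matches the literal "(0.0.0.0)" in the message (the parentheses are consumed as a group around the address), while the escaped rule matches and the capture variant returns the address.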
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.