[ossec-list] Re: My own rules
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: My own rules
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Thu, 11 Oct 2007 20:12:40 -0300
- Authentication-results: mx.google.com; spf=pass (google.com: domain of daniel.cid@xxxxxxxxx designates 66.249.82.229 as permitted sender) smtp.mail=daniel.cid@xxxxxxxxx; dkim=pass (test mode) header.i=@xxxxxxxxx
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=2EMzDcQtVT+DYlWG75m0kc0dKKWia55UrEBbY+zWEkA=; b=jfuawcTIXDLlwDPa4NsUIRMQEzc11KEh/hqNQqp5PlN4aKrDevdXXFVNaw1fN3o63ANI5X/w57ORRqimk6VgmgAGqUr3w8SNjZkOQSics0uhWX1+q6qeXWYgLOHHRXAXwOFiFw+eo31rUx44xRo8jsk/2F5G8X5VxMBMZwqlC0g=
Hi Dan,
For your first rule, "kernelgrsec" is decoded as the program_name, so
you need to change your rule to:
<rule id="100010" level="0">
<program_name>^kernelgrsec</program_name>
<description>Kernelgrsec messages.</description>
</rule>
*The regex and match tags only look at the log message after the
syslog header.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
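The decoding behaviour described above (the program name is taken from the syslog header, while regex and match are applied only to the message body, and an if_sid child only runs when its parent fired) can be seen in the following added example. It is not code from this thread or from OSSEC itself: it approximates OSSEC's own pattern syntax with Python's re module, and the sample log lines and the two rule sets (the original one with regex, and the corrected one with program_name) are constructed for illustration.

```python
import re

# Constructed sample syslog lines (not taken from the thread).
SAMPLE_LOGS = [
    "Oct 11 20:12:40 host1 kernelgrsec: failure while loading module",
    "Oct 11 20:12:41 host1 kernelgrsec: audit message ok",
    "Oct 11 20:12:42 host1 sshd[123]: failure in authentication",
]

# Minimal syslog header: timestamp, host, program[pid]: message
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)

# Rule set as originally posted: the first rule looks for "kernelgrsec:" with
# <regex>, which is only applied to the message body, so it never matches.
# (The trailing "|" of the original pattern is dropped because this toy
# engine uses Python's re, not OSSEC's os_regex.)
BROKEN_RULES = [
    {"id": 100010, "level": 0, "regex": "kernelgrsec:"},
    {"id": 100011, "level": 7, "if_sid": 100010, "match": "^failure"},
]

# Corrected rule set: the program name is matched with <program_name>.
FIXED_RULES = [
    {"id": 100010, "level": 0, "program_name": "^kernelgrsec"},
    {"id": 100011, "level": 7, "if_sid": 100010, "match": "^failure"},
]


def decode_syslog(line):
    """Split a syslog line into the decoded program_name and the log body."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"program_name": None, "log": line}
    return {"program_name": m.group("prog"), "log": m.group("msg")}


def rule_matches(rule, event):
    """Evaluate the program_name, match and regex fields of one rule.

    program_name is tested against the decoded program name only; match and
    regex are tested against the message body only, never the header.
    """
    if "program_name" in rule:
        if not re.search(rule["program_name"], event["program_name"] or ""):
            return False
    if "match" in rule and not re.search(rule["match"], event["log"]):
        return False
    if "regex" in rule and not re.search(rule["regex"], event["log"]):
        return False
    return True


def evaluate(rules, line):
    """Return the ids of all rules that fire for one line, in order.

    A rule with if_sid is only considered when its parent already fired for
    this line, mirroring OSSEC's parent/child rule tree.
    """
    event = decode_syslog(line)
    fired = []
    for rule in rules:
        if "if_sid" in rule and rule["if_sid"] not in fired:
            continue
        if rule_matches(rule, event):
            fired.append(rule["id"])
    return fired


def alerts(rules, line):
    """Return (id, level) for fired rules that actually alert (level > 0)."""
    levels = {r["id"]: r["level"] for r in rules}
    return [(rid, levels[rid]) for rid in evaluate(rules, line) if levels[rid] > 0]


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        for line in SAMPLE_LOGS:
            print(name, evaluate(rules, line), alerts(rules, line), "<-", line)
```

With the original rules nothing fires on any line, because "kernelgrsec:" is part of the header that <regex> never sees; with the corrected rules the level 0 parent fires silently for every kernelgrsec line and the level 7 child alerts only for the one whose body starts with "failure".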
On 9/19/07, Dan <securitydan@xxxxxxxxx> wrote:
>
> Hi
>
> Thanks for your help.
> I was able to make my own rules. But with some of them I have a
> problem :-(
> I have an application which reports to syslog and I need to match some
> of these messages. But every time rule id 1002 (syslog with $badwords)
> triggers!
>
> I created a new group <group name="syslog,errors,"> in local_rules.xml
> and entered my rules.
> For example:
> <rule id="100010" level="0">
> <regex>kernelgrsec:|</regex>
> <description>xxx</description>
> </rule>
> <rule id="100011" level="7">
> <if_sid>100010</if_sid>
> <match>^failure</match>
> <description>xxx</description>
> </rule>
>
> The first rule won't generate an alert, but the second one should.
> But rule 1002 always triggers instead. Where is the error in my filters?
>
> Thanks for your help.
>
> Regards,
> Dan
>
> On 19.09.2007 at 03:18, Daniel Cid wrote:
>
> >
> > Hi Daniel,
> >
> > Regarding how to write the rules, the following documents can help:
> >
> > http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
> > http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 9/18/07, Peter M. Abraham <peter.m.abraham@xxxxxxxxx> wrote:
> >>
> >> Greetings Daniel:
> >>
> >> Custom rules can be placed in /var/ossec/rules/local_rules.xml
> >>
> >> Thank you.
> >>
> >>
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.