From OSSEC Wiki
Ignoring rules that generate false positives
- by Daniel B. Cid <dcid ( at ) ossec.net>
Introduction
When OSSEC parses a log, it breaks it down into multiple fields (Snort example):
Jun 3 15:34:33 saratoga.denmantire.com snort[27016]: [122:3:0] (portscan)
TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80
time -> Jun 3 15:34:33
hostname -> saratoga.denmantire.com
program_name -> snort
log -> [122:3:0] (portscan) TCP Portsweep {PROTO255} 192.168.0.150 ->
192.168.1.80
After the decoding (decoders.xml), you will also have:
srcip -> 192.168.0.150
id -> 122:3:0
It may also have dstip, srcport, etc. When you write a rule, remember that the "regex"
and "match" tags only look at the log field, which for Snort logs starts at "[122:3:0 ..".
To match the other parts of the message, use "program_name", "srcip", "hostname", etc.
Ignoring syslog message
1- Whenever you need to tweak a rule or create a new one, go to /var/ossec/rules/local_rules.xml and make your changes there. Do not modify any of the default files, because you can break something else. In addition, always use rule ids > 100,000, which are allocated for local modifications.
2- Add the following rule to it:
<group name="local">
  <rule id="100101" level="0">
    <if_sid><Rule ID that is generating false positives></if_sid>
    <description>Events ignored</description>
  </rule>
</group>
For example, if you want to ignore rules 123 and 456, but only if the string "xyz" is in the log, create the rule like this:
<group name="local">
  <rule id="100101" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <description>Events ignored</description>
  </rule>
</group>
3- Restart OSSEC.
Basically you are adding a "child" rule for the ones that are causing false positives,
and ignoring the event (level 0) when a specific pattern is found (inside match).
Ignoring snort message
If you want to ignore the log from the Introduction, you can use "id", "srcip", etc. for it.
Jun 3 15:34:33 saratoga.denmantire.com snort[27016]: [122:3:0] (portscan)
TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80
To ignore every Snort id "122" coming from srcip 192.168.0.150 and from hostname "saratoga",
the following rule would do it:
<rule id="100202" level="0">
  <if_sid>20151</if_sid>
  <hostname>saratoga</hostname>
  <program_name>^snort</program_name>
  <srcip>192.168.0.150</srcip>
  <id>^122:</id>
  <description>Ignored snort event.</description>
</rule>
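To make the field split from the Introduction and the rule above concrete, here is an added simulation (not OSSEC code, and not the real decoders.xml regexes): it predecodes the sample Snort line into time/hostname/program_name/log, runs a simplified stand-in for the Snort decoder to get id/srcip/dstip, and then evaluates rule options the way this page describes them, with "match"/"regex" seeing only the log field and every other option checked against the field of the same name. The regexes and the dict-based rule representation are assumptions made for the demonstration.

```python
import re

# Constructed sample line, same shape as the page's Snort example (not a live alert).
SAMPLE = ("Jun 3 15:34:33 saratoga.denmantire.com snort[27016]: [122:3:0] (portscan) "
          "TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80")

# Simplified syslog predecoder: time, hostname, program_name[pid]: log
SYSLOG_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[:\s]+)(?:\[\d+\])?: (?P<log>.*)$")
# Simplified stand-in for the Snort decoder (assumption, not the decoders.xml regex).
SNORT_RE = re.compile(
    r"^\[(?P<id>\d+:\d+:\d+)\].*?"
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+) -> (?P<dstip>\d+\.\d+\.\d+\.\d+)")

def decode(line):
    """Return the predecoded fields, plus decoder fields when program_name is snort."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {}
    fields = m.groupdict()
    s = SNORT_RE.match(fields["log"])
    if fields["program_name"] == "snort" and s:
        fields.update(s.groupdict())
    return fields

def rule_matches(rule, fields):
    """Evaluate a rule given as {option: pattern}. 'match' is a substring test and
    'regex' a regex, both only against the log field; srcip/dstip are compared
    exactly; any other option is a regex over the field with that name."""
    for opt, pattern in rule.items():
        if opt == "match":
            if pattern not in fields.get("log", ""):
                return False
        elif opt == "regex":
            if not re.search(pattern, fields.get("log", "")):
                return False
        elif opt in ("srcip", "dstip"):
            if fields.get(opt) != pattern:
                return False
        elif not re.search(pattern, fields.get(opt, "")):
            return False
    return True

# The page's rule 100202, minus if_sid and description (hypothetical dict form).
IGNORE_RULE = {"hostname": "saratoga", "program_name": "^snort",
               "srcip": "192.168.0.150", "id": "^122:"}
```

Running rule_matches({"match": "saratoga"}, decode(SAMPLE)) returns False because the hostname is not part of the log field, while rule_matches(IGNORE_RULE, decode(SAMPLE)) returns True.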
Ignoring a specific IP
If you want to ignore a specific IP, say that of your security scanner, you can add a simple local rule
to ignore that IP (or list of IPs) for every alert.
1- Edit /var/ossec/rules/local_rules.xml and add at the bottom:
Single IP Address:
<group name="local">
  <rule id="100101" level="0">
    <if_level>3</if_level>
    <srcip>192.168.2.1</srcip>
    <description>Ignoring ip 192.168.2.1</description>
  </rule>
  <!-- We need to use "match" if the IP is not being decoded -->
  <rule id="100102" level="0">
    <if_level>3</if_level>
    <match>192.168.2.1</match>
    <description>Ignoring ip 192.168.2.1</description>
  </rule>
</group>
Multiple IP Addresses:
<group name="local">
  <rule id="100101" level="0">
    <if_level>3</if_level>
    <srcip>192.168.2.1</srcip>
    <srcip>192.168.2.2</srcip>
    <srcip>192.168.2.3</srcip>
    <description>Ignoring ip 192.168.2.1, 192.168.2.2, 192.168.2.3</description>
  </rule>
</group>
2- Restart the OSSEC server:
# /var/ossec/bin/ossec-control restart