Contents
1 Ignoring rules that generate false positives
1.1 Introduction
1.2 Ignoring syslog message
1.3 Ignoring snort message
1.4 Ignoring a specific IP
Introduction
When OSSEC parses a log, its decoder breaks it down into multiple fields (Snort example):
It may also have dstip, srcport, etc. When you write a rule, remember that the "regex" and "match" options only look at the "log" field, which for Snort logs would only start at "[122:3:0 ..".
To match on the other parts of the message you need the field-specific options, such as "program_name", "srcip", "hostname" or "id".
Ignoring syslog message
1- Edit /var/ossec/rules/local_rules.xml (the file reserved for local rules).
Do not modify any of the default rule files, because you can break something else.
In addition, always use rule ids greater than 100,000, which are allocated for local modifications.
1 of 3 26/11/2010 3:15 PM
Know How:Ignore Rules - OSSEC Wiki http://www.ossec.net/wiki/Know_How:Ignore_Rules
2- Create a rule with level 0 whose if_sid points at the rule that generates the false positives:
<group name="local">
  <rule id="100101" level="0">
    <if_sid><Rule ID that is generating false positives></if_sid>
    <description>Events ignored</description>
  </rule>
</group>
For example, if you want to ignore rules 123 and 456, but only when the string "xyz" is in the log, create the rule like this:
<group name="local">
  <rule id="100101" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <description>Events ignored</description>
  </rule>
</group>
3- Restart OSSEC so the new rule is loaded:
# /var/ossec/bin/ossec-control restart
In effect you are adding a "child" rule under the rules that cause the false positives. Because the child has level 0, the event is dropped whenever the child's extra conditions (here the pattern inside match) are met; when they are not met, the parent rule alerts as before.
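Before restarting, it is worth checking the file for mistakes that defeat the purpose of the rule. The script below is an added example written for this edit, not code from the OSSEC wiki or the OSSEC project. It uses only the Python standard library, takes the text of local_rules.xml, and reports ids that are not above 100,000, duplicate ids (every example on this page reuses 100101, so they collide if pasted in together), "ignore" rules whose level is not 0, rules with no if_sid, if_level or if_group (such a rule is not a child of anything and so never overrides the rule it was meant to silence), and srcip values that are not a valid address or CIDR range. The embedded sample file is constructed for the demonstration and its rule ids are made up.

```python
"""Sanity-check an OSSEC local_rules.xml full of "ignore" rules before
restarting OSSEC.  Added example, not code from the OSSEC wiki or the
OSSEC project."""
import ipaddress
import xml.etree.ElementTree as ET

MIN_LOCAL_ID = 100001            # page: "always use rule ids > 100,000"
# A rule with none of these is not a child rule (assumed list of OSSEC
# parent conditions; if_sid and if_level are the ones this page uses).
CHILD_CONDITIONS = ("if_sid", "if_level", "if_group",
                    "if_matched_sid", "if_matched_group")

# Constructed sample: the page's rules merged into one file with distinct
# ids (100101, 100102), followed by deliberately broken rules.
SAMPLE_LOCAL_RULES = """
<group name="local">
  <rule id="100101" level="0">
    <if_sid>123, 456</if_sid>
    <match>xyz</match>
    <description>Events ignored</description>
  </rule>
  <rule id="100102" level="0">
    <if_level>3</if_level>
    <srcip>192.168.2.1</srcip>
    <srcip>192.168.2.0/24</srcip>
    <description>Ignoring the scanner subnet</description>
  </rule>
  <rule id="100102" level="0">
    <if_level>3</if_level>
    <srcip>192.168.2.3</srcip>
    <description>duplicate id 100102</description>
  </rule>
  <rule id="1001" level="0">
    <if_sid>123</if_sid>
    <description>id inside the range reserved for stock rules</description>
  </rule>
  <rule id="100105" level="5">
    <if_sid>123</if_sid>
    <description>level 5: still alerts, so it ignores nothing</description>
  </rule>
  <rule id="100106" level="0">
    <srcip>10.0.0.256</srcip>
    <description>no parent condition and a bad address</description>
  </rule>
</group>
"""


def check_local_rules(xml_text):
    """Return a list of (rule_id, problem) pairs; an empty list means clean."""
    # local_rules.xml may hold several top-level <group> elements, which is
    # not one XML document, so wrap the text in a synthetic root first.
    root = ET.fromstring("<local_rules>%s</local_rules>" % xml_text)
    problems = []
    seen = set()
    for rule in root.iter("rule"):
        rid_text = rule.get("id", "")
        if not rid_text.isdigit():
            problems.append((rid_text, "rule id is missing or not a number"))
            continue
        rid = int(rid_text)
        if rid < MIN_LOCAL_ID:
            problems.append((rid, "id is not above 100000, the range reserved for local rules"))
        if rid in seen:
            problems.append((rid, "duplicate rule id"))
        seen.add(rid)
        if rule.get("level") != "0":
            problems.append((rid, "level is %s, not 0, so matching events still alert"
                             % rule.get("level")))
        if all(rule.find(tag) is None for tag in CHILD_CONDITIONS):
            problems.append((rid, "no if_sid/if_level/if_group: not a child of the rule it should silence"))
        for ip_elem in rule.findall("srcip"):
            value = (ip_elem.text or "").strip()
            try:
                # OSSEC accepts a plain address or a CIDR range; a leading "!" negates it.
                ipaddress.ip_network(value.lstrip("!"), strict=False)
            except ValueError:
                problems.append((rid, "srcip %r is not a valid address or network" % value))
    return problems


if __name__ == "__main__":
    for rid, problem in check_local_rules(SAMPLE_LOCAL_RULES):
        print("rule %s: %s" % (rid, problem))
```

Run it against the real file with `check_local_rules(open("/var/ossec/rules/local_rules.xml").read())`; an empty result is the green light for the restart in step 3.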
Ignoring snort message
If you want to ignore the log from the #Introduction, you can use "id", "srcip", etc. for it.
To ignore every Snort id "122" coming from srcip 192.168.0.150 and from hostname "saratoga", the following rule would do it:
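The rule itself did not survive on this page, so what follows is an added example written for this edit, not the wiki's own rule. It assumes the stock OSSEC Snort decoder and rules: that the decoder stores the Snort generator:signature:revision triple (the "[122:3:0]" from the Introduction) in the id field, and that the stock Snort rules belong to the "ids" group, which is why if_group rather than a specific if_sid is used. The rule id 100103 is arbitrary. Confirm both assumptions with ossec-logtest before relying on the rule.

```xml
<group name="local">
  <rule id="100103" level="0">
    <!-- child of every Snort rule; assumes the stock snort rules carry the "ids" group -->
    <if_group>ids</if_group>
    <!-- id is matched as a pattern; "^122:" covers every signature of generator 122
         (assumes the decoder's id field looks like 122:3:0) -->
    <id>^122:</id>
    <srcip>192.168.0.150</srcip>
    <hostname>saratoga</hostname>
    <description>Snort generator 122 from 192.168.0.150 on saratoga ignored</description>
  </rule>
</group>
```

To verify, feed one of the offending log lines to /var/ossec/bin/ossec-logtest on standard input: it prints the decoded fields (so you can check the id, srcip and hostname values) and the rule that fired, which should be 100103 at level 0. Generator 122 is Snort's portscan preprocessor, so this silences only portscan alerts from that one host; use "^122:3:" in id if you want a single signature rather than the whole generator.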
Ignoring a specific IP
If you want to ignore a specific IP, say that of your security scanner, you can add a simple local rule to ignore that IP (or a list of IPs) for every alert. The if_level of 3 makes the rule a child of every rule at level 3 or higher, so anything at that level or above from the listed addresses is dropped; rules below level 3 are unaffected. Keep in mind that this also silences real attacks launched from, or relayed through, those addresses, so prefer a narrower rule with if_sid or match whenever one will do.
Single IP address:
<group name="local">
  <rule id="100101" level="0">
    <if_level>3</if_level>
    <srcip>192.168.2.1</srcip>
    <description>Ignoring ip 192.168.2.1</description>
  </rule>
</group>
Multiple IP addresses (one srcip element per address; the rule matches when any of them is the source):
<group name="local">
  <rule id="100101" level="0">
    <if_level>3</if_level>
    <srcip>192.168.2.1</srcip>
    <srcip>192.168.2.2</srcip>
    <srcip>192.168.2.3</srcip>
    <description>Ignoring ip 192.168.2.1, 192.168.2.2, 192.168.2.3</description>
  </rule>
</group>
# /var/ossec/bin/ossec-control restart