
Know How:Ignore Rules - OSSEC Wiki http://www.ossec.net/wiki/Know_How:Ignore_Rules

Contents
1 Ignoring rules that generate false positives
1.1 Introduction
1.2 Ignoring syslog message
1.3 Ignoring snort message
1.4 Ignoring a specific IP

Ignoring rules that generate false positives


by Daniel B. Cid <dcid ( at ) ossec.net>

Introduction

When ossec parses a log, it will break it down into multiple fields (snort example):

Jun 3 15:34:33 saratoga.denmantire.com snort[27016]: [122:3:0] (portscan) TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80

time -> Jun 3 15:34:33
hostname -> saratoga.denmantire.com
program_name -> snort
log -> [122:3:0] (portscan) TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80

After the decoding (decoders.xml), you will also have:

srcip -> 192.168.0.150
id -> 122:3:0

And it may also have dstip, srcport, etc. When you write a rule, remember that the "regex" and the "match" tags only look at the log field, which for the Snort logs starts at "[122:3:0 ..".

To look at the other parts of the message, you need to use "program_name", "srcip", "hostname", etc.

Ignoring syslog message

1- Whenever you need to tweak a rule or create a new one, edit

/var/ossec/rules/local_rules.xml

Do not modify any of the default files, because you can break something else.

In addition to that, always use rule ids > 100,000, which are allocated for local modifications.


2-Add the following rule to it:

<group name="local">
<rule id="100101" level="0">
<if_sid><Rule ID that is generating false positives></if_sid>
<description>Events ignored</description>
</rule>
</group>

For example, if you want to ignore rules 123 and 456, but only if the string "xyz" is in the log, create
the rule like that:

<group name="local">
<rule id="100101" level="0">
<if_sid>123, 456</if_sid>
<match>xyz</match>
<description>Events ignored</description>
</rule>
</group>

3- Restart ossec.

# /var/ossec/bin/ossec-control restart

Basically you are adding a "child" rule for the ones that are causing false positives and ignoring the event if a specific pattern is found (inside match).

Ignoring snort message

If you want to ignore the log from the Introduction, you can use "id", "srcip", etc. for it.

Jun 3 15:34:33 saratoga.denmantire.com snort[27016]: [122:3:0] (portscan) TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80

To ignore every Snort id "122" coming from srcip 192.168.0.150 and from hostname "saratoga", the following rule would do it:

<rule id="100202" level="0">
<if_sid>20151</if_sid>
<hostname>saratoga</hostname>
<program_name>^snort</program_name>
<srcip>192.168.0.150</srcip>
<id>^122:</id>
<description>Ignored snort event.</description>
</rule>
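To make the field split from the Introduction and the rule above concrete, here is an added example (not code from the OSSEC project) that decodes the sample Snort line into the fields OSSEC exposes and evaluates a few rule tags against it. It assumes a simplified model: "match" and "regex" see only the log field, "hostname", "program_name" and "id" are regex-searched against their own field, "srcip" is an exact compare, and if_sid/if_level parent checks are left out.

```python
import re

# Constructed sample: the Snort line from the page as syslog delivers it.
SAMPLE = ("Jun 3 15:34:33 saratoga.denmantire.com snort[27016]: [122:3:0] (portscan) "
          "TCP Portsweep {PROTO255} 192.168.0.150 -> 192.168.1.80")

# Generic syslog header: time, hostname, program_name[pid]: log
SYSLOG_RE = re.compile(r"^(?P<time>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
                       r"(?P<program_name>[^\[:]+)(?:\[\d+\])?: (?P<log>.*)$")
# Simplified stand-in for the snort decoder in decoders.xml (assumption: only id/srcip/dstip).
SNORT_RE = re.compile(r"^\[(?P<id>\d+:\d+:\d+)\].*?(?P<srcip>\d+\.\d+\.\d+\.\d+) -> "
                      r"(?P<dstip>\d+\.\d+\.\d+\.\d+)")


def decode(line):
    """Split a syslog line into the fields a rule can reference; None if not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    if fields["program_name"] == "snort":          # run the (simplified) snort decoder
        d = SNORT_RE.match(fields["log"])
        if d:
            fields.update(d.groupdict())
    return fields


def rule_matches(rule, fields):
    """Evaluate the rule tags used on this page; every tag present must match."""
    checks = {
        "match":        lambda v: v in fields["log"],                   # log field only
        "regex":        lambda v: re.search(v, fields["log"]) is not None,
        "hostname":     lambda v: re.search(v, fields["hostname"]) is not None,
        "program_name": lambda v: re.search(v, fields["program_name"]) is not None,
        "srcip":        lambda v: fields.get("srcip") == v,            # needs the decoder
        "id":           lambda v: re.search(v, fields.get("id", "")) is not None,
    }
    return all(checks[tag](value) for tag, value in rule.items())


# Rule 100202 from the page, minus its if_sid parent check.
RULE_100202 = {"hostname": "saratoga", "program_name": "^snort",
               "srcip": "192.168.0.150", "id": "^122:"}
```

Running rule_matches({"match": "saratoga"}, decode(SAMPLE)) returns False while the hostname tag returns True, which is the caveat the Introduction makes about "match" only seeing the log part.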

Ignoring a specific IP

If you want to ignore a specific IP, say of your security scanner, you can add a simple local rule
to ignore that ip (or list of IPs) for every alert.

1- Edit /var/ossec/rules/local_rules.xml and add at the bottom:

Single IP Address:


<group name="local">
<rule id="100101" level="0">
<if_level>3</if_level>
<srcip>192.168.2.1</srcip>
<description>Ignoring ip 192.168.2.1</description>
</rule>

<!-- We need to use "match" if the IP is not being decoded -->
<rule id="100102" level="0">
<if_level>3</if_level>
<match>192.168.2.1</match>
<description>Ignoring ip 192.168.2.1</description>
</rule>
</group>

Multiple IP Addresses:

<group name="local">
<rule id="100101" level="0">
<if_level>3</if_level>
<srcip>192.168.2.1</srcip>
<srcip>192.168.2.2</srcip>
<srcip>192.168.2.3</srcip>
<description>Ignoring ip 192.168.2.1, 192.168.2.2, 192.168.2.3</description>
</rule>
</group>

2- Restart ossec server:

# /var/ossec/bin/ossec-control restart
