Yeah I know, it takes some time to really get everything (haven't managed to understand everything yet :) ). I plan on contributing some tutorials when I'm not as busy as I am right now.
On Thu, Mar 11, 2010 at 6:10 PM, Jefferson, Shawn <shawn.jeffer...@bcferries.com> wrote:
> Thanks, that helps a lot. The documentation on ossec is somewhat sparse,
> it's difficult to find this stuff out looking at the manual and the wiki.
>
> ------------------------------
>
> *From:* ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] *On Behalf Of* oscar schneider
> *Sent:* Thursday, March 11, 2010 8:43 AM
> *To:* ossec-list@googlegroups.com
> *Subject:* Re: [ossec-list] Re: Local Rules
>
> P.S.:
>
> <match> does indeed not work for "snort" since this string is predecoded as
> the program name and does not show up in the rest of the log (which is
> predecoded as "log"):
>
> 2010/03/11 17:38:16 ossec-testrule: INFO: Started (pid: 32258).
> ossec-testrule: Type one log per line.
>
> Mar 10 04:00:02 bcfids01 snort[4701]: Check for Bounce Attacks: YES alert: YES
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar 10 04:00:02 bcfids01 snort[4701]: Check for Bounce Attacks: YES alert: YES'
>        hostname: 'bcfids01'
>        program_name: 'snort'
>        log: ' Check for Bounce Attacks: YES alert: YES'
>
> As far as I know <match> and <regex> in the rule matching step are only
> applied to the field predecoded as log.
> If I'm wrong about this, please let me know.
>
> On Thu, Mar 11, 2010 at 5:37 PM, oscar schneider <os4...@googlemail.com> wrote:
> > Hey,
> >
> > using program_name is sufficient if you want to exclude about all snort
> > logs that would match rule 1002.
> > There is no extra <match> option needed. Instead of <program_name> you can
> > also use <decoded_as>snort</decoded_as> or both (cf. decoders.xml if there
> > is any other program_name affected by the snort decoder; if there isn't,
> > decoded_as is fine).
> >
> > Important is to realize the consequences such a rule can have.
> > A local rule like
> >
> > <rule id="111111" level="0">
> >   <if_sid>1002</if_sid>
> >   <decoded_as>snort</decoded_as>
> >   <!-- or alternatively
> >   <program_name>snort</program_name>
> >   -->
> > </rule>
> >
> > will result in no notification for every event that is decoded as snort and
> > matches rule 1002 and is not also matching any other rule with a lower id
> > than 111111.
> >
> > So it might be that you exclude some snort messages you'd actually like to
> > be notified about.
> >
> > On Wed, Mar 10, 2010 at 9:59 PM, Doug Burks <mub...@gmail.com> wrote:
> > > The decoder puts "snort" in program_name. Perhaps <match> doesn't
> > > apply to program_name. What happens if you use the program_name line
> > > from my rule and NO match line?
> > > Doug
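A small model of the pre-decoding and rule matching discussed in the thread above, added here as an example; it is not code from the thread or from OSSEC. It assumes a simplified syslog header format and uses a constructed stand-in for rule 1002, and it shows why `<match>snort</match>` never fires on this event while `<program_name>snort</program_name>` with `<if_sid>1002</if_sid>` and level 0 silences it.

```python
import re

# Simplified model of OSSEC's syslog pre-decoding and rule matching, written
# for this thread; it is NOT OSSEC's own code. Field names follow ossec-testrule.
SYSLOG_RE = re.compile(
    r"^\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?:(?P<log>.*)$"
)

def predecode(line):
    """Split a syslog line into hostname / program_name / log (leading space kept)."""
    m = SYSLOG_RE.match(line)
    if not m:  # no syslog header: the whole line becomes the log field
        return {"hostname": None, "program_name": None, "log": line}
    return {"hostname": m["host"], "program_name": m["prog"], "log": m["log"]}

def rule_matches(rule, event, fired):
    """<if_sid> needs a parent hit, <program_name> tests that field, <match> only sees 'log'."""
    if "if_sid" in rule and rule["if_sid"] not in fired:
        return False
    if "program_name" in rule and event["program_name"] != rule["program_name"]:
        return False
    if "match" in rule and rule["match"].lower() not in event["log"].lower():
        return False
    return True

def evaluate(rules, line):
    """Return (id, level) of the last, most specific, rule that matches, or None."""
    event = predecode(line)
    fired, result = set(), None
    for rule in sorted(rules, key=lambda r: r["id"]):
        if rule_matches(rule, event, fired):
            fired.add(rule["id"])
            result = (rule["id"], rule["level"])
    return result

# Constructed stand-in for rule 1002; the real rule matches a list of "bad words".
BASE_RULES = [{"id": 1002, "level": 2, "match": "attack"}]
# The local rule from the thread: silence 1002 for everything pre-decoded as snort.
SILENCE_SNORT = {"id": 111111, "level": 0, "if_sid": 1002, "program_name": "snort"}
# The earlier attempt: <match>snort</match> is tested against 'log', which never holds the program name.
MATCH_SNORT = {"id": 111112, "level": 0, "if_sid": 1002, "match": "snort"}

LINE = "Mar 10 04:00:02 bcfids01 snort[4701]: Check for Bounce Attacks: YES alert: YES"

if __name__ == "__main__":
    print(predecode(LINE))
    print(evaluate(BASE_RULES, LINE))                    # (1002, 2): alert
    print(evaluate(BASE_RULES + [SILENCE_SNORT], LINE))  # (111111, 0): silenced
    print(evaluate(BASE_RULES + [MATCH_SNORT], LINE))    # (1002, 2): still alerts
```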