On Tue, Feb 26, 2013 at 3:46 AM, Fredrik <fredrik.ke...@gmail.com> wrote:
> Hi Stephane,
>
>
> Thanks for your post! Sorry, my bad - the example I sent was generic and not
> an exact message from the logs :( Please find a "real" sample below.
>
> Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26 08:38:36.316:
> %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not
> Register IP Add on MSCB. MSCB still in init state. Address:98:03:d8:ae:b2:34
>

# /var/ossec/bin/ossec-logtest
2013/02/26 15:23:05 ossec-testrule: INFO: Reading local decoder file.
2013/02/26 15:23:06 ossec-testrule: INFO: Started (pid: 32596).
ossec-testrule: Type one log per line.

Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26 08:38:36.316:
%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not
Register IP Add on MSCB. MSCB still in init state.
Address:98:03:d8:ae:b2:34


**Phase 1: Completed pre-decoding.
       full event: 'Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26
08:38:36.316: %APF-4-REGISTER_IPADD_ON_MSCB_FAILED:
apf_foreignap.c:1281 Could not Register IP Add on MSCB. MSCB still in
init state. Address:98:03:d8:ae:b2:34'
       hostname: '192.168.x.y'
       program_name: 'Cisco-WAC'
       log: '*Feb 26 08:38:36.316:
%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not
Register IP Add on MSCB. MSCB still in init state.
Address:98:03:d8:ae:b2:34'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

There is no srcip, so of course the rule won't match.

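A corrected version of the rule, added here as an example and not taken from the thread: the Phase 1 output above shows that pre-decoding only produced hostname, program_name and the log body (no decoder matched, so srcip is never set), and rule 1002 is the one this event currently hits, so the override keys on those fields. The 192.168.x.y value is the thread's own redacted address.

```xml
<!-- local_rules.xml: silence the Cisco WAC "Could not Register IP Add on MSCB" noise.
     Added example, not from the thread. It matches only on fields that
     ossec-logtest's pre-decoding actually filled in (hostname, program_name,
     the log text); <srcip> can never match because no decoder sets it. -->
<group name="local,syslog,">
  <rule id="100002" level="2">
    <!-- child of 1002, the generic "Unknown problem" rule this event fires -->
    <if_sid>1002</if_sid>
    <!-- 192.168.x.y is the redacted controller address from the thread -->
    <hostname>192.168.x.y</hostname>
    <program_name>Cisco-WAC</program_name>
    <match>APF-4-REGISTER_IPADD_ON_MSCB_FAILED</match>
    <options>no_email_alert</options>
    <description>Cisco WAC: MSCB still in init state (known issue, email suppressed).</description>
  </rule>
</group>
```

Run the sample line through ossec-logtest again; Phase 3 should now report rule 100002 instead of 1002, and the alert is still logged but no longer mailed.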

> ossec-logtest doesn't seem to accept the -f switch (in my install), did you
> mean -d for debug? Attached the output I got with -d.
>
> Best,
> Fredrik
>
> On Tuesday, February 26, 2013 12:07:51 AM UTC+1, srossan wrote:
>>
>> I don't see how your log is related to rule 1002 ( <if_sid>1002</if_sid>).
>> I suggest you remove this line as well. You can test your new rule with
>> ossec-logtest -f, it will give you insight on your rules hierarchy.
>>
>> -Stephane
>>
>> On Feb 25, 2013 2:56 PM, "Kevin Kelly" <ke...@whitman.edu> wrote:
>> >
>> > I believe the problem is: <srcip>192.168.x.y</srcip>
>> >
>> > There is no IP address in the log entry, so the source IP will never
>> > match.  Maybe you could use <hostname></hostname> instead?
>> >
>> > --
>> > Kevin Kelly
>> > Director, Network Technology
>> > Whitman College
>> >
>> > ________________________________
>> > From: "Fredrik" <fredri...@gmail.com>
>> > To: ossec...@googlegroups.com
>> >
>> > Sent: Monday, February 25, 2013 1:49:14 AM
>> > Subject: [ossec-list] Rule creation to suppress email alert
>> >
>> >
>> > Hello!
>> >
>> > I have read some of the similar posts, but can't seem to get it to work.
>> > I'm trying to stop the following (syslog) message from generating an alert -
>> > while the underlying cause is being dealt with:
>> >
>> > Feb 25 09:40:31.464 apf_foreignap.c:1281
>> > APF-4-REGISTER_IPADD_ON_MSCB_FAILED: Could not Register IP Add on MSCB.
>> > MSCB still in init state. Address:00:40:96:a7:50:c6
>> >
>> > I have added a rule to local_rules.xml:
>> >
>> >   <!-- This was put in place to silence alerts generated by the Cisco WAC -->
>> >   <rule id="100002" level="2">
>> >     <if_sid>1002</if_sid>
>> >     <srcip>192.168.x.y</srcip>
>> >     <match>%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: </match>
>> >     <options>no_email_alert</options>
>> >   </rule>
>> >
>> > I have tried different match-strings, with/without ip-address, but I
>> > can't seem to get a hit on my custom filter when using the ossec-logtest
>> > binary, and the message keeps generating email alerts.
>> >
>> > What have I got wrong?!
>> >
>> > Fredrik
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to ossec-list+...@googlegroups.com.
>>
>> > For more options, visit https://groups.google.com/groups/opt_out.