Hi again,

Not completely sure what I did to resolve the issue, but it seems like the 
messages are suppressed now. I tried a few changes to the rule, but I'm 
now back to using:

  <rule id="100002" level="2">
    <if_sid>1002</if_sid>
    <hostname>192.168.x.y</hostname>
    <match>%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: </match>
    <options>no_email_alert</options>
  </rule>

If I run it through ./ossec-logtest -d, I can see that my local_rule is 
triggered:

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '2'
       Description: '(null)'
**Alert to be generated.

Best regards.
Fredrik
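
To make the behaviour in this thread concrete, here is a small Python model of the OSSEC rule hierarchy. It is an added example for this page, not code from OSSEC or from anyone in the thread. It mimics the three phases ossec-logtest prints (pre-decoding of the syslog header, no decoder, rule filtering) and runs the sample log line through the three rules discussed: the original `<srcip>` version, the final `<hostname>` version, and Stephane's standalone level-6 rule. Assumptions, all constructed for the model: rule 1002 is a stand-in for the stock "Unknown problem somewhere in the system" rule (a few bad words plus `alert_by_email`); `<match>` and `<hostname>` are treated as case-insensitive substring tests; sibling rules are tried from the highest level down, as the `-f` trace in the thread shows; `email_alert_level` is 7, the ossec.conf default; the hostname `192.168.x.y` is the placeholder used in the thread and would not be accepted as a real `<srcip>` value.

```python
"""Toy model of OSSEC-style rule evaluation (constructed for this thread; not OSSEC code)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

EMAIL_ALERT_LEVEL = 7  # ossec.conf default: lower levels only mail via alert_by_email

# Constructed stand-in for the stock rule 1002 ("Unknown problem somewhere in the system"):
# a few bad words plus alert_by_email, which is why a level-2 match still produces mail.
BASE_RULES = """<rule id="1002" level="2">
  <match>failure|error|denied|failed|fatal</match>
  <options>alert_by_email</options>
  <description>Unknown problem somewhere in the system.</description>
</rule>"""

# The three local rules discussed in the thread; 192.168.x.y is the placeholder used there.
VARIANTS = {
    "srcip (original post)": """<rule id="100002" level="2"><if_sid>1002</if_sid>
  <srcip>192.168.x.y</srcip><match>%APF-4-REGISTER_IPADD_ON_MSCB_FAILED:</match>
  <options>no_email_alert</options></rule>""",
    "hostname (final rule)": """<rule id="100002" level="2"><if_sid>1002</if_sid>
  <hostname>192.168.x.y</hostname><match>%APF-4-REGISTER_IPADD_ON_MSCB_FAILED:</match>
  <options>no_email_alert</options></rule>""",
    "standalone level 6 (Stephane)": """<rule id="102560" level="6">
  <match>%APF-4-REGISTER_IPADD_ON_MSCB_FAILED:</match>
  <description>Could not Register IP Add on MSCB. MSCB still in init state.</description></rule>""",
}

# The sample event posted in the thread (placeholder hostname as posted).
SAMPLE_LINE = ("Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26 08:38:36.316: "
               "%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not "
               "Register IP Add on MSCB. MSCB still in init state. Address:98:03:d8:ae:b2:34")

@dataclass
class Rule:
    id: int
    level: int
    if_sid: Optional[int]
    match: list            # lower-cased alternatives from <match>, split on '|'
    hostname: Optional[str]
    srcip: Optional[str]
    options: set
    description: str
    children: list = field(default_factory=list)

def load_rules(xml_text: str) -> list:
    """Parse <rule> elements and hang each rule under its <if_sid> parent."""
    rules = []
    for el in ET.fromstring(f"<group>{xml_text}</group>").iter("rule"):
        def text(tag, el=el):
            return (el.findtext(tag) or "").strip() or None
        rules.append(Rule(
            id=int(el.get("id")), level=int(el.get("level", "0")),
            if_sid=int(text("if_sid")) if text("if_sid") else None,
            match=[m.lower() for m in (text("match") or "").split("|") if m],
            hostname=text("hostname"), srcip=text("srcip"),
            options=set((text("options") or "").split(",")) - {""},
            description=text("description") or "(null)"))
    by_id = {r.id: r for r in rules}
    for r in rules:
        if r.if_sid is not None:
            by_id[r.if_sid].children.append(r)
    roots = [r for r in rules if r.if_sid is None]
    # Siblings are tried from the highest level down, as the -f trace in the thread shows (assumption).
    for group in [roots] + [r.children for r in rules]:
        group.sort(key=lambda r: -r.level)
    return roots

SYSLOG_HDR = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<hostname>\S+) (?P<program>[^\s:]+): (?P<log>.*)$")

def predecode(line: str) -> dict:
    """Phase 1: split the syslog header. No decoder matches this log, so srcip stays None."""
    m = SYSLOG_HDR.match(line)
    hostname, program, log = (m["hostname"], m["program"], m["log"]) if m else (None, None, line)
    return {"hostname": hostname, "program_name": program, "log": log, "srcip": None}

def rule_fits(rule: Rule, ev: dict) -> bool:
    """<match>/<hostname> as case-insensitive substring tests (assumption); <srcip> needs a decoded IP."""
    if rule.match and not any(m in ev["log"].lower() for m in rule.match):
        return False
    if rule.hostname and not (ev["hostname"] and rule.hostname.lower() in ev["hostname"].lower()):
        return False
    if rule.srcip and ev["srcip"] != rule.srcip:  # no decoder -> srcip is None -> never matches
        return False
    return True

def evaluate(rules: list, ev: dict) -> Optional[Rule]:
    """Phase 3: the first fitting sibling wins, then its children are tried; the deepest match is final."""
    for rule in rules:
        if rule_fits(rule, ev):
            return evaluate(rule.children, ev) or rule
    return None

def sends_email(rule: Rule) -> bool:
    if "no_email_alert" in rule.options:
        return False
    return "alert_by_email" in rule.options or rule.level >= EMAIL_ALERT_LEVEL

def classify(line: str, variant_xml: str):
    """(rule id, level, email?) for the line under BASE_RULES plus one local-rule variant."""
    rule = evaluate(load_rules(BASE_RULES + variant_xml), predecode(line))
    return (None, 0, False) if rule is None else (rule.id, rule.level, sends_email(rule))

if __name__ == "__main__":
    for name, xml in VARIANTS.items():
        print(f"{name:30} -> (rule, level, email) = {classify(SAMPLE_LINE, xml)}")
```

Running it reproduces the thread's outcomes in miniature: with `<srcip>` the child rule never fits because no decoder supplied a source IP, so the event falls back to 1002 and its `alert_by_email` option sends mail; with `<hostname>` the child rule 100002 fits and `no_email_alert` silences it; Stephane's level-6 rule is tried before the level-2 rule 1002 and wins on its own, staying below the email threshold.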


On Tuesday, February 26, 2013 4:04:24 PM UTC+1, srossan wrote:
>
> Hi Fredrik,
>
> I really meant ossec-logtest -f.
> Here is my example with your log:
> # /apps/ossec/bin/ossec-logtest -f
> 2013/02/26 14:54:43 ossec-testrule: INFO: Reading local decoder file.
> 2013/02/26 14:54:43 ossec-testrule: INFO: Started (pid: 3245).
> ossec-testrule: Type one log per line.
>
> Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26 08:38:36.316: 
> %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not 
> Register IP Add on MSCB. MSCB still in init state. Address:98:03:d8:ae:b2:34
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26 
> 08:38:36.316: %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 
> Could not Register IP Add on MSCB. MSCB still in init state. 
> Address:98:03:d8:ae:b2:34'
>        hostname: '192.168.x.y'
>        program_name: 'Cisco-WAC'
>        log: '*Feb 26 08:38:36.316: %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: 
> apf_foreignap.c:1281 Could not Register IP Add on MSCB. MSCB still in init 
> state. Address:98:03:d8:ae:b2:34'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Rule debugging:
>     Trying rule: 1 - Generic template for all syslog rules.
>        *Rule 1 matched.
>        *Trying child rules.
>     Trying rule: 5500 - Grouping of the pam_unix rules.
>     Trying rule: 5700 - SSHD messages grouped.
>     Trying rule: 5600 - Grouping for the telnetd rules
>     Trying rule: 2100 - NFS rules grouped.
>     Trying rule: 2507 - OpenLDAP group.
>     Trying rule: 2550 - rshd messages grouped.
>     Trying rule: 2701 - Ignoring procmail messages.
>     Trying rule: 2800 - Pre-match rule for smartd.
>     Trying rule: 5100 - Pre-match rule for kernel messages
>     Trying rule: 5200 - Ignoring hpiod for producing useless logs.
>     Trying rule: 2830 - Crontab rule group.
>     Trying rule: 5300 - Initial grouping for su messages.
>     Trying rule: 5400 - Initial group for sudo messages
>     Trying rule: 9100 - PPTPD messages grouped
>     Trying rule: 9200 - Squid syslog messages grouped
>     Trying rule: 2900 - Dpkg (Debian Package) log.
>     Trying rule: 2930 - Yum logs.
>     Trying rule: 2931 - Yum logs.
>     Trying rule: 7200 - Grouping of the arpwatch rules.
>     Trying rule: 7300 - Grouping of Symantec AV rules.
>     Trying rule: 7400 - Grouping of Symantec Web Security rules.
>     Trying rule: 4300 - Grouping of PIX rules
>     Trying rule: 12100 - Grouping of the named rules
>     Trying rule: 13100 - Grouping for the smbd rules.
>     Trying rule: 13106 - (null)
>     Trying rule: 11400 - Grouping for the vsftpd rules.
>     Trying rule: 11300 - Grouping for the pure-ftpd rules.
>     Trying rule: 11200 - Grouping for the proftpd rules.
>     Trying rule: 11500 - Grouping for the Microsoft ftp rules.
>     Trying rule: 11100 - Grouping for the ftpd rules.
>     Trying rule: 9300 - Grouping for the Horde imp rules.
>     Trying rule: 9400 - Roundcube messages groupe.d
>     Trying rule: 9500 - Wordpress messages grouped.
>     Trying rule: 9600 - cimserver messages grouped.
>     Trying rule: 9900 - Grouping for the vpopmail rules.
>     Trying rule: 9800 - Grouping for the vm-pop3d rules.
>     Trying rule: 3900 - Grouping for the courier rules.
>     Trying rule: 30100 - Apache messages grouped.
>     Trying rule: 31300 - Nginx messages grouped.
>     Trying rule: 31404 - PHP Warning message.
>     Trying rule: 31405 - PHP Fatal error.
>     Trying rule: 31406 - PHP Parse error.
>     Trying rule: 50100 - MySQL messages grouped.
>     Trying rule: 50500 - PostgreSQL messages grouped.
>     Trying rule: 4700 - Grouping of Cisco IOS rules.
>     Trying rule: 4500 - Grouping for the Netscreen Firewall rules
>     Trying rule: 4800 - SonicWall messages grouped.
>     Trying rule: 3300 - Grouping of the postfix reject rules.
>     Trying rule: 3320 - Grouping of the postfix rules.
>     Trying rule: 3390 - Grouping of the clamsmtpd rules.
>     Trying rule: 3100 - Grouping of the sendmail rules.
>     Trying rule: 3190 - Grouping of the smf-sav sendmail milter rules.
>     Trying rule: 3600 - Grouping of the imapd rules.
>     Trying rule: 3700 - Grouping of mailscanner rules.
>     Trying rule: 9700 - Dovecot Messages Grouped.
>     Trying rule: 3800 - Grouping of Exchange rules.
>     Trying rule: 14100 - Grouping of racoon rules.
>     Trying rule: 14200 - Grouping of Cisco VPN concentrator rules
>     Trying rule: 3500 - Grouping for the spamd rules
>     Trying rule: 7600 - Grouping of Trend OSCE rules.
>     Trying rule: 31200 - Grouping of Zeus rules.
>     Trying rule: 6100 - Solaris BSM Auditing messages grouped.
>     Trying rule: 19100 - VMWare messages grouped.
>     Trying rule: 19101 - VMWare ESX syslog messages grouped.
>     Trying rule: 6300 - Grouping for the MS-DHCP rules.
>     Trying rule: 6350 - Grouping for the MS-DHCP rules.
>     Trying rule: 6200 - Asterisk messages grouped.
>     Trying rule: 600 - Active Response Messages Grouped
>     Trying rule: 100210 - (null)
>     Trying rule: 100460 - (null)
>     Trying rule: 100600 - Puppet alerts
>     Trying rule: 100825 - (null)
>     Trying rule: 100900 - (null)
>     Trying rule: 101110 - (null)
>     Trying rule: 101400 - (null)
>     Trying rule: 101500 - (null)
>     Trying rule: 101700 - (null)
>     Trying rule: 101800 - (null)
>     Trying rule: 101900 - (null)
>     Trying rule: 102000 - (null)
>     Trying rule: 102100 - (null)
>     Trying rule: 102200 - (null)
>     Trying rule: 102300 - (null)
>     Trying rule: 102500 - (null)
>     Trying rule: 102513 - (null)
>     Trying rule: 102515 - (null)
>     Trying rule: 102517 - (null)
>     Trying rule: 102520 - (null)
>     Trying rule: 102523 - (null)
>     Trying rule: 102527 - (null)
>     Trying rule: 102530 - (null)
>     Trying rule: 102583 - (null)
>     Trying rule: 102593 - OSPF Event
>     Trying rule: 102610 - (null)
>     Trying rule: 103100 - (null)
>     Trying rule: 103200 - (null)
>     Trying rule: 40102 - Buffer overflow attack on rpc.statd
>     Trying rule: 40103 - Buffer overflow on WU-FTPD versions prior to 2.6
>     Trying rule: 40107 - Heap overflow in the Solaris cachefsd service.
>     Trying rule: 1003 - Non standard syslog message (size too large).
>     Trying rule: 40104 - Possible buffer overflow attempt.
>     Trying rule: 40105 - "Null" user changed some information.
>     Trying rule: 40106 - Buffer overflow attempt (probably on yppasswd).
>     Trying rule: 40109 - Stack overflow attempt or program exiting with 
> SEGV (Solaris).
>     Trying rule: 101600 - Backend or SAN problem, please check on this 
> host ASAP!
>     Trying rule: 2301 - Excessive number connections to a service.
>     Trying rule: 2502 - User missed the password more than one time
>     Trying rule: 101610 - Filesystem read-only
>     Trying rule: 102596 - Bad chunk reference count
>     Trying rule: 100433 - Unlicensed decider
>     Trying rule: 101930 - Storage LUN is offline - Possible issue with SAN 
> backend
>     Trying rule: 100300 - Expired LDAP passwd for a user.
>     Trying rule: 2504 - Illegal root login. 
>     Trying rule: 7101 - Problems with the tripwire checking
>     Trying rule: 5901 - New group added to the system
>     Trying rule: 5902 - New user added to the system
>     Trying rule: 5904 - Information from the user was changed
>     Trying rule: 12110 - Serial number from master is lower than stored.
>     Trying rule: 12111 - Unable to perform zone transfer.
>     Trying rule: 18128 - Group account added/changed/deleted.
>     Trying rule: 1007 - File system full.
>     Trying rule: 30200 - Modsecurity alert.
>     Trying rule: 100230 - Missing Yum repo
>     Trying rule: 100310 - ssh conversation failed
>     Trying rule: 100436 - Possible issue with decider process
>     Trying rule: 101200 - Issue with alert.pl script
>     Trying rule: 101300 - Check on the system, suspicious error
>     Trying rule: 101520 - nss_ldap can not contact LDAP server
>     Trying rule: 101620 - Backend or SAN problem, please investigate ASAP!
>     Trying rule: 102512 - SSL Certificate issue
>     Trying rule: 102522 - VPC errors
>     Trying rule: 102540 - packet checksum error in input
>     Trying rule: 102541 - Post decode processing failed for Config status
>     Trying rule: 102542 - Failed to retrieve timer
>     Trying rule: 102543 - Failed to delete PMK cache entry
>     Trying rule: 102544 - Could not Process 802.11 MAC mgmt Data. Invalid 
> toDs/fromDs bit set - packet ignored.
>     Trying rule: 102545 - Unable to delete ARP mapping
>     Trying rule: 102546 - Received replay error on slot
>     Trying rule: 102547 - DHCP Binding service port failed.
>     Trying rule: 102548 - Retransmission count exceeded max, ignoring as 
> the ethernet is overloaded
>     Trying rule: 102551 - list 111 denied tcp
>     Trying rule: 102552 - Authentication failed
>     Trying rule: 102553 - Failed to process an association request
>     Trying rule: 102554 - decrypt: replay check failed
>     Trying rule: 102555 - Failed to process an association request
>     Trying rule: 102556 - Problem with SSL VPN client connection
>     Trying rule: 102557 - station not using WPA or WPA2 on WLAN requiring 
> WPA and/or WPA2
>     Trying rule: 102558 - Unable to delete username from mobile
>     Trying rule: 102559 - Failed to retrive timer.
>     Trying rule: 102560 - Could not Register IP Add on MSCB. MSCB still in 
> init state.
>        *Rule 102560 matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '102560'
>        Level: '6'
>        Description: 'Could not Register IP Add on MSCB. MSCB still in init 
> state.'
> **Alert to be generated.
>
> Here is my rule:
> <rule id="102560" level="6">
>     <match>%APF-4-REGISTER_IPADD_ON_MSCB_FAILED:</match>
>     <description>Could not Register IP Add on MSCB. MSCB still in init 
> state.</description>
>   </rule>
>
> In my environment, I don't generate any email for level 6 and below. This 
> rule is a quick and dirty one, allowing me to log the alert, with no 
> generation of email. We use Sumo Logic for log aggregation; it is like 
> Splunk. I use OSSEC 2.6 on Linux:
> # /apps/ossec/bin/ossec-logtest -h
>  
> OSSEC HIDS v2.6 - Trend Micro Inc. ([email protected])
> http://www.ossec.net
>  
>   ossec-testrule: -[Vhdt] [-u user] [-g group] [-c config] [-D dir]
>     -V          Version and license message
>     -h          This help message
>     -d          Execute in debug mode
>     -t          Test configuration
>     -f          Run in foreground
>     -u <user>   Run as 'user'
>     -g <group>  Run as 'group'
>     -c <config> Read the 'config' file
>     -D <dir>    Chroot to 'dir'
>
> I hope it helps.
>
>
> On Tue, Feb 26, 2013 at 12:46 AM, Fredrik <[email protected]> wrote:
>
>> Hi Stephane, 
>>
>>
>> Thanks for your post! Sorry, my bad - the example I sent was generic and 
>> not an exact message from the logs :( Please find a "real" sample below. 
>>
>> Feb 26 09:54:19 192.168.x.y Cisco-WAC: *Feb 26 08:38:36.316: 
>> %APF-4-REGISTER_IPADD_ON_MSCB_FAILED: apf_foreignap.c:1281 Could not 
>> Register IP Add on MSCB. MSCB still in init state. Address:98:03:d8:ae:b2:34
>>
>> ossec-logtest doesn't seem to accept the -f switch (in my install); did 
>> you mean -d for debug? Attached is the output I got with -d.
>>
>> Best,
>> Fredrik
>>
>> On Tuesday, February 26, 2013 12:07:51 AM UTC+1, srossan wrote:
>>
>>> I don't see how your log is related to rule 1002 
>>> (<if_sid>1002</if_sid>). I suggest you remove this line as well. You can 
>>> test your new rule with ossec-logtest -f, which will give you insight into 
>>> your rules hierarchy. 
>>>
>>> -Stephane
>>>
>>> On Feb 25, 2013 2:56 PM, "Kevin Kelly" <[email protected]> wrote:
>>> >
>>> > I believe the problem is: <srcip>192.168.x.y</srcip>
>>> >
>>> > There is no IP address in the log entry, so the source IP will never 
>>> match.  Maybe you could use <hostname></hostname> instead?
>>> >
>>> > --
>>> > Kevin Kelly
>>> > Director, Network Technology
>>> > Whitman College
>>> >
>>> > ________________________________
>>> > From: "Fredrik" <[email protected]>
>>> > To: [email protected]
>>>
>>> > Sent: Monday, February 25, 2013 1:49:14 AM
>>> > Subject: [ossec-list] Rule creation to supress email alert
>>> >
>>> >
>>> > Hello!
>>> >
>>> > I have read some of the similar posts, but can't seem to get it to 
>>> work. I'm trying to stop the following (syslog) message from generating an 
>>> alert - while the underlying cause is being dealt with:
>>> >
>>> > Feb 25 09:40:31.464 apf_foreignap.c:1281 APF-4-REGISTER_IPADD_ON_MSCB_FAILED: 
>>> Could not Register IP Add on MSCB. MSCB still in init state. 
>>> Address:00:40:96:a7:50:c6
>>> >
>>> > I have added a rule to local_rules.xml:
>>> >
>>> >  <!-- This was put in place to silence alerts generated by the Cisco WAC -->
>>> >   <rule id="100002" level="2">
>>> >     <if_sid>1002</if_sid>
>>> >     <srcip>192.168.x.y</srcip>
>>> >     <match>%APF-4-REGISTER_IPADD_ON_MSCB_FAILED: </match>
>>> >     <options>no_email_alert</options>
>>> >   </rule>
>>> >
>>> > I have tried different match-strings, with/without ip-address, but I 
>>> can't seem to get a hit on my custom filter when using the ossec-logtest 
>>> binary, and the message keeps generating email alerts.
>>> >
>>> > What have I got wrong?!
>>> >
>>> > Fredrik  
>>> >
>>> > -- 
>>> > --- 
>>> > You received this message because you are subscribed to the Google 
>>> Groups "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to ossec-list+...@googlegroups.com.
>>> > For more options, visit https://groups.google.com/groups/opt_out.
>>> >
>>>
>
>
