On Sat, Mar 9, 2013 at 9:15 AM, Michael Lubinski <michael.lubin...@gmail.com> wrote:
> My rule looks like this:
>
> <rule id="100030" level="0">
> <if_sid>18149</if_sid>
> <srcip>X.X.X.X</srcip>
> <description>Ignored from X</description>
> </rule>
>
> I have the inside the default group, <group name="local,syslog,">. Is it
> something with that?
>
Can you provide a sample? It'd be easier for us to test if we had something to test. I'm wondering if the srcip isn't decoded (you don't see it in Phase 2 when you run the log through ossec-logtest).

>
> On Fri, Mar 8, 2013 at 1:19 PM, Jb Cheng <jjoob...@gmail.com> wrote:
>>
>> I tested the ignore local rule by modifying "rules/local_rules.xml".
>> The following works as expected -- no more alerts matching rule id 5715
>> and srcIP 10.2.3.4:
>>
>> <rule id="100002" level="0">
>> <if_sid>5715</if_sid>
>> <srcip>10.2.3.4</srcip>
>> <description>Example of rule that will ignore sshd </description>
>> <description>failed logins from IP 10.2.3.4.</description>
>> </rule>
>>
>> However, if I remove the <if_sid> line completely, it does not work ---
>> alerts from 10.2.3.4 still show up.
>>
>> Suggest putting <if_sid> in your local_rules.xml and test it again.
>>
>> On Thursday, March 7, 2013 7:51:04 PM UTC-8, Michael Lubinski wrote:
>>>
>>> Yeah. So at least I'm not crazy then. Can anyone else confirm this
>>> behavior?
>>>
>>> On Thu, Mar 7, 2013 at 9:48 PM, dan (ddpbsd) <ddp...@gmail.com> wrote:
>>>>
>>>> On Thursday, March 7, 2013 10:43:35 PM UTC-5, Michael Lubinski wrote:
>>>>>
>>>>> So using srcip in this way won't work?
>>>>>
>>>>
>>>> Your initial email suggests that this does not work.
>>>>
>>>>>
>>>>> On Thu, Mar 7, 2013 at 9:41 PM, dan (ddpbsd) <ddp...@gmail.com> wrote:
>>>>>>
>>>>>> On Thursday, March 7, 2013 10:32:51 PM UTC-5, Michael Lubinski wrote:
>>>>>>>
>>>>>>> Sorry, I'm new to OSSEC.
>>>>>>>
>>>>>>> I don't want to see logs generated by my scanner, so TO and FROM the
>>>>>>> scanner IP. How can I tell where the process is breaking down?
>>>>>>>
>>>>>>
>>>>>> Easier said than done. Take each log message you don't want to see and
>>>>>> create an ignore rule for it. It's a pain really.
>>>>>>
>>>>>>>
>>>>>>> On Thu, Mar 7, 2013 at 9:30 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> On Thu, Mar 7, 2013 at 10:20 PM, Michael Lubinski
>>>>>>>> <michael....@gmail.com> wrote:
>>>>>>>> > I cannot get a custom rule to work, a simple src or dst IP rule.
>>>>>>>> > Whenever I try to add srcip to a rule it's like the rule doesn't
>>>>>>>> > work. Here is an example:
>>>>>>>> >
>>>>>>>> > <rule id="100031" level="0">
>>>>>>>> > <srcip>x.x.x.x</srcip>
>>>>>>>> > <description>Ignoring traffic</description>
>>>>>>>> > </rule>
>>>>>>>> >
>>>>>>>>
>>>>>>>> What is the ultimate goal? Is srcip being decoded properly? What log
>>>>>>>> message is getting through that you don't want to see? Why do I have
>>>>>>>> to ask you to provide this information?
>>>>>>>>
>>>>>>>> > --
>>>>>>>> > ---
>>>>>>>> > You received this message because you are subscribed to the Google
>>>>>>>> > Groups "ossec-list" group.
>>>>>>>> > To unsubscribe from this group and stop receiving emails from it,
>>>>>>>> > send an email to ossec-list+...@googlegroups.com.
>>>>>>>> > For more options, visit https://groups.google.com/groups/opt_out.
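The two checks the thread converges on are that the ignore rule has a parent via `<if_sid>` (Jb Cheng's test: the same rule with `<if_sid>` removed stopped suppressing alerts) and that `srcip` is actually present in the decoder output (dan's question about Phase 2 of ossec-logtest). The following Python model is an added example, not OSSEC's code: it parses a `local_rules.xml` fragment built from the rules posted above, runs a toy Phase-2 decoder over constructed sshd log lines, and applies the two conditions. The function names `decode`, `load_ignore_rules` and `evaluate_ignore`, the sample log lines, and the treatment of a rule without `<if_sid>` as "not attached to the fired rule" are assumptions that mirror the behaviour reported in the thread, not a description of the real rule engine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment: rule 100002 as posted by Jb Cheng
# (parent + srcip) and a srcip-only rule in the shape of Michael's 100031.
LOCAL_RULES_XML = """
<group name="local,syslog,">
  <rule id="100002" level="0">
    <if_sid>5715</if_sid>
    <srcip>10.2.3.4</srcip>
    <description>Example of rule that will ignore sshd </description>
    <description>failed logins from IP 10.2.3.4.</description>
  </rule>
  <rule id="100031" level="0">
    <srcip>10.2.3.4</srcip>
    <description>Ignoring traffic</description>
  </rule>
</group>
"""

# Toy Phase-2 decoder (assumption, not an OSSEC decoder): pulls user and
# srcip out of an sshd failed-login line and returns {} for anything else.
SSHD_FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\d+\.\d+\.\d+\.\d+)"
)


def decode(log_line):
    """Return the decoded fields for one log line, or {} if nothing matched."""
    m = SSHD_FAILED.search(log_line)
    return m.groupdict() if m else {}


def load_ignore_rules(xml_text):
    """Parse level-0 rules into dicts with id, parent ids, srcip and description."""
    root = ET.fromstring(xml_text.strip())
    rules = []
    for rule in root.iter("rule"):
        if rule.get("level") != "0":
            continue
        if_sid = rule.findtext("if_sid")
        rules.append({
            "id": int(rule.get("id")),
            # <if_sid> may list several comma-separated parent ids.
            "if_sid": {int(s) for s in if_sid.split(",")} if if_sid else set(),
            "srcip": rule.findtext("srcip"),
            # Several <description> elements are concatenated, as in the posted rule.
            "description": "".join(d.text or "" for d in rule.findall("description")),
        })
    return rules


def evaluate_ignore(fired_rule_id, decoded, rules):
    """Return the id of the ignore rule that suppresses this event, or None.

    fired_rule_id is the rule that matched in Phase 3 (5715 in the thread);
    decoded is the Phase-2 field dict, which may lack srcip entirely.
    """
    for rule in rules:
        # Model of the thread's observation: a rule with no <if_sid> is not
        # attached to the fired rule, so it never gets a chance to suppress it.
        if not rule["if_sid"] or fired_rule_id not in rule["if_sid"]:
            continue
        # If the decoder produced no srcip there is nothing to compare against.
        if rule["srcip"] is not None and decoded.get("srcip") != rule["srcip"]:
            continue
        return rule["id"]
    return None


def run_logtest(log_line, fired_rule_id, rules):
    """Mimic the logtest view: decoded fields plus which ignore rule (if any) applied."""
    decoded = decode(log_line)
    return {"decoded": decoded, "ignored_by": evaluate_ignore(fired_rule_id, decoded, rules)}


if __name__ == "__main__":
    rules = load_ignore_rules(LOCAL_RULES_XML)
    # Constructed sample lines; 5715 is the parent id used in the thread.
    for line in (
        "Mar  7 22:20:01 host sshd[1234]: Failed password for invalid user admin from 10.2.3.4 port 4242 ssh2",
        "Mar  7 22:20:05 host sshd[1234]: Connection closed by 10.2.3.4",
    ):
        print(run_logtest(line, 5715, rules))
```

When the decoder returns no `srcip` (the second sample line), the rule cannot match no matter how it is written, which is exactly what a missing srcip in the Phase 2 output of ossec-logtest would indicate; when the field is decoded but the rule lacks `<if_sid>`, rule 100031 is never consulted, matching Jb Cheng's result.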