In case anyone is interested, my testing showed <expect>srcip</expect> is required for white_list to work and prevent active responses from being called if a particular host is responsible.
I have been able to massage ossec.conf to operate as required for my scenario by defining two commands (one that expects srcip and one that doesn't) and then defining active-responses based upon rules_group, rule_ids etc. Thanks for the help and clarifications on <expect>.

Glen

On Tuesday, February 10, 2015 at 8:13:35 AM UTC+10, Glen Leeder wrote:
>
> Thanks Dan,
>
> I've changed my rsyslog format to IP addresses instead of hosts and all is good.
>
> Do you know whether the <white_list> directive requires that <expect>srcip</expect> is specified or will it work without that?
>
> Glen
>
> On Monday, February 9, 2015 at 11:08:11 PM UTC+10, dan (ddpbsd) wrote:
>>
>> On Mon, Feb 9, 2015 at 4:26 AM, Glen Leeder <glen....@gmail.com> wrote:
>> > Hi,
>> >
>> > I'm using ossec 2.8.1 on Ubuntu 14.04 running locally only, no agents. I have the following local_rules.xml defined to exercise syslog monitoring:
>> >
>> > $ sudo more /var/ossec/rules/local_rules.xml
>> > <group name="ossectester,local">
>> >   <rule id="100000" level="5">
>> >     <match>OSSEC-TESTER-RULE</match>
>> >     <description>OSSEC Test Alert</description>
>> >   </rule>
>> > </group>
>> >
>> > When this rule triggers (by running 'logger "OSSEC-TESTER-RULE"'), an active response is executed due to this ossec.conf:
>> >
>> > <command>
>> >   <name>post2slack</name>
>> >   <executable>ar_slack.sh</executable>
>> >   <expect></expect>
>> >   <timeout_allowed>no</timeout_allowed>
>> > </command>
>> >
>> > <active-response>
>> >   <command>post2slack</command>
>> >   <location>local</location>
>> >   <level>4</level>
>> > </active-response>
>> >
>> > This works as expected provided I do not populate the command <expect> field. If I specify <expect>srcip</expect> the alert still triggers; however, the active response is no longer executed. The syslog entry ends up as something like:
>> >
>> > Feb 9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE
>> >
>>
>> There is no IP in this log message to be decoded, so it makes sense that AR won't be triggered if it expects there to be a source ip.
>>
>> > I can't determine from the documentation whether this should work or not. myhostname resolves to 127.0.0.1 but I haven't got any white_list IPs specified anyway (my end goal is to have some white_listing, which is why I specified srcip).
>> >
>> > Is there an implicit white_list default or another reason why specifying srcip causes the response to no longer execute?
>> > Is <expect>srcip</expect> required for white_list to work?
>> >
>> > Best regards,
>> > Glen
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
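The two-command arrangement Glen settled on, written out as an added ossec.conf example for anyone reading this later. This is not configuration posted in the thread: the second command name, the 10.0.0.5 white_list entry, the sshd "authentication_failed" group and the level 7 threshold are assumed for illustration. The element names OSSEC actually reads for per-rule binding are rules_id and rules_group, and white_list lives under global.

```xml
<ossec_config>
  <global>
    <!-- Hosts that must never be acted upon. The white_list is only
         consulted for commands that <expect>srcip</expect>, which is
         what the testing in this thread showed. Assumed values. -->
    <white_list>127.0.0.1</white_list>
    <white_list>10.0.0.5</white_list>
  </global>

  <!-- Command 1: requires a decoded source IP. If the decoder found no
       srcip in the log line, ossec will not run this command at all. -->
  <command>
    <name>post2slack-srcip</name>
    <executable>ar_slack.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- Command 2: expects nothing, so it fires even for messages with
       no IP, such as the plain 'logger "OSSEC-TESTER-RULE"' test. The
       white_list has no effect here because there is no srcip to compare. -->
  <command>
    <name>post2slack</name>
    <executable>ar_slack.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <!-- Bind the IP-less command to the test rule by id rather than by
       level, so it does not fire for every level-4+ alert. -->
  <active-response>
    <command>post2slack</command>
    <location>local</location>
    <rules_id>100000</rules_id>
  </active-response>

  <!-- Bind the srcip command to rules whose decoders do extract an IP
       (sshd failures here, assumed), so white_listed hosts are skipped. -->
  <active-response>
    <command>post2slack-srcip</command>
    <location>local</location>
    <rules_group>authentication_failed</rules_group>
    <level>7</level>
  </active-response>
</ossec_config>
```

After editing, restart ossec (/var/ossec/bin/ossec-control restart) and watch /var/ossec/logs/active-responses.log: a test alert from logger should show only post2slack running, while an ssh failure from a white_listed address should trigger the alert but no post2slack-srcip entry.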