Hi Daniel,

not sure if that matters, but is your local rule in the same <group name=
"syslog,errors,"> as rule 1002 is? You sure you restarted the manager right?

Best

On Thu, Nov 12, 2015 at 7:06 AM, Daniel Bray <dbray...@gmail.com> wrote:

> I'm running ossec-hids-server-2.8.2-49.el6.art.x86_64 (Atomic repo)
>
> I've updated /var/ossec/rules/local_rules.xml with the following rule:
>
>   <rule id="100005" level="0">
>     <if_sid>1002</if_sid>
>     <hostname>testserver1|testserver2</hostname>
>     <program_name>mip</program_name>
>     <regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP
> segment frame</regex>
>     <description>Ignore MIP Alerts</description>
>   </rule>
>
>
> I've tested the rule with:
> ossec-testrule: Type one log per line.
>
> Nov 12 13:48:50 testserver1 mip:  : HAEngine : WARNING   :     2 : Replay
> protection check failed
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Nov 12 13:48:50 testserver1 mip:  : HAEngine : WARNING
>   :     2 : Replay protection check failed '
>        hostname: 'testserver1'
>        program_name: 'mip'
>        log: ' : HAEngine : WARNING   :     2 : Replay protection check
> failed '
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100007'
>        Level: '0'
>        Description: 'Ignore MIP Alerts'
>
>
>
> I've restarted everything, but the servers are still generating alerts:
>
> OSSEC HIDS Notification.
> 2015 Nov 12 14:58:37
>
> Received From: (testserver1)
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Nov 12 14:58:36 testserver1 mip:  : HAEngine : WARNING   :     2 : Replay
> protection check failed
>
>  --END OF NOTIFICATION
>
>
>
> Can anybody shed some light on what's going on, or what I should try next?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

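The ossec-logtest run quoted above shows the rule's three filters (hostname, program_name, regex) agreeing with the pre-decoded fields of that line. As an added example, not code from the thread or from OSSEC itself, here is a small Python re-implementation of those filters that can be run over sample syslog lines to check what a local rule would silence; the OSSEC-to-Python regex translation is an approximation of the documented `<regex>` syntax and is an assumption, as is matching `<regex>` against the log field shown in phase 1.

```python
import re

# Approximate translation of OSSEC os_regex escapes to Python re (assumption: taken from
# the documented <regex> syntax). Note that "\." means "any character" in OSSEC.
OSSEC_ESCAPES = {"w": r"[A-Za-z0-9@_\-]", "W": r"[^A-Za-z0-9@_\-]", "d": r"[0-9]", "D": r"[^0-9]",
                 "s": r" ", "S": r"[^ ]", "t": r"\t", ".": r".", "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]"""}

def ossec_regex_to_python(pattern):
    """Convert an OSSEC <regex> pattern into an equivalent Python regular expression."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):                # OSSEC escape sequence
            out.append(OSSEC_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        out.append(c if c in "*+|^$()" else re.escape(c))   # a bare '.' is literal in OSSEC
        i += 1
    return "".join(out)

def ossec_match(pattern, value):
    """OSSEC simple match used by <hostname>/<program_name>: '|' is OR, '^' and '$' anchor."""
    for alt in pattern.split("|"):
        core = re.escape(alt.lstrip("^").rstrip("$"))
        head, tail = ("^" if alt.startswith("^") else ""), ("$" if alt.endswith("$") else "")
        if re.search(head + core + tail, value):
            return True
    return False

SYSLOG = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) ([^\s:\[]+)(?:\[\d+\])?: ?(.*)$")

def predecode(line):
    """Split a syslog line into the hostname/program_name/log fields ossec-logtest shows in phase 1."""
    m = SYSLOG.match(line)
    return None if m is None else {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}

# Fields copied from the local rule posted in the thread.
RULE = {"hostname": "testserver1|testserver2", "program_name": "mip",
        "regex": r"HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame"}

def rule_matches(rule, line):
    """True when every filter of the rule matches the pre-decoded event."""
    ev = predecode(line)
    if ev is None:                                            # not a syslog line: nothing to filter on
        return False
    for field in ("hostname", "program_name"):
        if field in rule and not ossec_match(rule[field], ev[field]):
            return False
    return re.search(ossec_regex_to_python(rule["regex"]), ev["log"]) is not None
```

Feeding it the WARNING line from the thread returns True, and the same line from a host not listed in `<hostname>` returns False, which is the quickest way to see which filter is dropping a line when the live server and ossec-logtest disagree.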