I'm wondering... maybe you can activate archive logging (the logall option) and
check whether the alert is working. I mean, if the alert shows up in the archives, we
will know that the issue is mail related and not about rule decoding.



2015-11-13 8:40 GMT-08:00 Daniel Bray <dbray...@gmail.com>:

> Sorry about that, it is just a simple typo. I didn't want to copy and paste
> the actual rule, as it had some semi-private information in it. I copied
> and pasted my actual rule 100005 to a test rule 100007, so please just
> ignore that. Here is the actual updated test rule I'm trying:
>
>   <rule id="100007" level="0">
>     <if_sid>1002</if_sid>
>     <hostname>testserver</hostname>
>     <program_name>mip</program_name>
>     <regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame</regex>
>     <description>Ignore MIP Alerts</description>
>   </rule>
>
> Here is the current log entry I'm testing:
> Nov 13 16:07:17 testserver mip:  : HAEngine : WARNING   :     2 : Replay protection check failed
>
> And here is the current results:
> **Phase 1: Completed pre-decoding.
>        full event: 'Nov 13 16:07:17 testserver mip:  : HAEngine : WARNING   :     2 : Replay protection check failed'
>        hostname: 'testserver'
>        program_name: 'mip'
>        log: ' : HAEngine : WARNING   :     2 : Replay protection check failed'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100007'
>        Level: '0'
>        Description: 'Ignore MIP Alerts'
>
>
> However, the email alerts are still coming in. I'm trying to start some of
> this up in debug mode, so I can gather further information.
>
>
>
>
> On Fri, Nov 13, 2015 at 11:27 AM, dan (ddp) <ddp...@gmail.com> wrote:
>
>> On Fri, Nov 13, 2015 at 11:16 AM, Pedro S. <snao...@gmail.com> wrote:
>> > My confusion was that the rule he wrote here has SID 100005 and the logtest
>> > result has SID 100007, sorry about that.
>> >
>>
>> You're right, I totally missed that. Now I'm wondering what 100007 is.
>>
>> > Still, I'll try to create a generic rule to make sure OSSEC is loading
>> > new rules.
>> >
>> > Anyway, if Dan has already tested it, the rule is working; it should be
>> > that your OSSEC is not loading the rule properly.
>> >
>> >
>> > On Friday, November 13, 2015, 8:04:05 (UTC-8), dan (ddpbsd)
>> wrote:
>> >>
>> >> On Fri, Nov 13, 2015 at 10:59 AM, Pedro S. <sna...@gmail.com> wrote:
>> >> > Hi Daniel,
>> >> >
>> >> > The alert you changed to level 0 isn't the same one that you wrote
>> >> > some lines before, is it?
>> >> > You set rule SID 100005 to 0, but the alert you show us has SID 1002.
>> >> >
>> >>
>> >> The log message used in the ossec-logtest example matches the log
>> >> message that is in the alert. The problem is that ossec-logtest shows
>> >> that the log message should match rule 100005, but ossec-analysisd is
>> >> matching the log message to 1002.
>> >>
>> >>
>> >> > For testing purposes, try to deactivate (change to level 0) rule 1002
>> >> > and check if it is still generating these alerts.
>> >> >
>> >>
>> >> Don't do this. There's no reason to change that to 0. Even for
>> >> testing. I've been using OSSEC for a little while now, and I don't
>> >> think that would have ever helped with anything.
>> >>
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > On Friday, November 13, 2015, 7:44:37 (UTC-8), Daniel Bray
>> >> > wrote:
>> >> >>
>> >> >> On Friday, November 13, 2015 at 10:33:04 AM UTC-5, Daniel Bray
>> wrote:
>> >> >>>>
>> >> >>>>  I'm waiting to see if it generates an alert.
>> >> >>>
>> >> >>>
>> >> >>
>> >> >>
>> >> >> Nope, issue remains. Very confusing.
>> >> >

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

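The matching chain the thread is debugging, as an added example that is not part of the original posts and not OSSEC's own code: a small Python model of pre-decoding (phase 1), the if_sid parent/child check (phase 3) and OSSEC's two pattern syntaxes, run over the quoted log line plus three constructed variants. The stand-in for rule 1002 uses a constructed bad-word subset, the match/regex translation covers only OSSEC's documented subset of its syntax, and the rule fields are checked in a simplified order; all of that is assumed, not taken from the OSSEC source.

```python
import re

# Constructed sample input (not taken from OSSEC or from the list archive):
# line 1 is the syslog line quoted in the thread; the others are variants
# built here to show when the level-0 rule does NOT apply.
SAMPLE_LINES = [
    "Nov 13 16:07:17 testserver mip:  : HAEngine : WARNING   :     2 : Replay protection check failed",
    "Nov 13 16:07:17 testserver mip:  : HAEngine : ERROR   :     2 : Replay protection check failed",
    "Nov 13 16:07:17 otherhost mip:  : HAEngine : WARNING   :     2 : Replay protection check failed",
    "Nov 13 16:07:18 testserver mip:  : HAEngine : INFO   :     1 : heartbeat ok",
]

# Assumed stand-in for OSSEC's generic rule 1002: a level-2 rule whose <match>
# is an OR list of "bad words".  The real list is longer; this constructed
# subset is enough to exercise the sample lines ("failed" is the hit).
PARENT_RULE = {"id": "1002", "level": 2, "match": "error|failure|failed|denied"}

# Rule 100007 as posted in the thread (regex re-joined onto one line).
CHILD_RULES = [{
    "id": "100007", "level": 0, "if_sid": "1002",
    "hostname": "testserver", "program_name": "mip",
    "regex": r"HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame",
}]

# Phase 1: split a BSD-syslog header into hostname, program_name and the 'log'
# field.  Exactly one space after "prog:" is dropped, which is why ossec-logtest
# shows the log field starting with " : HAEngine".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s:\[]+)(?:\[\d+\])?:(?: )?"
    r"(?P<log>.*)$"
)

def predecode(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def ossec_match(pattern, text):
    """OSSEC 'match' syntax (used by <match>, <hostname>, <program_name>):
    '|'-separated literal alternatives, each optionally anchored with ^ / $,
    otherwise a case-sensitive substring test."""
    for alt in pattern.split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        lit = alt[head:len(alt) - tail]
        if re.search("^" * head + re.escape(lit) + "$" * tail, text):
            return True
    return False

# OSSEC 'regex' syntax differs from PCRE: '\.' means "any character", a bare
# '.' is a literal dot, and \w \d \s \t \p \W \D \S are fixed classes.  Only
# that documented subset is translated here (assumed enough for typical rules).
_PUNCT = "()*+,-.:;<=>?[]!\"'#$%&|{}"
_OSSEC_CLASSES = {
    "w": "[A-Za-z0-9_]", "W": "[^A-Za-z0-9_]", "d": "[0-9]", "D": "[^0-9]",
    "s": " ", "S": "[^ ]", "t": "\t", ".": ".",
    "p": "[" + "".join(re.escape(ch) for ch in _PUNCT) + "]",
}

def ossec_regex_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_OSSEC_CLASSES.get(nxt, re.escape(nxt)))  # \$ etc. stay literal
            i += 2
        elif c in "^$|()*+":          # same meaning in both syntaxes
            out.append(c)
            i += 1
        else:
            out.append(re.escape(c))  # everything else, including '.', is literal
            i += 1
    return "".join(out)

def rule_matches(rule, event):
    """Field checks of one rule: hostname/program_name against the pre-decoded
    header fields, <match> and <regex> against the decoded 'log' field only."""
    if "hostname" in rule and not ossec_match(rule["hostname"], event["hostname"]):
        return False
    if "program_name" in rule and not ossec_match(rule["program_name"], event["program_name"]):
        return False
    if "match" in rule and not ossec_match(rule["match"], event["log"]):
        return False
    if "regex" in rule and not re.search(ossec_regex_to_python(rule["regex"]), event["log"]):
        return False
    return True

def evaluate(line):
    """Phase 3 for one line: an if_sid child can only override its parent on
    events the parent already matched, and a level-0 winner is dropped
    (no alert, no mail) rather than reported."""
    event = predecode(line)
    if event is None or not rule_matches(PARENT_RULE, event):
        return None
    winner = PARENT_RULE
    for child in CHILD_RULES:
        if child["if_sid"] == PARENT_RULE["id"] and rule_matches(child, event):
            winner = child
            break
    return {"rule_id": winner["id"], "level": winner["level"], "alert": winner["level"] > 0}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(evaluate(line), "<-", line)
```

Run as-is, the quoted line lands on 100007 at level 0 and is dropped, the ERROR and otherhost variants fall back to the level-2 parent and would alert, and the INFO heartbeat fires nothing at all because rule 1002 never matched it, so a child hanging off if_sid 1002 cannot silence it either. Like ossec-logtest, this only shows what the loaded ruleset does with a line; it cannot tell whether the running analysisd has actually reloaded the new rule or whether the mail came from a different event, which is what the archives check is for.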