On Thu, Feb 25, 2016 at 1:50 PM, thak <tha.kel...@gmail.com> wrote:
> I've seen similar topics, so apologies if this has been answered several
> times but I want to make sure I get guidance for the most recent version!
>
> Loving OSSEC so far having set it up in our environment a few days ago.
> However, rule 1002 is particularly chatty given our Apache error logs.
> Basically, our application's identity API has a ping function that runs
> every 5 seconds to check for an authenticated session. It will do this even
> once the user's session has timed out, so long as that browser or tab is
> open. We have a lot of customers who time out but don't close the tab
> (understandably). So when the ping.json function runs, it generates a few
> log entries with the term "error", specifically
> https://app-identity.thak.com/idm/error/...
>
> In our application this is obviously expected, and we can purge error_log
> when it gets too big filling with this stuff, but OSSEC is piling up alerts
> multiple times per minute, and from our security perspective it's really
> just noise.
>
> Can I set up a local rule to
> <match>https://app-identity.thak.com/idm/error/</match> without an email
> alert that will trump the default "Unknown problem somewhere in the system"
> alert for logs containing "error" terminology? I'm really new to writing
> custom rules but it seems like that wouldn't be too difficult, and throwing
> that local rules file on our proxies would solve this problem.
>

Depending on the actual log, that should work. Add an
"<if_sid>1002</if_sid>" to your custom rule to make sure it overrides
the 1002 alerts.
So something like this:
<rule id="9999999" level="0">
  <if_sid>1002</if_sid>
  <match>https://app-identity.thak.com/idm/error/</match>
  <description>Ignore blah blah</description>
</rule>

Put that in place and use ossec-logtest to make sure it works.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
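As an added illustration (not code from the thread or from the OSSEC project), the script below sanity-checks a local rule of the kind suggested above before it goes onto the proxies. It embeds a constructed local_rules.xml carrying the override rule (with the id moved to 100100, an assumed value inside OSSEC's documented user-defined range of 100000-119999), checks that the rule is wired to rule 1002 at level 0, and then runs the <match> string against two constructed Apache error_log lines using OSSEC's plain-substring match semantics (only ^, $ and | are special in <match>; the referer path and client addresses in the sample lines are made up). The expected result is that the identity-API ping line is silenced while an unrelated error line still reaches rule 1002.

```python
"""Added example: check an OSSEC local override rule against sample log lines.

This is a stand-alone sanity check, not part of OSSEC; ossec-logtest remains
the authoritative way to verify a rule on the real host.
"""
import xml.etree.ElementTree as ET

# Constructed local_rules.xml. Rule id 100100 is an assumed value inside the
# user-defined range; <if_sid>1002</if_sid> makes this rule a child of 1002 so
# it wins over the generic "Unknown problem somewhere in the system" alert.
LOCAL_RULES_XML = """<group name="local,syslog,">
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <match>https://app-identity.thak.com/idm/error/</match>
    <description>Expected identity-API ping error, not a security event</description>
  </rule>
</group>
"""

# Constructed Apache error_log lines: one from the expected ping traffic, one
# that a defender still wants to see. Hosts, paths and addresses are made up.
CONSTRUCTED_LOGS = {
    "ping": "[Thu Feb 25 13:50:01 2016] [error] [client 10.0.0.5] File does not exist: "
            "/var/www/idm/error, referer: https://app-identity.thak.com/idm/error/session",
    "real": "[Thu Feb 25 13:52:10 2016] [error] [client 203.0.113.7] PHP Fatal error: "
            "Uncaught Exception in /var/www/idm/login.php",
}

USER_RULE_RANGE = range(100000, 120000)  # OSSEC's documented range for local rules


def parse_local_rules(xml_text):
    """Return a list of dicts describing each <rule> in a local_rules.xml string."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.iter("rule"):
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": [s.strip() for s in (r.findtext("if_sid") or "").split(",") if s.strip()],
            "match": r.findtext("match") or "",
            "description": (r.findtext("description") or "").strip(),
        })
    return rules


def check_override_rule(rule, parent_sid=1002):
    """List the problems that would stop `rule` from quietly overriding `parent_sid`."""
    problems = []
    if rule["id"] not in USER_RULE_RANGE:
        problems.append("rule id %d is outside the local range 100000-119999" % rule["id"])
    if str(parent_sid) not in rule["if_sid"]:
        problems.append("missing <if_sid>%d</if_sid>; the rule will not override it" % parent_sid)
    if rule["level"] != 0:
        problems.append("level is %d; level 0 is what silences the alert" % rule["level"])
    if not rule["match"]:
        problems.append("empty <match>: the rule would swallow every 1002 alert")
    if not rule["description"]:
        problems.append("missing <description>")
    return problems


def ossec_match(pattern, line):
    """Simplified model of OSSEC <match>: substring test, with ^ (start), $ (end) and | (or)."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        needle = alt[1 if anchored_start else 0: len(alt) - 1 if anchored_end else len(alt)]
        if anchored_start and anchored_end:
            hit = line == needle
        elif anchored_start:
            hit = line.startswith(needle)
        elif anchored_end:
            hit = line.endswith(needle)
        else:
            hit = needle in line
        if hit:
            return True
    return False


def suppressed_by(rules, line, parent_sid=1002):
    """Return the id of the level-0 child of `parent_sid` that silences `line`, or None.

    Assumes the parent (1002) already fired, as it does for any line containing 'error'.
    """
    for rule in rules:
        if str(parent_sid) in rule["if_sid"] and rule["level"] == 0 and ossec_match(rule["match"], line):
            return rule["id"]
    return None


if __name__ == "__main__":
    rules = parse_local_rules(LOCAL_RULES_XML)
    for rule in rules:
        print("rule %d: %s" % (rule["id"], check_override_rule(rule) or "ok"))
    for name, line in CONSTRUCTED_LOGS.items():
        print("%-4s -> suppressed by %s" % (name, suppressed_by(rules, line)))
```

The check is deliberately narrower than OSSEC itself: it only answers "would this child rule fire on this line, given that 1002 already did". Once it passes, feed the same sample lines to ossec-logtest on a proxy to confirm the real decoder and rule chain agree.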
