Yes, below are the rule and the output of the test:

RULE :
<rule id="800001" level="0">
  <status>DENIED</status>
  <if_sid>1002</if_sid>
  <match>profile="docker-default"</match>
  <description>IGNORE RULE</description>
</rule>

TEST :
root@ossec-cloud:/var/ossec/bin# ./ossec-logtest
2016/03/30 10:00:39 ossec-testrule: INFO: Reading local decoder file.
2016/03/30 10:00:39 ossec-testrule: INFO: Started (pid: 6909).
ossec-testrule: Type one log per line.

Mar 30 09:00:02 cm0-cloud kernel: [956066.205797] type=1400
audit(1459328402.269:67693): apparmor="DENIED" operation="ptrace"
profile="docker-default" pid=9526 comm="ps" requested_mask="trace"
denied_mask="trace" peer="unconfined"

**Phase 1: Completed pre-decoding.
       full event: 'Mar 30 09:00:02 cm0-cloud kernel: [956066.205797]
type=1400 audit(1459328402.269:67693): apparmor="DENIED" operation="ptrace"
profile="docker-default" pid=9526 comm="ps" requested_mask="trace"
denied_mask="trace" peer="unconfined"'
       hostname: 'cm0-cloud'
       program_name: 'kernel'
       log: '[956066.205797] type=1400 audit(1459328402.269:67693):
apparmor="DENIED" operation="ptrace" profile="docker-default" pid=9526
comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"'

**Phase 2: Completed decoding.
       decoder: 'iptables'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


On Wed, Mar 30, 2016 at 12:00 PM, Pedro S <pe...@wazuh.com> wrote:

> Did you run ossec-logtest to verify that your log triggers the rule just
> created?
>
> Try to run it and paste the log, if the rule 800001 is not being fired
> something went wrong with the rule creation.
>
> On Wednesday, March 30, 2016 at 8:10:39 AM UTC+2, sandeep wrote:
>>
>> Hi Dan,
>>
>> Thanks for the detailed steps and rule. I tried the same and am still getting
>> the alert.
>> On 29-Mar-2016 9:07 PM, "dan (ddp)" <ddp...@gmail.com> wrote:
>>
>>> On Tue, Mar 29, 2016 at 11:29 AM, sandeep dubey
>>> <sandeep...@gmail.com> wrote:
>>> > Hi,
>>> >
>>> > I am getting this alert from all the hosts -
>>> >
>>> > Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400
>>> > audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace"
>>> > profile="docker-default" pid=21882 comm="ps" requested_mask="trace"
>>> > denied_mask="trace" peer="unconfined"
>>> >
>>> > To disable these alerts I have written this -
>>> > <rule id="1000500" level="7">
>>> > <options>no_email_alert</options>
>>> > <match>apparmor="DENIED"  profile="docker-default"</match>
>>> > <description>IGNORED RULE</description>
>>> > </rule>
>>> >
>>> > and restarted the ossec master service, but I am still getting the same alert.
>>> > What am I missing here?
>>> >
>>>
>>> The first step is to run the log message through ossec-logtest:
>>> ossec-testrule: Type one log per line.
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
>>> type=1400 audit(1459258202.301:67688): apparmor="DENIED"
>>> operation="ptrace" profile="docker-default" pid=21882 comm="ps"
>>> requested_mask="trace" denied_mask="trace" peer="unconfined"'
>>>        hostname: 'cmcloud'
>>>        program_name: 'kernel'
>>>        log: '[885866.238608] type=1400 audit(1459258202.301:67688):
>>> apparmor="DENIED" operation="ptrace" profile="docker-default"
>>> pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
>>> peer="unconfined"'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'iptables'
>>>        status: 'DENIED'
>>>        extra_data: 'ptrace'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '52002'
>>>        Level: '3'
>>>        Description: 'Apparmor DENIED'
>>> **Alert to be generated.
>>>
>>>
>>> So the log message is currently triggering rule 52002. We'll use this
>>> in our rule.
>>> The status is DENIED, which can also be useful.
>>> So we'll write a basic rule that tries to match on these:
>>>
>>> <rule id="800001" level="0">
>>>   <status>DENIED</status>
>>>   <match>profile="docker-default"</match>
>>>   <description>IGNORE RULE</description>
>>> </rule>
>>>
>>> I add this to /var/ossec/rules/local_rules.xml. I set the level to 0
>>> because I don't care about it.
>>> Then I rerun ossec-logtest:
>>> ossec-testrule: Type one log per line.
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
>>> type=1400 audit(1459258202.301:67688): apparmor="DENIED"
>>> operation="ptrace" profile="docker-default" pid=21882 comm="ps"
>>> requested_mask="trace" denied_mask="trace" peer="unconfined"'
>>>        hostname: 'cmcloud'
>>>        program_name: 'kernel'
>>>        log: '[885866.238608] type=1400 audit(1459258202.301:67688):
>>> apparmor="DENIED" operation="ptrace" profile="docker-default"
>>> pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
>>> peer="unconfined"'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'iptables'
>>>        status: 'DENIED'
>>>        extra_data: 'ptrace'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '800001'
>>>        Level: '0'
>>>        Description: 'IGNORE RULE'
>>>
>>> With the custom rule in place the log message is adequately ignored.
>>>
>>> > --
>>> > Regards,
>>> > Sandeep
>>> >
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google
>>> Groups
>>> > "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> an
>>> > email to ossec-list+...@googlegroups.com.
>>> > For more options, visit https://groups.google.com/d/optout.
>>>
>>>



-- 
Regards,
Sandeep

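Added example, not code from the thread or from the OSSEC project: a small Python checker that parses ossec-logtest output and reports why a suppression rule did not take effect. It makes one thing in the thread easy to see: in the run at the top, Phase 2 lists only the decoder and no status field, while in dan's runs the decoder produced status 'DENIED' and extra_data 'ptrace'. A rule's <status> option is compared against the decoded status, so <status>DENIED</status> has nothing to match until the decoder emits that field. The three sample outputs are constructed, with decoder, fields, rule ids and levels copied from the runs posted above; run_logtest() assumes ossec-logtest reads one log line from stdin and prints the phase output to stdout, and is not exercised here.

```python
"""Check which OSSEC rule a log line hits, by parsing ossec-logtest output.

Added example; not code from the thread or from OSSEC. The sample outputs are
constructed from the runs pasted in the thread (ids, levels and fields copied).
"""
import re
import subprocess

# logtest prints decoded fields and rule attributes as "       key: 'value'"
FIELD_RE = re.compile(r"^\s*([A-Za-z_ ]+?):\s*'(.*)'\s*$", re.M)

# dan's first run: decoder extracted status/extra_data, stock rule 52002 fires
SAMPLE_BEFORE = """**Phase 1: Completed pre-decoding.
       hostname: 'cmcloud'
       program_name: 'kernel'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       status: 'DENIED'
       extra_data: 'ptrace'

**Phase 3: Completed filtering (rules).
       Rule id: '52002'
       Level: '3'
       Description: 'Apparmor DENIED'
**Alert to be generated.
"""

# dan's second run: custom rule 800001 at level 0, so no alert line is printed
SAMPLE_AFTER = """**Phase 2: Completed decoding.
       decoder: 'iptables'
       status: 'DENIED'
       extra_data: 'ptrace'

**Phase 3: Completed filtering (rules).
       Rule id: '800001'
       Level: '0'
       Description: 'IGNORE RULE'
"""

# the run at the top of the thread: no status decoded, generic rule 1002 fires
SAMPLE_NO_STATUS = """**Phase 2: Completed decoding.
       decoder: 'iptables'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
"""


def parse_logtest(output):
    """Extract decoder, decoded fields, matched rule id/level and alert flag."""
    result = {"decoder": None, "fields": {}, "rule_id": None, "level": None,
              "description": None,
              "alert": "**Alert to be generated." in output}
    phase2 = phase3 = ""
    if "**Phase 2:" in output:
        phase2 = output.split("**Phase 2:", 1)[1]
    if "**Phase 3:" in phase2:
        phase2, phase3 = phase2.split("**Phase 3:", 1)
    for key, value in FIELD_RE.findall(phase2):   # decoded fields
        key = key.strip()
        if key == "decoder":
            result["decoder"] = value
        else:
            result["fields"][key] = value
    for key, value in FIELD_RE.findall(phase3):   # rule that matched
        key = key.strip().lower()
        if key == "rule id":
            result["rule_id"] = int(value)
        elif key == "level":
            result["level"] = int(value)
        elif key == "description":
            result["description"] = value
    return result


def check_suppression(parsed, expected_rule, required_fields):
    """Return a list of problems; an empty list means the custom rule works.

    required_fields maps decoded field name -> value the rule tests, e.g.
    {"status": "DENIED"} for a rule carrying <status>DENIED</status>.
    """
    problems = []
    if parsed["rule_id"] != expected_rule:
        problems.append("rule %s (level %s) fired instead of %d"
                        % (parsed["rule_id"], parsed["level"], expected_rule))
    for key, wanted in required_fields.items():
        got = parsed["fields"].get(key)
        if got is None:
            problems.append("decoder %r did not produce %r, so a <%s> "
                            "condition in the rule cannot match"
                            % (parsed["decoder"], key, key))
        elif got != wanted:
            problems.append("decoded %s=%r but the rule expects %r"
                            % (key, got, wanted))
    return problems


def run_logtest(log_line, binary="/var/ossec/bin/ossec-logtest"):
    """Feed one log line to ossec-logtest (assumed stdin in, stdout out)."""
    proc = subprocess.run([binary], input=log_line + "\n",
                          capture_output=True, text=True, check=False)
    return parse_logtest(proc.stdout)


if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER),
                         ("no_status", SAMPLE_NO_STATUS)):
        parsed = parse_logtest(sample)
        print(name, parsed["rule_id"], parsed["level"],
              check_suppression(parsed, 800001, {"status": "DENIED"}))
```

To use it against a live manager, call run_logtest() with the kernel line from the thread and pass the result to check_suppression(); a non-empty list tells you whether the wrong rule fired or whether a field the rule depends on was never decoded, which is the first thing to look at when a level-0 rule in local_rules.xml has no effect.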
