Yes, below is the rule and output for test -

RULE :

<rule id="800001" level="0">
  <status>DENIED</status>
  <if_sid>1002</if_sid>
  <match>profile="docker-default"</match>
  <description>IGNORE RULE</description>
</rule>

TEST :

root@ossec-cloud:/var/ossec/bin# ./ossec-logtest
2016/03/30 10:00:39 ossec-testrule: INFO: Reading local decoder file.
2016/03/30 10:00:39 ossec-testrule: INFO: Started (pid: 6909).
ossec-testrule: Type one log per line.

Mar 30 09:00:02 cm0-cloud kernel: [956066.205797] type=1400 audit(1459328402.269:67693): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=9526 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"

**Phase 1: Completed pre-decoding.
       full event: 'Mar 30 09:00:02 cm0-cloud kernel: [956066.205797] type=1400 audit(1459328402.269:67693): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=9526 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"'
       hostname: 'cm0-cloud'
       program_name: 'kernel'
       log: '[956066.205797] type=1400 audit(1459328402.269:67693): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=9526 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"'

**Phase 2: Completed decoding.
       decoder: 'iptables'

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

On Wed, Mar 30, 2016 at 12:00 PM, Pedro S <pe...@wazuh.com> wrote:
> Did you run ossec-logtest to verify that your log triggers the rule just
> created?
>
> Try to run it and paste the log, if the rule 800001 is not being fired
> something went wrong with the rule creation.
>
> On Wednesday, March 30, 2016 at 8:10:39 AM UTC+2, sandeep wrote:
>>
>> Hi Dan,
>>
>> Thanks for the detailed step and rule. I tried the same and still getting
>> alert.
>> On 29-Mar-2016 9:07 PM, "dan (ddp)" <ddp...@gmail.com> wrote:
>>
>>> On Tue, Mar 29, 2016 at 11:29 AM, sandeep dubey
>>> <sandeep...@gmail.com> wrote:
>>> > Hi,
>>> >
>>> > I am getting this alert from all the hosts -
>>> >
>>> > Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400 audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=21882 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"
>>> >
>>> > To disable these alerts I have written this -
>>> >
>>> > <rule id="1000500" level="7">
>>> >   <options>no_email_alert</options>
>>> >   <match>apparmor="DENIED" profile="docker-default"</match>
>>> >   <description>IGNORED RULE</description>
>>> > </rule>
>>> >
>>> > and restarted the ossec master service, still getting the same alert.
>>> > What am I missing here?
>>> >
>>>
>>> The first step is to run the log message through ossec-logtest:
>>>
>>> ossec-testrule: Type one log per line.
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400 audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=21882 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"'
>>>        hostname: 'cmcloud'
>>>        program_name: 'kernel'
>>>        log: '[885866.238608] type=1400 audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=21882 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'iptables'
>>>        status: 'DENIED'
>>>        extra_data: 'ptrace'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '52002'
>>>        Level: '3'
>>>        Description: 'Apparmor DENIED'
>>> **Alert to be generated.
>>>
>>> So the log message is currently triggering rule 52002. We'll use this
>>> in our rule.
>>> The status is DENIED, which can also be useful.
>>> So we'll write a basic rule that tries to match on these:
>>>
>>> <rule id="800001" level="0">
>>>   <status>DENIED</status>
>>>   <match>profile="docker-default"</match>
>>>   <description>IGNORE RULE</description>
>>> </rule>
>>>
>>> I add this to /var/ossec/rules/local_rules.xml. I set the level to 0
>>> because I don't care about it.
>>> Then I rerun ossec-logtest:
>>>
>>> ossec-testrule: Type one log per line.
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400 audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=21882 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"'
>>>        hostname: 'cmcloud'
>>>        program_name: 'kernel'
>>>        log: '[885866.238608] type=1400 audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=21882 comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'iptables'
>>>        status: 'DENIED'
>>>        extra_data: 'ptrace'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '800001'
>>>        Level: '0'
>>>        Description: 'IGNORE RULE'
>>>
>>> With the custom rule in place the log message is adequately ignored.
>>>
>>> > --
>>> > Regards,
>>> > Sandeep
--
Regards,
Sandeep

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
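Added example, not from this thread or from OSSEC itself: a small Python model of why rule 1000500 never fires while rule 800001 does. OSSEC's `<match>` is a plain sregex substring test, so the literal `apparmor="DENIED" profile="docker-default"` cannot match a line where `operation="ptrace"` sits between those two fields, whereas checking the decoded status field plus the shorter substring `profile="docker-default"` does. The `decode` and `sregex_match` helpers are simplified stand-ins for the OSSEC decoder and sregex engine, and the second sample event (cupsd profile) is constructed.

```python
import re

# Constructed sample events, based on the kernel/AppArmor line quoted in the thread.
DOCKER_DENIED = ('Mar 30 09:00:02 cm0-cloud kernel: [956066.205797] type=1400 '
                 'audit(1459328402.269:67693): apparmor="DENIED" operation="ptrace" '
                 'profile="docker-default" pid=9526 comm="ps" requested_mask="trace" '
                 'denied_mask="trace" peer="unconfined"')
# Same event for a different (hypothetical) profile: this one must keep alerting.
OTHER_DENIED = DOCKER_DENIED.replace('profile="docker-default"', 'profile="/usr/sbin/cupsd"')

def decode(event):
    """Pull key="value" pairs out of the audit message, roughly as the OSSEC decoder
    exposes status (from apparmor=) and extra_data (from operation=)."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', event))
    return {"status": fields.get("apparmor"), "extra_data": fields.get("operation")}

def sregex_match(pattern, text):
    """Simplified stand-in for OSSEC sregex: literal text, '|' as OR, '^'/'$' as
    anchors. No wildcards, so the literal has to occur contiguously in the text."""
    for alt in pattern.split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        literal = alt.lstrip("^").rstrip("$")
        if at_start and at_end:
            hit = text == literal
        elif at_start:
            hit = text.startswith(literal)
        elif at_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False

def evaluate(rule, event):
    """Return the rule's level when every condition matches, else None.
    <status> compares the decoded field; <match> is a substring test over the log
    text (the whole event here; OSSEC tests the decoded log part, same content)."""
    decoded = decode(event)
    if "status" in rule and decoded["status"] != rule["status"]:
        return None
    if "match" in rule and not sregex_match(rule["match"], event):
        return None
    return rule["level"]

# The two rules from the thread, reduced to the conditions that matter here.
ORIGINAL_RULE = {"id": 1000500, "level": 7, "match": 'apparmor="DENIED" profile="docker-default"'}
WORKING_RULE = {"id": 800001, "level": 0, "status": "DENIED", "match": 'profile="docker-default"'}
```

A level of 0 from `evaluate` means the event is matched and silently dropped, while `None` means the rule did not apply and the event falls through to whatever other rule matches it.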