We use weave, which periodically causes a network interface to enter promiscuous mode to sniff network traffic. This is expected behavior, and as such, I'm looking to ignore it.

For reference, the iptables decoder is set at https://github.com/ossec/ossec-hids/blob/592d681ea07f9a8bf2bedb039ee9493e6fbe3c26/etc/decoder.xml#L1135

The log line I'm attempting to ignore looks like:
Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode

Now, this is inserted into my local_decoder.xml file (with an appropriate local rule):

<decoder name="iptables_noweave">
  <parent>iptables</parent>
  <!-- prematch only decides whether this child applies; the capture belongs in regex -->
  <prematch offset="after_parent">device veth\w+ entered promiscuous mode</prematch>
  <program_name>kernel</program_name>
  <!-- capture the interface name into extra_data (the original had an empty regex here) -->
  <regex offset="after_parent">device (veth\w+) entered promiscuous mode</regex>
  <order>extra_data</order>
</decoder>


I've tried a lot of different variations on the above, including getting rid of the parent and prematch offsets (while temporarily deleting the original / parent iptables rule in etc/ossec_decoders/kernel-iptables_apparmor_decoders.xml).


Each time I run the log through ./ossec-logtest, it matches the parent decoder, and as such an alert is fired.

**Phase 1: Completed pre-decoding.
       full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode'
       hostname: 'machine_name'
       program_name: 'kernel'
       log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'

**Phase 2: Completed decoding.
       decoder: 'iptables'

**Phase 3: Completed filtering (rules).
       Rule id: '5104'
       Level: '8'
       Description: 'Interface entered in promiscuous(sniffing) mode.'
**Alert to be generated.

Is there a way I can override the iptables decoder for this one specific 
log message? 

Any help is appreciated, thanks!
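As an added example (not from the original post or the OSSEC project), the rule-side way to silence this: a level-0 child of rule 5104 in local_rules.xml, which overrides the parent's alert only when the interface name starts with veth, so promiscuous mode on any other interface still fires 5104 at level 8. The rule id 100104 and the group name are placeholders in the local range.

```xml
<!-- Added example, not from the original post. Goes in rules/local_rules.xml.
     Rule id 100104 is a placeholder in the local (100000+) range. -->
<group name="local,syslog,">
  <!-- Child of built-in rule 5104 (the one firing in the logtest output).
       Level 0 means no alert. OS_Regex \w matches [A-Za-z0-9_], so only
       veth* interfaces are matched; eth0 etc. still raise 5104 at level 8. -->
  <rule id="100104" level="0">
    <if_sid>5104</if_sid>
    <regex>device veth\w+ entered promiscuous mode</regex>
    <description>Weave veth interface entered promiscuous mode (expected, ignored).</description>
  </rule>
</group>
```

Re-run the sample line through ./ossec-logtest afterwards; Phase 3 should now report rule 100104 at level 0 with no alert generated.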
