Hi Daniel, ossec-logtest always shows the name of the parent.
If you want to ignore that alert, just create a rule in local_rules.xml:

<group name="ignore,">
  <!-- Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode -->
  <rule id="100001" level="0">
    <if_sid>5104</if_sid>
    <description>Ignore rule 5104.</description>
  </rule>
</group>

Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode

**Phase 1: Completed pre-decoding.
       full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode'
       hostname: 'machine_name'
       program_name: 'kernel'
       log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'

**Phase 2: Completed decoding.
       decoder: 'kernel'

**Phase 3: Completed filtering (rules).
       Rule id: '100001'
       Level: '0'
       Description: 'Ignore rule 5104.'

(I changed the name of the decoder from iptables to kernel).

I hope it helps.

On Tuesday, January 17, 2017 at 8:58:28 PM UTC+1, Daniel B. wrote:
>
> We use weave which periodically causes a network interface to enter
> promiscuous mode to sniff network traffic. This is expected behavior, and
> as such, I'm looking to ignore it.
>
> For reference, the iptables decoder is set at
> https://github.com/ossec/ossec-hids/blob/592d681ea07f9a8bf2bedb039ee9493e6fbe3c26/etc/decoder.xml#L1135
>
> The log line I'm attempting to ignore looks like:
> Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode
>
> Now, this is inserted into my local_decoder.xml file (with an appropriate
> local rule):
>
> <decoder name="iptables_noweave">
>   <parent>iptables</parent>
>   <prematch offset="after_parent">device (veth\w+) entered promiscuous mode</prematch>
>   <program_name>kernel</program_name>
>   <regex offset="after_prematch"></regex>
>   <order>extra_data</order>
> </decoder>
>
> I've tried a lot of different variations on the above, including getting
> rid of the parent and prematch offsets (while temporarily deleting the
> original / parent iptables rule in
> etc/ossec_decoders/kernel-iptables_apparmor_decoders.xml).
>
> Each time I run the log through ./ossec-logtest, it matches to the parent
> decoder, and as such an alert is fired.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode'
>        hostname: 'machine_name'
>        program_name: 'kernel'
>        log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '5104'
>        Level: '8'
>        Description: 'Interface entered in promiscuous(sniffing) mode.'
> **Alert to be generated.
>
> Is there a way I can override the iptables decoder for this one specific
> log message?
>
> Any help is appreciated, thanks!

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
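A narrower form of the ignore rule, added here as an example and not part of the reply above or of OSSEC's shipped rule set: rather than silencing rule 5104 for every interface, it matches only interface names of the veth form that weave creates, so a physical NIC entering promiscuous mode still fires the original level-8 alert. The rule id 100002, the group name and the regex are assumptions; the regex uses OSSEC's own regex syntax, not PCRE.

```xml
<group name="local,syslog,">
  <!-- Constructed example: silence rule 5104 only for veth interfaces.
       Sample line it targets (from the thread):
       Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode -->
  <rule id="100002" level="0">
    <!-- Only evaluated for events that rule 5104 already matched -->
    <if_sid>5104</if_sid>
    <!-- OSSEC regex, tested against the log text; \w+ covers the hex suffix -->
    <regex>device veth\w+ entered promiscuous mode</regex>
    <description>Expected: veth interface entered promiscuous mode. Ignored.</description>
  </rule>
</group>
```

To check it, run two lines through ossec-logtest: the veth line above should end in Phase 3 at rule 100002, level 0, while the same message for an interface such as eth0 should still end at rule 5104, level 8.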