Hi Daniel,

ossec-logtest always shows the name of the parent.

If you want to ignore that alert, just create a rule in local_rules.xml:

<group name="ignore,">

  <!--
  Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode
  -->
  <rule id="100001" level="0">
    <if_sid>5104</if_sid>
    <description>Ignore rule 5104.</description>
  </rule>

</group>

Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode


**Phase 1: Completed pre-decoding.
       full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode'
       hostname: 'machine_name'
       program_name: 'kernel'
       log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'

**Phase 2: Completed decoding.
       decoder: 'kernel'

**Phase 3: Completed filtering (rules).
       Rule id: '100001'
       Level: '0'
       Description: 'Ignore rule 5104.'

(I changed the name of the decoder from iptables to kernel).

I hope it helps.

On Tuesday, January 17, 2017 at 8:58:28 PM UTC+1, Daniel B. wrote:
>
> We use weave which periodically causes a network interface to enter 
> promiscuous mode to sniff network traffic. This is expected behavior, and 
> as such, I'm looking to ignore it. 
>
> For reference, the iptables decoder is set at 
> https://github.com/ossec/ossec-hids/blob/592d681ea07f9a8bf2bedb039ee9493e6fbe3c26/etc/decoder.xml#L1135
>
> The log line I'm attempting to ignore looks like: 
> Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode
>
> Now, this is inserted into my local_decoder.xml file (with an appropriate 
> local rule):
>
>
> <decoder name="iptables_noweave">
>   <parent>iptables</parent>
>   <prematch offset="after_parent">device (veth\w+) entered promiscuous mode</prematch>
>   <program_name>kernel</program_name>
>   <regex offset="after_prematch"></regex>
>   <order>extra_data</order>
> </decoder>
>
>
> I've tried a lot of different variations on the above, including getting 
> rid of the parent and prematch offsets (while temporarily deleting the 
> original / parent iptables rule in 
> etc/ossec_decoders/kernel-iptables_apparmor_decoders.xml).
>
>
> Each time I run the log through ./ossec-logtest, it matches to the parent 
> decoder, and as such an alert is fired.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode'
>        hostname: 'machine_name'
>        program_name: 'kernel'
>        log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '5104'
>        Level: '8'
>        Description: 'Interface entered in promiscuous(sniffing) mode.'
> **Alert to be generated.
>
> Is there a way I can override the iptables decoder for this one specific 
> log message? 
>
> Any help is appreciated, thanks!
>
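The level 0 rule in the reply above silences every hit on rule 5104, including a physical NIC entering promiscuous mode, which is the very signal that rule exists to catch. The following is an added example, not code from the reply or from the OSSEC project, that overrides 5104 only for weave's veth interfaces and leaves the level 8 alert intact for any other interface name; the rule id 100002 is assumed, and it goes in local_rules.xml like the rule above.

```xml
<group name="ignore,">

  <!--
  Added example (not from the thread). Child of rule 5104: it only fires
  after 5104 has matched, and the regex restricts the override to veth
  devices, e.g.:
  Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode
  A line such as "device eth0 entered promiscuous mode" does not match the
  regex, so it still ends in rule 5104 at level 8.
  -->
  <rule id="100002" level="0">
    <if_sid>5104</if_sid>
    <regex>device veth\w+ entered promiscuous mode</regex>
    <description>Weave veth interface entered promiscuous mode (expected).</description>
  </rule>

</group>
```

Check it the same way as above with ossec-logtest: Phase 3 should report rule 100002 at level 0 for the veth line, and still rule 5104 at level 8 for a line naming any other interface.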
