I'm a dummy. I didn't realize there was a <regex> option. I was only using 
the <match> field. 

Thanks Jesus, you're a real life saver.

On Wednesday, January 18, 2017 at 12:35:42 PM UTC-5, Jesus Linares wrote:
>
> Hi Daniel,
>
> you are right, I forgot to add a regex to the rule. It could be something 
> like:
>
> <group name="ignore,">
>
>   <!--
>   Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba 
> entered promiscuous mode
>   -->
>   <rule id="100001" level="0">
>     <if_sid>5104</if_sid>
>     <regex>device veth\S+ entered promiscuous mode</regex>
>     <description>Ignore rule 5104 for weave.</description>
>   </rule>
>
> </group>
>
> Adapt the regex to the logs generated by weave. Also, you can use 
> *<match>*.
>
>
> Let me know if it works ;).
> Regards.
>
>
> On Wednesday, January 18, 2017 at 6:11:38 PM UTC+1, Daniel B. wrote:
>>
>> Jesus, thanks for the response. I'm aware of ossec-logtest always showing 
>> the name of the parent (which confused me until I RTFM). Using 
>> `ossec-logtest -v` I was able to verify that the decoder was not being hit 
>> as the rule for that was not being caught. 
>>
>> I did consider inserting an entry into local_rules.xml, but that would 
>> ignore *all* alerts with sid 5104 (and not just the ones raised by 
>> weave). I suppose it's better than digging through 10 pages of false 
>> positives, but I'd like to be able to filter out entries using a regex like 
>> "\w+ device veth\w+ entered promiscuous mode$" -- but the rules files can't 
>> use the OS_Regex syntax (can only use OS_Match, which is much simpler). 
>>
>> Any options other than filtering out all entries with rule ID 5104?
>>
>> I *feel* like I should be able to override the iptables decoder... but 
>> maybe that's me being optimistic. 
>>
>> On Wednesday, January 18, 2017 at 5:00:47 AM UTC-5, Jesus Linares wrote:
>>>
>>> Hi Daniel,
>>>
>>> ossec-logtest always shows the name of the parent.
>>>
>>> If you want to ignore that alert, just create a rule in local_rules.xml:
>>>
>>> <group name="ignore,">
>>>
>>>
>>>   <!--
>>>   Jan 16 20:46:57 machine_name kernel: [347956.184868] device 
>>> veth9c8da7ba entered promiscuous mode
>>>   -->
>>>   <rule id="100001" level="0">
>>>     <if_sid>5104</if_sid>
>>>     <description>Ignore rule 5104.</description>
>>>   </rule>
>>>
>>>
>>> </group>
>>>
>>> Jan 16 20:46:57 machine_name kernel: [347956.184868] device 
>>> veth9c8da7ba entered promiscuous mode
>>>
>>>
>>>
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'Jan 16 20:46:57 machine_name kernel: 
>>> [347956.184868] device veth9c8da7ba entered promiscuous mode'
>>>        hostname: 'machine_name'
>>>        program_name: 'kernel'
>>>        log: '[347956.184868] device veth9c8da7ba entered promiscuous 
>>> mode'
>>>
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'kernel'
>>>
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '100001'
>>>        Level: '0'
>>>        Description: 'Ignore rule 5104.'
>>>
>>> (I changed the name of the decoder from iptables to kernel).
>>>
>>> I hope it helps.
>>>
>>> On Tuesday, January 17, 2017 at 8:58:28 PM UTC+1, Daniel B. wrote:
>>>>
>>>> We use weave which periodically causes a network interface to enter 
>>>> promiscuous mode to sniff network traffic. This is expected behavior, and 
>>>> as such, I'm looking to ignore it. 
>>>>
>>>> For reference, the iptables decoder is set at 
>>>> https://github.com/ossec/ossec-hids/blob/592d681ea07f9a8bf2bedb039ee9493e6fbe3c26/etc/decoder.xml#L1135
>>>>
>>>> The log line I'm attempting to ignore looks like: 
>>>> Jan 16 20:46:57 machine_name kernel: [347956.184868] device 
>>>> veth9c8da7ba entered promiscuous mode
>>>>
>>>> Now, this is inserted into my local_decoder.xml file (with an 
>>>> appropriate local rule):
>>>>
>>>>
>>>> <decoder name="iptables_noweave">
>>>>   <parent>iptables</parent>
>>>>   <prematch offset="after_parent">device (veth\w+) entered promiscuous mode</prematch>
>>>>   <program_name>kernel</program_name>
>>>>   <regex offset="after_prematch"></regex>
>>>>   <order>extra_data</order>
>>>> </decoder>
>>>>
>>>>
>>>> I've tried a lot of different variations on the above, including 
>>>> getting rid of the parent and prematch offsets (while temporarily deleting 
>>>> the original / parent iptables rule in 
>>>> etc/ossec_decoders/kernel-iptables_apparmor_decoders.xml
>>>>
>>>>
>>>> Each time I run the log through ./ossec-logtest, it matches to the 
>>>> parent decoder, and as such an alert is fired.
>>>>
>>>> **Phase 1: Completed pre-decoding.
>>>>        full event: 'Jan 16 20:46:57 machine_name kernel: 
>>>> [347956.184868] device veth9c8da7ba entered promiscuous mode'
>>>>        hostname: 'machine_name'
>>>>        program_name: 'kernel'
>>>>        log: '[347956.184868] device veth9c8da7ba entered promiscuous 
>>>> mode'
>>>>
>>>> **Phase 2: Completed decoding.
>>>>        decoder: 'iptables'
>>>>
>>>> **Phase 3: Completed filtering (rules).
>>>>        Rule id: '5104'
>>>>        Level: '8'
>>>>        Description: 'Interface entered in promiscuous(sniffing) mode.'
>>>> **Alert to be generated.
>>>>  
>>>>
>>>> Is there a way I can override the iptables decoder for this one 
>>>> specific log message? 
>>>>
>>>> Any help is appreciated, thanks!
>>>>
>>>
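As an added example that is not part of the thread: a small Python model of how the final rule in this exchange behaves, with rule 5104 firing on "promiscuous mode" and the level-0 child rule 100001 chained onto it via if_sid and scoped by the regex, so only weave's veth interfaces are silenced while a physical interface entering promiscuous mode still alerts. The syslog parsing and rule semantics are simplified, OS_Regex is approximated with Python's re, and the sample log lines are constructed.

```python
"""Simplified model of OSSEC rule chaining (if_sid + regex) for the
promiscuous-mode case discussed in the thread. Not OSSEC's own code."""
import re

# Constructed sample syslog lines: weave veth, a real NIC, and an unrelated event.
SAMPLE_LOGS = [
    "Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode",
    "Jan 16 20:47:03 machine_name kernel: [347962.001234] device eth0 entered promiscuous mode",
    "Jan 16 20:47:10 machine_name sshd[1234]: Accepted publickey for root from 10.0.0.5 port 22 ssh2",
]

# Rules modelled on the thread: 5104 is the stock alert, 100001 the local ignore rule.
RULES = [
    {"id": 5104, "level": 8, "program_name": "kernel", "match": "promiscuous mode",
     "description": "Interface entered in promiscuous(sniffing) mode."},
    {"id": 100001, "level": 0, "if_sid": 5104,
     "regex": r"device veth\S+ entered promiscuous mode",
     "description": "Ignore rule 5104 for weave."},
]

# Phase 1 pre-decoding: timestamp, hostname, program_name[pid]: log
SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")


def predecode(line):
    """Split a syslog line into hostname, program_name and log body."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    hostname, program, log = m.groups()
    return {"hostname": hostname, "program_name": program, "log": log}


def evaluate(line):
    """Top-level rules fire on <match>; children with <if_sid> pointing at the
    fired rule are then tried, and a matching child's level replaces the parent's."""
    event = predecode(line)
    if event is None:
        return None
    fired = None
    for rule in RULES:
        if "if_sid" in rule:
            continue  # children are only evaluated under their parent
        if rule.get("program_name") not in (None, event["program_name"]):
            continue
        if rule["match"] in event["log"]:
            fired = rule
            break
    if fired is None:
        return None
    for child in RULES:
        if child.get("if_sid") == fired["id"] and re.search(child["regex"], event["log"]):
            fired = child  # level 0 here means "no alert"
    return {"id": fired["id"], "level": fired["level"], "alert": fired["level"] > 0}
```

Dropping the regex from rule 100001 (as in the first suggested rule) would make the eth0 line return level 0 too, which is the blanket-ignore Daniel wanted to avoid.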
