On Tue, Jan 17, 2017 at 2:53 PM, Daniel B. <daniel.bald...@pokitdok.com> wrote:
> We use weave which periodically causes a network interface to enter
> promiscuous mode to sniff network traffic. This is expected behavior, and as
> such, I'm looking to ignore it.
>
> For reference, the iptables decoder is set at
> https://github.com/ossec/ossec-hids/blob/592d681ea07f9a8bf2bedb039ee9493e6fbe3c26/etc/decoder.xml#L1135
>
> The log line I'm attempting to ignore looks like:
> Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode
>
> Now, this is inserted into my local_decoder.xml file (with an appropriate
> local rule):
>
> <decoder name="iptables_noweave">
>   <parent>iptables</parent>
>   <prematch offset="after_parent">device (veth\w+) entered promiscuous mode</prematch>
>   <program_name>kernel</program_name>
>   <regex offset="after_prematch"></regex>
>   <order>extra_data</order>
> </decoder>

I know this is solved, but here's a decoder to do what the above is attempting to do (I'm not sure about regex in the prematch field):

<decoder name="promisc">
  <parent>iptables</parent>
  <prematch>promiscuous mode$</prematch>
  <regex>device (\S+) entered</regex>
  <order>extra_data</order>
</decoder>

> I've tried a lot of different variations on the above, including getting rid
> of the parent and prematch offsets (while temporarily deleting the original
> / parent iptables rule in
> etc/ossec_decoders/kernel-iptables_apparmor_decoders.xml).
>
> Each time I run the log through ./ossec-logtest, it matches to the parent
> decoder, and as such an alert is fired.
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode'
>        hostname: 'machine_name'
>        program_name: 'kernel'
>        log: '[347956.184868] device veth9c8da7ba entered promiscuous mode'
>
> **Phase 2: Completed decoding.
>        decoder: 'iptables'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '5104'
>        Level: '8'
>        Description: 'Interface entered in promiscuous(sniffing) mode.'
> **Alert to be generated.
>
> Is there a way I can override the iptables decoder for this one specific log
> message?
>
> Any help is appreciated, thanks!
>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
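Added example, not part of the thread and not OSSEC's own code: a small Python emulation of the decode-then-rule path that ossec-logtest walks above, so the effect of the child decoder from the reply can be checked offline together with the "appropriate local rule" the original post mentions but does not show. The decoder's prematch, regex and order are taken verbatim from the reply; everything else is assumed for illustration: the parent iptables decoder is modelled as "program_name is kernel", stock rule 5104 is reduced to a single match on the log text, the suppression rule id 100100 and its `<extra_data>^veth</extra_data>` condition are constructed, and only the subset of OSSEC's regex dialect used here (`\S`, `\w`, `\d`, `\s`, `^`, `$`) is translated to Python. The sample log lines are constructed; the first is the event from the thread, the others show that a non-veth interface still alerts and that "left promiscuous mode" never reaches the extra_data extraction.

```python
"""Emulate OSSEC pre-decode -> child decoder -> rule chain for the
'entered promiscuous mode' kernel message (simplified model, not OSSEC code)."""
import re

# Constructed sample events. [0] is the line from the thread; [1] and [2] are made up.
SAMPLE_LOGS = [
    "Jan 16 20:46:57 machine_name kernel: [347956.184868] device veth9c8da7ba entered promiscuous mode",
    "Jan 16 20:47:03 machine_name kernel: [347962.000000] device eth0 entered promiscuous mode",
    "Jan 16 20:47:10 machine_name kernel: [347969.000000] device veth9c8da7ba left promiscuous mode",
]

# Minimal syslog header split: "Mon DD HH:MM:SS host program[: ]..." -> hostname, program_name, log.
_SYSLOG = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) (\S+?)(?:\[\d+\])?: (.*)$")


def pre_decode(line):
    """Phase 1: return hostname/program_name/log, or None for non-syslog input."""
    m = _SYSLOG.match(line)
    if not m:
        return None
    return {"hostname": m.group(1), "program_name": m.group(2), "log": m.group(3)}


def ossec_regex(pattern):
    """Translate the subset of OSSEC's regex dialect used here into Python re.
    Assumption: only \\S, \\w, \\d, \\s, ^, $, ( ), + and * appear in the patterns."""
    table = {r"\S": r"[^ ]", r"\w": r"[A-Za-z0-9_]", r"\d": r"[0-9]", r"\s": r" "}
    for ossec_token, py_token in table.items():
        pattern = pattern.replace(ossec_token, py_token)
    return re.compile(pattern)


# The child decoder posted in the reply, field for field.
PROMISC_DECODER = {
    "name": "promisc",
    "parent": "iptables",
    "prematch": ossec_regex(r"promiscuous mode$"),
    "regex": ossec_regex(r"device (\S+) entered"),
    "order": ["extra_data"],
}


def decode(event):
    """Phase 2: parent match (assumed: program_name == kernel), then the child decoder.
    On a child match the decoder name changes and <order> fields are filled from the groups."""
    if event is None or event["program_name"] != "kernel":
        return None
    event = dict(event, decoder="iptables")
    if PROMISC_DECODER["prematch"].search(event["log"]):
        m = PROMISC_DECODER["regex"].search(event["log"])
        if m:
            event["decoder"] = PROMISC_DECODER["name"]
            for field, value in zip(PROMISC_DECODER["order"], m.groups()):
                event[field] = value
    return event


RULES = [
    # Stock rule 5104 as reported by ossec-logtest in the thread, reduced to one match (simplification).
    {"id": "5104", "level": 8, "if_sid": None, "match": ossec_regex("entered promiscuous mode"),
     "extra_data": None, "description": "Interface entered in promiscuous(sniffing) mode."},
    # Constructed local rule: child of 5104, level 0 silences only weave's veth* interfaces.
    {"id": "100100", "level": 0, "if_sid": "5104", "match": None,
     "extra_data": ossec_regex("^veth"), "description": "Ignore weave veth interfaces in promiscuous mode."},
]


def apply_rules(event):
    """Phase 3: walk the rules in order; a child (if_sid) only runs after its parent matched."""
    if event is None:
        return None
    matched = None
    for rule in RULES:
        if rule["if_sid"] is not None and (matched is None or matched["id"] != rule["if_sid"]):
            continue
        if rule["match"] and not rule["match"].search(event["log"]):
            continue
        if rule["extra_data"] and not rule["extra_data"].search(event.get("extra_data", "")):
            continue
        matched = rule
    return (matched["id"], matched["level"]) if matched else None


def evaluate(line):
    """Run all three phases and report what ossec-logtest would print for this line."""
    event = decode(pre_decode(line))
    verdict = apply_rules(event)
    return {
        "decoder": event["decoder"] if event else None,
        "extra_data": event.get("extra_data") if event else None,
        "rule": verdict[0] if verdict else None,
        "level": verdict[1] if verdict else None,
    }


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(evaluate(sample))
```

Running it shows the thread's line decoded as `promisc` with extra_data `veth9c8da7ba` and ending at the level 0 child rule, while the constructed eth0 line still stops at 5104 at level 8, which is the behaviour a defender wants: weave's virtual interfaces are silenced, a physical interface going promiscuous still alerts. Whether a suppression keyed on `^veth` is narrow enough for your hosts is a judgement call; anything else that creates veth devices would be silenced too.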