Hi, check this out: https://groups.google.com/forum/#!topic/ossec-list/USAF6jF8yk8
Regards.

On Wednesday, April 5, 2017 at 10:45:52 PM UTC+2, Rob Williams wrote:
> I stopped them all (which appeared to work fine) and started again. Here is
> the rule and decoder I made for this (I want to alert only once if the same
> ID (filepath) has alerted in the past minute):
>
> <rule id="80100" level="7" frequency="2" timeframe="60" ignore="120">
>   <if_matched_sid>510</if_matched_sid>
>   <same_id />
>   <description>This is meant to reduce noise as these events happen in
>   batches with not much difference in meaning.</description>
> </rule>
>
> DECODER:
>
> <decoder name="sample_decoder_setup">
>   <prematch>^(\.+) (\p/filepath\.+) </prematch>
>   <regex>(/filepath/\.+/mnt/\.+/)</regex>
>   <order>id</order>
> </decoder>
>
> Logtest returns the id I am looking for to match and that part works fine.
> It only gets to the first 2 steps though, and does not match it with a rule
> in logtest.
>
> On Wednesday, April 5, 2017 at 12:48:21 PM UTC-7, dan (ddpbsd) wrote:
>> On Wed, Apr 5, 2017 at 3:44 PM, Rob Williams <[email protected]> wrote:
>> > Yes I have, I've also tried to disable all the relevant changes I've made,
>> > restart, and still have the same issue.
>>
>> Try stopping the ossec processes, verify that ossec-analysisd has
>> stopped (sometimes it doesn't and causes issues), and start it back up.
>> Can you also post the changes you made?
>>
>> > On Wednesday, April 5, 2017 at 12:39:42 PM UTC-7, dan (ddpbsd) wrote:
>> >> On Wed, Apr 5, 2017 at 3:26 PM, Rob Williams <[email protected]> wrote:
>> >> > Hi all,
>> >> >
>> >> > I'm running into an issue where rule 510 is triggering and I'm getting
>> >> > spammed with alerts but I can't seem to tune it correctly. What's weird
>> >> > is that I am still getting alerted for rule 510 for this log, but I
>> >> > can't figure out how to get that to show in logtest. Basically, I am
>> >> > getting spammed with rule 510 and trying to filter it down more, and
>> >> > here is what happens when I enter the log in logtest: .... any ideas
>> >> > on how to fix this?
>> >> >
>> >> > **Phase 1: Completed pre-decoding.
>> >> >        full event: 'File '/filepath/' is owned by root and has written permissions to anyone.'
>> >> >        hostname: 'hostname'
>> >> >        program_name: '(null)'
>> >> >        log: 'File '/filepath/' is owned by root and has written permissions to anyone.'
>> >> >
>> >> > **Phase 2: Completed decoding.
>> >> >        decoder: 'sample_decoder_setup'
>> >> >        id: '/filepath/'
>> >>
>> >> Did you restart the OSSEC processes on the server after making your
>> >> modifications?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
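The collapsing behaviour Rob's rule 80100 is after (raise one composite alert when rule 510 fires twice for the same id inside 60 seconds, then stay quiet for that id for 120 seconds) is easier to reason about when you can replay events through it. The Python below is an added example, not part of the thread and not OSSEC's analysisd: it reads the posted <rule> attributes with a standard XML parser and feeds a constructed event stream through a small frequency/timeframe/ignore/same_id correlator. The event timestamps, ids, the sid values and all function and class names are assumptions made for the illustration. One caveat when comparing against a live server: this model fires on the frequency-th match, whereas the OSSEC rule-syntax documentation notes that the real engine triggers two matches later than the frequency value, so confirm tuning with ossec-logtest rather than with this script.

```python
"""Replay events through a model of an OSSEC-style composite rule.

Added example (not OSSEC code): parses the <rule> attributes as posted
in the thread and simulates frequency / timeframe / ignore / same_id.
Event data, sid values and helper names are assumptions for illustration.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# The rule as posted in the thread (constructed input for the parser).
RULE_XML = """
<rule id="80100" level="7" frequency="2" timeframe="60" ignore="120">
  <if_matched_sid>510</if_matched_sid>
  <same_id />
  <description>Collapse repeated rule 510 hits for the same id.</description>
</rule>
"""


def parse_rule(xml_text):
    """Pull the correlation attributes and child options out of a <rule>."""
    r = ET.fromstring(xml_text)
    return {
        "id": int(r.get("id")),
        "level": int(r.get("level")),
        "frequency": int(r.get("frequency")),
        "timeframe": int(r.get("timeframe")),
        "ignore": int(r.get("ignore", "0")),
        "if_matched_sid": int(r.findtext("if_matched_sid")),
        # An empty element is falsy, so compare against None explicitly.
        "same_id": r.find("same_id") is not None,
    }


class Correlator:
    """Count matches per key in a sliding window; suppress after firing."""

    def __init__(self, rule):
        self.rule = rule
        self.hits = defaultdict(deque)   # key -> timestamps of counted matches
        self.ignore_until = {}           # key -> time until which key is muted

    def _key(self, event):
        # <same_id /> means matches are counted per decoded id, not globally.
        return event["id"] if self.rule["same_id"] else "*"

    def feed(self, event):
        """Return the composite alert for this event, or None."""
        if event["sid"] != self.rule["if_matched_sid"]:
            return None                  # only rule-510 hits are counted
        key, t = self._key(event), event["ts"]
        if t < self.ignore_until.get(key, -1):
            return None                  # inside the ignore window for this id
        window = self.hits[key]
        window.append(t)
        while window and t - window[0] > self.rule["timeframe"]:
            window.popleft()             # drop hits older than the timeframe
        if len(window) >= self.rule["frequency"]:
            window.clear()
            self.ignore_until[key] = t + self.rule["ignore"]
            return {"rule": self.rule["id"], "level": self.rule["level"],
                    "id": key, "ts": t}
        return None


def replay(events, rule_xml=RULE_XML):
    """Run a list of decoded events through the rule; return alerts raised."""
    c = Correlator(parse_rule(rule_xml))
    return [a for a in (c.feed(e) for e in events) if a]


# Constructed stream: rule 510 firing in bursts for two file paths.
EVENTS = [
    {"ts": 0,   "sid": 510, "id": "/filepath/a"},
    {"ts": 5,   "sid": 510, "id": "/filepath/a"},   # 2nd hit in 60 s: alert
    {"ts": 10,  "sid": 510, "id": "/filepath/a"},   # muted (120 s ignore)
    {"ts": 15,  "sid": 510, "id": "/filepath/b"},   # other id, own counter
    {"ts": 100, "sid": 510, "id": "/filepath/a"},   # still muted
    {"ts": 130, "sid": 510, "id": "/filepath/a"},   # ignore over, count restarts
    {"ts": 131, "sid": 510, "id": "/filepath/a"},   # fires again
    {"ts": 131, "sid": 502, "id": "/filepath/a"},   # wrong sid, never counted
]

if __name__ == "__main__":
    for alert in replay(EVENTS):
        print(alert)
```

Swapping the `<same_id />` element out of RULE_XML shows the difference Rob wanted: without it the hits for /filepath/a and /filepath/b share one counter and the second alert for a different path is collapsed into the first.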
