Re: [ossec-list] How to ignore log ?

2016-03-30 Thread dan (ddp)
On Wed, Mar 30, 2016 at 6:00 AM, sandeep dubey  wrote:
> Yes, below is the rule and output for test -
>
> RULE :
> 
>   DENIED
>   1002
>   profile="docker-default"
>   IGNORE RULE
> 
>
> TEST :
> root@ossec-cloud:/var/ossec/bin# ./ossec-logtest
> 2016/03/30 10:00:39 ossec-testrule: INFO: Reading local decoder file.
> 2016/03/30 10:00:39 ossec-testrule: INFO: Started (pid: 6909).
> ossec-testrule: Type one log per line.
>
> Mar 30 09:00:02 cm0-cloud kernel: [956066.205797] type=1400
> audit(1459328402.269:67693): apparmor="DENIED" operation="ptrace"
> profile="docker-default" pid=9526 comm="ps" requested_mask="trace"
> denied_mask="trace" peer="unconfined"
>
> **Phase 1: Completed pre-decoding.
>full event: 'Mar 30 09:00:02 cm0-cloud kernel: [956066.205797]
> type=1400 audit(1459328402.269:67693): apparmor="DENIED" operation="ptrace"
> profile="docker-default" pid=9526 comm="ps" requested_mask="trace"
> denied_mask="trace" peer="unconfined"'
>hostname: 'cm0-cloud'
>program_name: 'kernel'
>log: '[956066.205797] type=1400 audit(1459328402.269:67693):
> apparmor="DENIED" operation="ptrace" profile="docker-default" pid=9526
> comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"'
>
> **Phase 2: Completed decoding.
>decoder: 'iptables'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '1002'
>Level: '2'
>Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>

It looks like you didn't update the rule I posted. Here's my original
output from ossec-logtest:
**Phase 1: Completed pre-decoding.
   full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
type=1400 audit(1459258202.301:67688): apparmor="DENIED"
operation="ptrace" profile="docker-default" pid=21882 comm="ps"
requested_mask="trace" denied_mask="trace" peer="unconfined"'
   hostname: 'cmcloud'
   program_name: 'kernel'
   log: '[885866.238608] type=1400 audit(1459258202.301:67688):
apparmor="DENIED" operation="ptrace" profile="docker-default"
pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
peer="unconfined"'

**Phase 2: Completed decoding.
   decoder: 'iptables'
   status: 'DENIED'
   extra_data: 'ptrace'

**Phase 3: Completed filtering (rules).
   Rule id: '52002'
   Level: '3'
   Description: 'Apparmor DENIED'
**Alert to be generated.

Notice how Phase 2 and Phase 3 are different from what you got? You
have to modify the rule I posted to fit your environment.
I noticed your original rule also had:
apparmor="DENIED"  profile="docker-default"
which shows up exactly zero times in the log message (the log has
'operation="ptrace"' in between). So it's entirely possible that fixing
that paste-o could solve the issue.

I'm going to use 2 rules to take care of this because the parts of the
log message you want to match on have stuff you don't care about in
between.
Maybe something like (untested in your environment):

  1002

iptables
  apparmor="DENIED"
  IGNORE RULE


  82
  profile="docker-default"
  still ignoring


You'll again have to test these, and if they don't work try to see if
you can figure out why.

>
> On Wed, Mar 30, 2016 at 12:00 PM, Pedro S  wrote:
>>
>> Did you run ossec-logtest to verify that your log triggers the rule just
>> created?
>>
>> Try to run it and paste the log; if rule 81 is not being fired,
>> something went wrong with the rule creation.
>>
>> On Wednesday, March 30, 2016 at 8:10:39 AM UTC+2, sandeep wrote:
>>>
>>> Hi Dan,
>>>
>>> Thanks for the detailed steps and rule. I tried the same and am still getting
>>> the alert.
>>>
>>> On 29-Mar-2016 9:07 PM, "dan (ddp)"  wrote:

 On Tue, Mar 29, 2016 at 11:29 AM, sandeep dubey
  wrote:
 > Hi,
 >
 > I am getting this alert from all the hosts -
 >
 > Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400
 > audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace"
 > profile="docker-default" pid=21882 comm="ps" requested_mask="trace"
 > denied_mask="trace" peer="unconfined"
 >
 > to disable these alerts I have written this -
 > 
 > no_email_alert
 > apparmor="DENIED"  profile="docker-default"
 > IGNORED RULE
 > 
 >
 > and restarted the ossec master service, still getting the same alert.
 > What am I missing here?
 >

 The first step is to run the log message through ossec-logtest:
 ossec-testrule: Type one log per line.
 **Phase 1: Completed pre-decoding.
full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
 type=1400 audit(1459258202.301:67688): apparmor="DENIED"
 operation="ptrace" profile="docker-default" pid=21882 comm="ps"
 requested_mask="trace" denied_mask="trace" peer="unconfined"'
hostname: 'cmcloud'
program_name: 'kernel'
log: '[885866.238608] type=1400 audit(1459258202.301:67688):
 apparmor="DENIED" operation="ptrace" prof
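
The two points Dan makes in his replies above (a literal match string fails when other fields sit between its parts, and a rule keyed on a decoder field fails when that decoder does not extract the field) worked through in a toy evaluator over OSSEC-style rule XML. This is an added example, not OSSEC's own code; rule ids 82, 83 and 90 and the simplified rule 1002 are assumptions, since the archive dropped the rule tags.

```python
"""Toy model of the OSSEC rule checks discussed in this thread (added example,
not OSSEC code). <match> is a plain substring test, <status>/<decoded_as> are
compared against decoder output, and an <if_sid> child is tried only after its
parent fired. That is enough to reproduce both ossec-logtest runs above."""
import xml.etree.ElementTree as ET

# The decoded 'log:' part of the AppArmor line from the thread.
LOG = ('[956066.205797] type=1400 audit(1459328402.269:67693): '
       'apparmor="DENIED" operation="ptrace" profile="docker-default" '
       'pid=9526 comm="ps" requested_mask="trace" denied_mask="trace" '
       'peer="unconfined"')

# Phase 2 as each poster saw it: Sandeep's decoder extracted no status field.
SANDEEP_EVENT = {"decoder": "iptables", "log": LOG}
DAN_EVENT = {"decoder": "iptables", "status": "DENIED", "log": LOG}

# Constructed rules. 1002 stands in for OSSEC's generic rule (real pattern
# simplified); ids 82, 83 and 90 are assumptions, the archive dropped the tags.
RULES_XML = """<group name="local">
  <rule id="1002" level="2"><match>DENIED</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="90" level="0"><if_sid>1002</if_sid>
    <match>apparmor="DENIED"  profile="docker-default"</match>
    <description>paste-o: never matches, operation="ptrace" sits between</description>
  </rule>
  <rule id="81" level="0"><if_sid>1002</if_sid>
    <status>DENIED</status>
    <match>profile="docker-default"</match>
    <description>IGNORE RULE</description>
  </rule>
  <rule id="82" level="0"><if_sid>1002</if_sid>
    <decoded_as>iptables</decoded_as>
    <match>apparmor="DENIED"</match>
    <description>IGNORE RULE</description>
  </rule>
  <rule id="83" level="0"><if_sid>82</if_sid>
    <match>profile="docker-default"</match>
    <description>still ignoring</description>
  </rule>
</group>"""


def fired_rules(rules_xml, event):
    """Ids of every rule that fires for `event`, in file order."""
    fired = []
    for rule in ET.fromstring(rules_xml).iter("rule"):
        parent = rule.findtext("if_sid")
        if parent is not None and parent not in fired:
            continue  # child rules are only evaluated once the parent fired
        if rule.findtext("decoded_as") not in (None, event.get("decoder")):
            continue
        if rule.findtext("status") not in (None, event.get("status")):
            continue  # a field the decoder never extracted cannot equal DENIED
        match = rule.findtext("match")
        if match is not None and match not in event["log"]:
            continue  # literal substring: spacing and field order both matter
        fired.append(rule.get("id"))
    return fired


def final_alert(rules_xml, event):
    """(id, level, description) of the last rule to fire: what Phase 3 prints."""
    last = fired_rules(rules_xml, event)[-1]
    rule = ET.fromstring(rules_xml).find(f"rule[@id='{last}']")
    return last, int(rule.get("level")), rule.findtext("description")
```

With Sandeep's Phase 2 output rule 81 never fires because there is no status field to compare, while the 82/83 chain ends at level 0 in both environments.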

Re: [ossec-list] How to ignore log ?

2016-03-30 Thread sandeep dubey
Yes, below is the rule and output for test -

RULE :

  DENIED
  1002
  profile="docker-default"
  IGNORE RULE


TEST :
root@ossec-cloud:/var/ossec/bin# ./ossec-logtest
2016/03/30 10:00:39 ossec-testrule: INFO: Reading local decoder file.
2016/03/30 10:00:39 ossec-testrule: INFO: Started (pid: 6909).
ossec-testrule: Type one log per line.

Mar 30 09:00:02 cm0-cloud kernel: [956066.205797] type=1400
audit(1459328402.269:67693): apparmor="DENIED" operation="ptrace"
profile="docker-default" pid=9526 comm="ps" requested_mask="trace"
denied_mask="trace" peer="unconfined"

**Phase 1: Completed pre-decoding.
   full event: 'Mar 30 09:00:02 cm0-cloud kernel: [956066.205797]
type=1400 audit(1459328402.269:67693): apparmor="DENIED" operation="ptrace"
profile="docker-default" pid=9526 comm="ps" requested_mask="trace"
denied_mask="trace" peer="unconfined"'
   hostname: 'cm0-cloud'
   program_name: 'kernel'
   log: '[956066.205797] type=1400 audit(1459328402.269:67693):
apparmor="DENIED" operation="ptrace" profile="docker-default" pid=9526
comm="ps" requested_mask="trace" denied_mask="trace" peer="unconfined"'

**Phase 2: Completed decoding.
   decoder: 'iptables'

**Phase 3: Completed filtering (rules).
   Rule id: '1002'
   Level: '2'
   Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.


On Wed, Mar 30, 2016 at 12:00 PM, Pedro S  wrote:

> Did you run ossec-logtest to verify that your log triggers the rule just
> created?
>
> Try to run it and paste the log; if rule 81 is not being fired,
> something went wrong with the rule creation.
>
> On Wednesday, March 30, 2016 at 8:10:39 AM UTC+2, sandeep wrote:
>>
>> Hi Dan,
>>
>> Thanks for the detailed steps and rule. I tried the same and am still getting
>> the alert.
>> On 29-Mar-2016 9:07 PM, "dan (ddp)"  wrote:
>>
>>> On Tue, Mar 29, 2016 at 11:29 AM, sandeep dubey
>>>  wrote:
>>> > Hi,
>>> >
>>> > I am getting this alert from all the hosts -
>>> >
>>> > Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400
>>> > audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace"
>>> > profile="docker-default" pid=21882 comm="ps" requested_mask="trace"
>>> > denied_mask="trace" peer="unconfined"
>>> >
>>> > to disable these alerts I have written this -
>>> > 
>>> > no_email_alert
>>> > apparmor="DENIED"  profile="docker-default"
>>> > IGNORED RULE
>>> > 
>>> >
>>> > and restarted the ossec master service, still getting the same alert.
>>> > What am I missing here?
>>> >
>>>
>>> The first step is to run the log message through ossec-logtest:
>>> ossec-testrule: Type one log per line.
>>> **Phase 1: Completed pre-decoding.
>>>full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
>>> type=1400 audit(1459258202.301:67688): apparmor="DENIED"
>>> operation="ptrace" profile="docker-default" pid=21882 comm="ps"
>>> requested_mask="trace" denied_mask="trace" peer="unconfined"'
>>>hostname: 'cmcloud'
>>>program_name: 'kernel'
>>>log: '[885866.238608] type=1400 audit(1459258202.301:67688):
>>> apparmor="DENIED" operation="ptrace" profile="docker-default"
>>> pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
>>> peer="unconfined"'
>>>
>>> **Phase 2: Completed decoding.
>>>decoder: 'iptables'
>>>status: 'DENIED'
>>>extra_data: 'ptrace'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>Rule id: '52002'
>>>Level: '3'
>>>Description: 'Apparmor DENIED'
>>> **Alert to be generated.
>>>
>>>
>>> So the log message is currently triggering rule 52002. We'll use this
>>> in our rule.
>>> The status is DENIED, which can also be useful.
>>> So we'll write a basic rule that tries to match on these:
>>>
>>> 
>>>   DENIED
>>>   profile="docker-default"
>>>   IGNORE RULE
>>> 
>>>
>>> I add this to /var/ossec/rules/local_rules.xml. I set the level to 0
>>> because I don't care about it.
>>> Then I rerun ossec-logtest:
>>> ossec-testrule: Type one log per line.
>>> **Phase 1: Completed pre-decoding.
>>>full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
>>> type=1400 audit(1459258202.301:67688): apparmor="DENIED"
>>> operation="ptrace" profile="docker-default" pid=21882 comm="ps"
>>> requested_mask="trace" denied_mask="trace" peer="unconfined"'
>>>hostname: 'cmcloud'
>>>program_name: 'kernel'
>>>log: '[885866.238608] type=1400 audit(1459258202.301:67688):
>>> apparmor="DENIED" operation="ptrace" profile="docker-default"
>>> pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
>>> peer="unconfined"'
>>>
>>> **Phase 2: Completed decoding.
>>>decoder: 'iptables'
>>>status: 'DENIED'
>>>extra_data: 'ptrace'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>Rule id: '81'
>>>Level: '0'
>>>Description: 'IGNORE RULE'
>>>
>>> With the custom rule in place the log message is adequately ignored.
>>>
>>> > --
>>> > Regards,
>>> > Sandeep
>>> >
>>> > --

Re: [ossec-list] How to ignore log ?

2016-03-29 Thread Pedro S
Did you run ossec-logtest to verify that your log triggers the rule just 
created?

Try to run it and paste the log; if rule 81 is not being fired, 
something went wrong with the rule creation.

On Wednesday, March 30, 2016 at 8:10:39 AM UTC+2, sandeep wrote:
>
> Hi Dan,
>
> Thanks for the detailed steps and rule. I tried the same and am still getting 
> the alert.
> On 29-Mar-2016 9:07 PM, "dan (ddp)" wrote:
>
>> On Tue, Mar 29, 2016 at 11:29 AM, sandeep dubey
>> wrote:
>> > Hi,
>> >
>> > I am getting this alert from all the hosts -
>> >
>> > Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400
>> > audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace"
>> > profile="docker-default" pid=21882 comm="ps" requested_mask="trace"
>> > denied_mask="trace" peer="unconfined"
>> >
>> > to disable these alerts I have written this -
>> > 
>> > no_email_alert
>> > apparmor="DENIED"  profile="docker-default"
>> > IGNORED RULE
>> > 
>> >
>> > and restarted the ossec master service, still getting the same alert.
>> > What am I missing here?
>> >
>>
>> The first step is to run the log message through ossec-logtest:
>> ossec-testrule: Type one log per line.
>> **Phase 1: Completed pre-decoding.
>>full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
>> type=1400 audit(1459258202.301:67688): apparmor="DENIED"
>> operation="ptrace" profile="docker-default" pid=21882 comm="ps"
>> requested_mask="trace" denied_mask="trace" peer="unconfined"'
>>hostname: 'cmcloud'
>>program_name: 'kernel'
>>log: '[885866.238608] type=1400 audit(1459258202.301:67688):
>> apparmor="DENIED" operation="ptrace" profile="docker-default"
>> pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
>> peer="unconfined"'
>>
>> **Phase 2: Completed decoding.
>>decoder: 'iptables'
>>status: 'DENIED'
>>extra_data: 'ptrace'
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '52002'
>>Level: '3'
>>Description: 'Apparmor DENIED'
>> **Alert to be generated.
>>
>>
>> So the log message is currently triggering rule 52002. We'll use this
>> in our rule.
>> The status is DENIED, which can also be useful.
>> So we'll write a basic rule that tries to match on these:
>>
>> 
>>   DENIED
>>   profile="docker-default"
>>   IGNORE RULE
>> 
>>
>> I add this to /var/ossec/rules/local_rules.xml. I set the level to 0
>> because I don't care about it.
>> Then I rerun ossec-logtest:
>> ossec-testrule: Type one log per line.
>> **Phase 1: Completed pre-decoding.
>>full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
>> type=1400 audit(1459258202.301:67688): apparmor="DENIED"
>> operation="ptrace" profile="docker-default" pid=21882 comm="ps"
>> requested_mask="trace" denied_mask="trace" peer="unconfined"'
>>hostname: 'cmcloud'
>>program_name: 'kernel'
>>log: '[885866.238608] type=1400 audit(1459258202.301:67688):
>> apparmor="DENIED" operation="ptrace" profile="docker-default"
>> pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
>> peer="unconfined"'
>>
>> **Phase 2: Completed decoding.
>>decoder: 'iptables'
>>status: 'DENIED'
>>extra_data: 'ptrace'
>>
>> **Phase 3: Completed filtering (rules).
>>Rule id: '81'
>>Level: '0'
>>Description: 'IGNORE RULE'
>>
>> With the custom rule in place the log message is adequately ignored.
>>
>> > --
>> > Regards,
>> > Sandeep
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to ossec-list+...@googlegroups.com .
>> > For more options, visit https://groups.google.com/d/optout.
>>
>


Re: [ossec-list] How to ignore log ?

2016-03-29 Thread sandeep dubey
Hi Dan,

Thanks for the detailed steps and rule. I tried the same and am still getting
the alert.
On 29-Mar-2016 9:07 PM, "dan (ddp)"  wrote:

> On Tue, Mar 29, 2016 at 11:29 AM, sandeep dubey
>  wrote:
> > Hi,
> >
> > I am getting this alert from all the hosts -
> >
> > Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400
> > audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace"
> > profile="docker-default" pid=21882 comm="ps" requested_mask="trace"
> > denied_mask="trace" peer="unconfined"
> >
> > to disable these alerts I have written this -
> > 
> > no_email_alert
> > apparmor="DENIED"  profile="docker-default"
> > IGNORED RULE
> > 
> >
> > and restarted the ossec master service, still getting the same alert.
> > What am I missing here?
> >
>
> The first step is to run the log message through ossec-logtest:
> ossec-testrule: Type one log per line.
> **Phase 1: Completed pre-decoding.
>full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
> type=1400 audit(1459258202.301:67688): apparmor="DENIED"
> operation="ptrace" profile="docker-default" pid=21882 comm="ps"
> requested_mask="trace" denied_mask="trace" peer="unconfined"'
>hostname: 'cmcloud'
>program_name: 'kernel'
>log: '[885866.238608] type=1400 audit(1459258202.301:67688):
> apparmor="DENIED" operation="ptrace" profile="docker-default"
> pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
> peer="unconfined"'
>
> **Phase 2: Completed decoding.
>decoder: 'iptables'
>status: 'DENIED'
>extra_data: 'ptrace'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '52002'
>Level: '3'
>Description: 'Apparmor DENIED'
> **Alert to be generated.
>
>
> So the log message is currently triggering rule 52002. We'll use this
> in our rule.
> The status is DENIED, which can also be useful.
> So we'll write a basic rule that tries to match on these:
>
> 
>   DENIED
>   profile="docker-default"
>   IGNORE RULE
> 
>
> I add this to /var/ossec/rules/local_rules.xml. I set the level to 0
> because I don't care about it.
> Then I rerun ossec-logtest:
> ossec-testrule: Type one log per line.
> **Phase 1: Completed pre-decoding.
>full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
> type=1400 audit(1459258202.301:67688): apparmor="DENIED"
> operation="ptrace" profile="docker-default" pid=21882 comm="ps"
> requested_mask="trace" denied_mask="trace" peer="unconfined"'
>hostname: 'cmcloud'
>program_name: 'kernel'
>log: '[885866.238608] type=1400 audit(1459258202.301:67688):
> apparmor="DENIED" operation="ptrace" profile="docker-default"
> pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
> peer="unconfined"'
>
> **Phase 2: Completed decoding.
>decoder: 'iptables'
>status: 'DENIED'
>extra_data: 'ptrace'
>
> **Phase 3: Completed filtering (rules).
>Rule id: '81'
>Level: '0'
>Description: 'IGNORE RULE'
>
> With the custom rule in place the log message is adequately ignored.
>
> > --
> > Regards,
> > Sandeep
> >
>


Re: [ossec-list] How to ignore log ?

2016-03-29 Thread dan (ddp)
On Tue, Mar 29, 2016 at 11:29 AM, sandeep dubey
 wrote:
> Hi,
>
> I am getting this alert from all the hosts -
>
> Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400
> audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace"
> profile="docker-default" pid=21882 comm="ps" requested_mask="trace"
> denied_mask="trace" peer="unconfined"
>
> to disable these alerts I have written this -
> 
> no_email_alert
> apparmor="DENIED"  profile="docker-default"
> IGNORED RULE
> 
>
> and restarted the ossec master service, still getting the same alert.
> What am I missing here?
>

The first step is to run the log message through ossec-logtest:
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
   full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
type=1400 audit(1459258202.301:67688): apparmor="DENIED"
operation="ptrace" profile="docker-default" pid=21882 comm="ps"
requested_mask="trace" denied_mask="trace" peer="unconfined"'
   hostname: 'cmcloud'
   program_name: 'kernel'
   log: '[885866.238608] type=1400 audit(1459258202.301:67688):
apparmor="DENIED" operation="ptrace" profile="docker-default"
pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
peer="unconfined"'

**Phase 2: Completed decoding.
   decoder: 'iptables'
   status: 'DENIED'
   extra_data: 'ptrace'

**Phase 3: Completed filtering (rules).
   Rule id: '52002'
   Level: '3'
   Description: 'Apparmor DENIED'
**Alert to be generated.


So the log message is currently triggering rule 52002. We'll use this
in our rule.
The status is DENIED, which can also be useful.
So we'll write a basic rule that tries to match on these:


  DENIED
  profile="docker-default"
  IGNORE RULE


I add this to /var/ossec/rules/local_rules.xml. I set the level to 0
because I don't care about it.
Then I rerun ossec-logtest:
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
   full event: 'Mar 29 13:30:02 cmcloud kernel: [885866.238608]
type=1400 audit(1459258202.301:67688): apparmor="DENIED"
operation="ptrace" profile="docker-default" pid=21882 comm="ps"
requested_mask="trace" denied_mask="trace" peer="unconfined"'
   hostname: 'cmcloud'
   program_name: 'kernel'
   log: '[885866.238608] type=1400 audit(1459258202.301:67688):
apparmor="DENIED" operation="ptrace" profile="docker-default"
pid=21882 comm="ps" requested_mask="trace" denied_mask="trace"
peer="unconfined"'

**Phase 2: Completed decoding.
   decoder: 'iptables'
   status: 'DENIED'
   extra_data: 'ptrace'

**Phase 3: Completed filtering (rules).
   Rule id: '81'
   Level: '0'
   Description: 'IGNORE RULE'

With the custom rule in place the log message is adequately ignored.

> --
> Regards,
> Sandeep
>


[ossec-list] How to ignore log ?

2016-03-29 Thread sandeep dubey
Hi,

I am getting this alert from all the hosts -

Mar 29 13:30:02 cmcloud kernel: [885866.238608] type=1400
audit(1459258202.301:67688): apparmor="DENIED" operation="ptrace"
profile="docker-default" pid=21882 comm="ps" requested_mask="trace"
denied_mask="trace" peer="unconfined"

to disable these alerts I have written this -

no_email_alert
apparmor="DENIED"  profile="docker-default"
IGNORED RULE


and restarted the ossec master service, still getting the same alert.
What am I missing here?

-- 
Regards,
Sandeep
