OSSEC | How to add an exception rule
17-04-2021
Question
I have the standard syslog_rules.xml (OSSEC 2.6.0).
This is the standard rule for bad words in the /var/log/messages file:
<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
.....
<rule id="1002" level="2">
  <match>$BAD_WORDS</match>
  <options>alert_by_email</options>
  <description>Unknown problem somewhere in the system.</description>
</rule>
.....
How can I add or modify this rule so that it uses $BAD_WORDS but excludes the "auxpropfunc error" phrase? That is, something like this:
<match>$BAD_WORDS</match>
<match>!auxpropfunc error</match>
<options>alert_by_email</options>
Any ideas?
Solution
Your best option is probably to write a rule to ignore that phrase. You could add something like the following to /var/ossec/rules/local_rules.xml:
<rule id="SOMETHING" level="0">
  <if_sid>1002</if_sid>
  <match>auxpropfunc error</match>
  <description>Ignore auxpropfunc error.</description>
</rule>
You could then run the entire log message through ossec-logtest to see how OSSEC will analyze it. You may need to add another option into this rule, or you may not.
Other tips
If you have more than one word, you could add something like the following to /var/ossec/rules/local_rules.xml:
<var name="GOOD_WORDS">error_reporting|auxpropfunc error</var>
<rule id="100002" level="0">
  <if_sid>1002</if_sid>
  <match>$GOOD_WORDS</match>
  <description>Ignore good_words.</description>
</rule>
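To make the rule chaining in both answers concrete, here is an added Python model (not from the question, the answers, or OSSEC itself) of how rule 1002 and a level-0 child rule keyed on if_sid interact. It assumes OSSEC's <match> semantics of literal, case-sensitive substrings joined by "|", and uses constructed sample log lines; the child rule id 100002 is taken from the second answer.

```python
# Constructed model of the OSSEC rule chain discussed on this page.
# A parent rule (1002) fires on any $BAD_WORDS term; a child rule (if_sid 1002)
# with level 0 fires on $GOOD_WORDS and thereby suppresses the parent's alert.
BAD_WORDS = ("core_dumped|failure|error|attack|bad |illegal |denied|refused|"
             "unauthorized|fatal|failed|Segmentation Fault|Corrupted")
GOOD_WORDS = "error_reporting|auxpropfunc error"

# (rule id, parent sid via <if_sid> or None, <match> pattern, level)
RULES = [
    (1002, None, BAD_WORDS, 2),
    (100002, 1002, GOOD_WORDS, 0),
]


def ossec_match(pattern, line):
    """Emulate <match>: literal substrings, '|' separates alternatives."""
    return any(alt in line for alt in pattern.split("|"))


def evaluate(line):
    """Return (rule_id, level) of the most specific rule that fires, or None.

    A child rule is only considered if its <if_sid> parent already fired;
    when it matches, it replaces the parent as the final result.
    """
    fired = None
    for rid, parent_sid, pattern, level in RULES:
        if parent_sid is not None and (fired is None or fired[0] != parent_sid):
            continue
        if ossec_match(pattern, line):
            fired = (rid, level)
    return fired


def alerts(line):
    """True when the final rule has level > 0 (level 0 means ignore)."""
    result = evaluate(line)
    return result is not None and result[1] > 0


# Constructed sample lines in /var/log/messages style (not real captures).
SAMPLE_LOGS = [
    "Apr 17 10:00:01 host saslauthd[1234]: auxpropfunc error no mechanism available",
    "Apr 17 10:00:02 host kernel: Segmentation Fault in process 5678",
    "Apr 17 10:00:03 host sshd[42]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(evaluate(entry), "alert" if alerts(entry) else "ignore", "|", entry)
```

Running the model shows the first line being caught by 1002 and then silenced by 100002, while the Segmentation Fault line still alerts at level 2; the real check is still ossec-logtest against your actual rule files.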
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow