OSSEC | How to add an exception rule
-
17-04-2021 - |
문제
I have the standard syslog_rules.xml (OSSEC 2.6.0).
This is the standard rule for bad words in the /var/log/messages
file:
<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
.....
<rule id="1002" level="2">
<match>$BAD_WORDS</match>
<options>alert_by_email</options>
<description>Unknown problem somewhere in the system.</description>
</rule>
.....
How can I add or modify this rule that uses $BAD_WORDS
, but excludes the auxpropfunc error
phrase? That is, something like this:
<match>$BAD_WORDS</match>
<match>!auxpropfunc error</match>
<options>alert_by_email</options>
Any ideas?
해결책
Your best option is probably to write a rule to ignore that phrase. You could add something like the following to /var/ossec/rules/local_rules.xml
:
<rule id="SOMETHING" level="0">
<if_sid>1002</if_sid>
<match>auxpropfunc error</match>
<description>Ignore auxpropfunc error.</description>
</rule>
You could then run the entire log message through ossec-logtest to see how OSSEC will analyze it. You may need to add another option into this rule, or you may not.
다른 팁
If you have more than one word, you could add something like the following to /var/ossec/rules/local_rules.xml
<var name="GOOD_WORDS">error_reporting|auxpropfunc error</var>
<rule id="100002" level="0">
<if_sid>1002</if_sid>
<match>$GOOD_WORDS</match>
<description>Ignore good_words.</description>
</rule>
제휴하지 않습니다 StackOverflow