<!-- We will need a rule in /usr/local/ossec/rules/local_rules.xml to disregard
netstat hidden port alerts on vserver guests as follows. Subsequent
vserver guests will each need a hostname entry: -->
<rule id="100005" level="0">
  <if_sid>510</if_sid>
  <hostname>name1</hostname>
  <hostname>name2</hostname>
  <hostname>name3</hostname>
  <regex>tcp.*hidden.*netstat</regex>
  <description>Stop netstat rootkit alerts on vserver guests</description>
</rule>
In our case, we decided to do all OSSEC monitoring from the VServer
host. The only service we wanted to activate was rootkit which I
believe also comes in a standalone version. Unfortunately, in our
version of the kernel (needed to deal with a critical iSCSI bug),
rootkit causes kernel panics so we are not using it. Hope this helps -
John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsul...@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
That rule worked for John by luck :) Maybe because rootcheck only alerts
once (per port per host) on that issue, but it is probably still happening
if they look at the rootcheck-control tool.
First, to match on multiple hostnames you need to use a pipe "|" to
separate them:
<hostname>name1|name2|name3</hostname>
The OSSEC regex also expects a backslash before them, like:
<regex>tcp\+hidden\+netstat</regex>
I would change the rule to:
<rule id="100005" level="0">
  <if_sid>510</if_sid>
  <hostname>name1|name2|name3</hostname>
  <match>trojaned version of netstat</match>
  <description>Stop netstat rootkit alerts on vserver guests</description>
</rule>
*but you can remove the <hostname> tag if you want for all your systems.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
I had an issue with my agents and I would like to set up an alert
Thanks