Exclude an event based on the log message


Björn

Aug 3, 2015, 11:41:20 AM
to ossec-list
Hello,

I try to exclude this event:


OSSEC HIDS Notification.
2015 Jul 02 12:12:14

Received From: (jump02) 10.13.16.7->\Logfiles\Firewall\pfirewall.log
Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same source."
Portion of the log(s):

2015-07-02 12:11:59 DROP TCP 10.13.1.6 10.13.16.7 443 3573 40 A 2313797595 2078887944 7504 - - - RECEIVE
2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE
2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563535 7504 - - - RECEIVE
2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455107 7504 - - - RECEIVE
2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455106 7504 - - - RECEIVE
2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 1715023945 7504 - - - RECEIVE
2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 1715023944 7504 - - - RECEIVE
2015-07-02 12:11:50 DROP TCP 10.13.1.6 10.13.16.7 443 3566 40 A 1087397228 121698030 7504 - - - RECEIVE
2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 2382348392 7504 - - - RECEIVE
2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 2382348391 7504 - - - RECEIVE
2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402708 7504 - - - RECEIVE
2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402707 7504 - - - RECEIVE

--END OF NOTIFICATION

with this rule without success:

 <rule id="100002" level="10">
   <if_sid>4151</if_sid>
   <srcip>10.13.16.7</srcip>
   <match>10.13.1.6</match>
   <description>#100882</description>
 </rule>


But we are still receiving mails for these events. Do you have an idea what's wrong?

Thanks!


dan (ddp)

Aug 3, 2015, 11:44:45 AM
to ossec...@googlegroups.com


On Aug 3, 2015 11:41 AM, "Björn" <in...@bb-it.biz> wrote:
>
> Hello,
>
> I try to exclude this event:
>
>
> OSSEC HIDS Notification.
> 2015 Jul 02 12:12:14
>
> Received From: (jump02) 10.13.16.7->\Logfiles\Firewall\pfirewall.log
> Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same source."
> Portion of the log(s):
>
> 2015-07-02 12:11:59 DROP TCP 10.13.1.6 10.13.16.7 443 3573 40 A 2313797595 2078887944 7504 - - - RECEIVE

I can't run these through ossec-logtest at the moment, but does the 16.7 address decode to be the source ip?

> 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE
> 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563535 7504 - - - RECEIVE
> 2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455107 7504 - - - RECEIVE
> 2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455106 7504 - - - RECEIVE
> 2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 1715023945 7504 - - - RECEIVE
> 2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 1715023944 7504 - - - RECEIVE
> 2015-07-02 12:11:50 DROP TCP 10.13.1.6 10.13.16.7 443 3566 40 A 1087397228 121698030 7504 - - - RECEIVE
> 2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 2382348392 7504 - - - RECEIVE
> 2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 2382348391 7504 - - - RECEIVE
> 2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402708 7504 - - - RECEIVE
> 2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402707 7504 - - - RECEIVE
>
>
>
>  --END OF NOTIFICATION
>
>
> with this rule without success:
>
>  <rule id="100002" level="10">
>  <if_sid>4151</if_sid>
>  <srcip>10.13.16.7</srcip>
>  <match>10.13.1.6</match>
>  <description>#100882</description>
>  </rule>
>
>
> But we are still receiving mails for these events. Do you have an idea what's wrong?
>
> Thanks!
>
>


Brent Morris

Aug 3, 2015, 11:56:06 AM
to ossec-list
**Phase 1: Completed pre-decoding.
       full event: '2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402707 7504 - - - RECEIVE'
       hostname: 'ossec'
       program_name: '(null)'
       log: '2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402707 7504 - - - RECEIVE'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       action: 'DROP'
       proto: 'TCP'
       srcip: '10.13.1.6'
       dstip: '10.13.16.7'
       srcport: '443'
       dstport: '3562'

**Phase 3: Completed filtering (rules).
       Rule id: '4101'
       Level: '5'
       Description: 'Firewall drop event.'

Against rule.

 <rule id="100002" level="10">
   <if_sid>4151</if_sid>
   <srcip>10.13.16.7</srcip>
   <match>10.13.1.6</match>
   <description>#100882</description>
 </rule>


looks like the srcip is incorrect, as is the rule you're looking for.  Also, depending on your alert level, level 10 may still generate emails.  You may want to rewrite that as 0.  Something like this.

 <rule id="100002" level="0">
   <if_sid>4101</if_sid>
   <srcip>10.13.1.6</srcip>
   <description>Quiet 10.13.1.6 noise</description>
 </rule>

Björn

Aug 3, 2015, 11:56:30 AM
to ossec-list
bin/ossec-logtest
2015/08/03 17:47:39 ossec-testrule: INFO: Reading local decoder file.
2015/08/03 17:47:39 ossec-testrule: INFO: Started (pid: 22641).
ossec-testrule: Type one log per line.


2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE


**Phase 1: Completed pre-decoding.
       full event: '2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE'
       hostname: 'webint'
       program_name: '(null)'
       log: '2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE'

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       action: 'DROP'
       proto: 'TCP'
       srcip: '10.13.1.6'
       dstip: '10.13.16.7'
       srcport: '443'
       dstport: '3572'

**Phase 3: Completed filtering (rules).
       Rule id: '4101'
       Level: '5'
       Description: 'Firewall drop event.'
^C

Yes, I think so.

dan (ddp)

Aug 3, 2015, 11:59:23 AM
to ossec...@googlegroups.com


On Aug 3, 2015 11:56 AM, "Björn" <in...@bb-it.biz> wrote:
>
> bin/ossec-logtest
> 2015/08/03 17:47:39 ossec-testrule: INFO: Reading local decoder file.
> 2015/08/03 17:47:39 ossec-testrule: INFO: Started (pid: 22641).
> ossec-testrule: Type one log per line.
>
>
> 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE'
>        hostname: 'webint'
>        program_name: '(null)'
>        log: '2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE'
>
>
> **Phase 2: Completed decoding.
>        decoder: 'windows-date-format'
>        action: 'DROP'
>        proto: 'TCP'
>        srcip: '10.13.1.6'
>        dstip: '10.13.16.7'

16.7 is being decoded as the destination IP, 1.6 is the source.
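The decoding point dan and Brent make above, as an added example that is not part of the thread and not OSSEC's own code: a simplified Python model that splits a pfirewall.log line in the column order the windows-date-format decoder output shows (fifth column is srcip, sixth is dstip) and evaluates the posted rule's <srcip>, <match> and <if_sid> conditions against the decoded fields, beside Brent's rewrite. Rule ids 4101 and 4151 and all field values come from the thread; the Rule class, decode(), check_conditions() and final_rule() are assumptions of the model, and the single-event chain (4101 fires, then its children are tried) is a simplification of how OSSEC evaluates rules.

```python
"""Simplified model of OSSEC decoding a Windows Firewall log line and
evaluating <srcip>/<match>/<if_sid> conditions against the decoded fields.
Assumption: this is a teaching model, not the OSSEC analysis engine."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines, copied in the pfirewall.log column order that the
# thread's ossec-logtest output reflects:
# date time action protocol src-ip dst-ip src-port dst-port ...
SAMPLE_LINES = [
    "2015-07-02 12:11:59 DROP TCP 10.13.1.6 10.13.16.7 443 3573 40 A 2313797595 2078887944 7504 - - - RECEIVE",
    "2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE",
]


def decode(line: str) -> dict:
    """Produce the fields ossec-logtest printed for the windows-date-format
    decoder. The fifth column is the *source* IP, the sixth the *destination*."""
    cols = line.split()
    if len(cols) < 8:
        raise ValueError("not a Windows Firewall log line: %r" % line)
    return {
        "action": cols[2],
        "proto": cols[3],
        "srcip": cols[4],
        "dstip": cols[5],
        "srcport": cols[6],
        "dstport": cols[7],
    }


@dataclass
class Rule:
    id: int
    level: int
    if_sid: Optional[int] = None   # parent rule that must have matched first
    srcip: Optional[str] = None    # compared with the decoded srcip field only
    match: Optional[str] = None    # substring test against the raw log line


def check_conditions(rule: Rule, parent_id: Optional[int], fields: dict, line: str) -> dict:
    """Return every condition's result so a non-matching rule can be explained."""
    results = {}
    if rule.if_sid is not None:
        results["if_sid"] = parent_id == rule.if_sid
    if rule.srcip is not None:
        results["srcip"] = fields.get("srcip") == rule.srcip
    if rule.match is not None:
        results["match"] = rule.match in line
    return results


def rule_matches(rule: Rule, parent_id: Optional[int], fields: dict, line: str) -> bool:
    return all(check_conditions(rule, parent_id, fields, line).values())


# Base ruleset rule (from the thread's logtest output): fires on a DROP line.
BASE_DROP = Rule(id=4101, level=5)
# The rule as originally posted: <srcip> names the address the decoder puts in dstip.
ORIGINAL = Rule(id=100002, level=10, if_sid=4151, srcip="10.13.16.7", match="10.13.1.6")
# Brent's rewrite: hang off 4101, use the decoded srcip, level 0 so no alert is raised.
CORRECTED = Rule(id=100002, level=0, if_sid=4101, srcip="10.13.1.6")


def final_rule(line: str, children: list) -> Optional[Rule]:
    """Single-event evaluation: 4101 fires on DROP, then its children are tried
    and the deepest matching child becomes the event's final rule (simplified)."""
    fields = decode(line)
    if fields["action"] != "DROP":
        return None
    fired = BASE_DROP
    for child in children:
        if rule_matches(child, fired.id, fields, line):
            fired = child
    return fired


if __name__ == "__main__":
    line = SAMPLE_LINES[0]
    fields = decode(line)
    print("decoded:", fields)
    # Even granting the posted rule its parent 4151, the <srcip> test fails.
    print("original rule conditions:", check_conditions(ORIGINAL, 4151, fields, line))
    for label, rule in (("original", ORIGINAL), ("corrected", CORRECTED)):
        fired = final_rule(line, [rule])
        print("%s -> final rule %d level %d" % (label, fired.id, fired.level))
```

Running it shows the failure mode from the thread: the original rule's if_sid and match conditions can hold, but srcip never does because the decoder assigns 10.13.1.6 to srcip and 10.13.16.7 to dstip, so the event keeps firing 4101 (and, after enough of them, 4151). With the corrected rule the event ends at 100002 at level 0, which is what stops the mail.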

Björn

Aug 4, 2015, 8:45:10 AM
to ossec-list
Ah okay, thanks for your help.
I get it and understand it now! It seems we have multiple srcips.

dan (ddp)

Aug 4, 2015, 8:50:36 AM
to ossec...@googlegroups.com


On Aug 4, 2015 8:45 AM, "Björn" <in...@bb-it.biz> wrote:
>
> Ah okay, thanks for your help.
> I get it and understand it now! It seems we have multiple srcips.
>

I only see 1 source ip in the log samples you provided.
