Negative Match Criteria


Eric

Feb 9, 2018, 10:38:47 AM
to ossec-list
Hello,

I'm working on a few custom rules and I was wondering if there is a "not equal to" item within OSSEC custom rules that I can use. I have the following logs and I want everything but the ActiveSync ones.

Feb  9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /autodiscover/autodiscover.xml &CorrelationID=<empty>;; 443 - us...@domain.com X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0

Feb  9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /EWS/Exchange.asmx &CorrelationID=<empty>;; 443 - us...@domain.com X.X.X.X SfBForMac/16.13.184.0000+(Mac+OSX+10.12.6) - 401 1 2148074254 0

Feb  9 00:00:01 XXXXX 2018-02-09 04:59:58 10.13.1.28 POST /Microsoft-Server-ActiveSync/default.eas ; 443 us...@domain.com X.X.X.X Android-Mail/7.10.22.174510681.release - 200 0 0 15

Right now I have the following logic and it works, but I'd prefer to just do a not equal to ActiveSync so I don't have to add additional regexes if a new log comes in.

<rule id="100211" level="5">
   <if_sid>100210</if_sid>
   <!-- the path in the log lines above is autodiscover.xml, not autodiscovery.xml -->
   <regex>autodiscover.xml|Exchange.asmx</regex>
   <regex>\.+\d+\s\w+.\w...@domain.com\.+ - 401 </regex>
   <description>Email authentication failure.</description>
</rule>

Bruce Westbrook

unread,
Feb 9, 2018, 12:35:31 PM2/9/18
to ossec-list
Eric, short answer is unfortunately "no" (see my similar question recently under the subject "Rule Exception - How?"). The only portions of a rule that you can negate/exclude are srcip and dstip (see http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html).

What I've found is that to exclude a subset of items you need to create a minimum of two rules. The first rule catches only what you want to exclude, the second rule captures all the rest. A simple example to simply ignore the ActiveSync log entries and do something with all the rest, using your log line examples and the rule you posted (not sure what rule #100210 is but assume it's to match the log lines for your rule):

<!--  Rule to ignore ActiveSync logs -->
<rule id="100211" level="0">
   <if_sid>100210</if_sid>
   <match>Microsoft-Server-ActiveSync</match>
   <description>NOISE: Ignore ActiveSync log entries.</description>
</rule>

<!--  Rule to do something with all the other log lines -->
<rule id="100212" level="5">
   <if_sid>100210</if_sid>
   <regex>\.+\d+\s\w+.\w...@domain.com\.+ - 401 </regex>
   <description>Email authentication failure.</description>
</rule>

Hope that helps point you in the right direction.
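A small Python model of Bruce's two-rule exclusion, added here as an example (it is not code from the thread or from OSSEC itself): it translates the OSSEC regex dialect into Python's, then runs constructed log lines in the post's format through the level-0 ignore rule and the level-5 catch-all in order. The `<regex>` and the user name are made up, since Eric's pattern is partly elided in his post.

```python
import re

# OSSEC regex dialect (see its regex syntax docs): \w also covers '@', '-', '_';
# \s is a space; \. means "anything"; a bare '.' is literal. Only these documented
# classes are modelled (negated classes omitted), not every corner of os_regex.
OSSEC_CLASSES = {"w": r"[A-Za-z0-9@_-]", "d": r"[0-9]", "s": r" ", "t": r"\t",
                 "p": r"[()*+,\-.:;<=>?\[\]]", ".": r"."}

def ossec_regex_to_python(pattern):
    """Translate an OSSEC <regex> pattern into an equivalent Python pattern."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):  # class (\w, \d) or escaped literal (\$, \()
            out.append(OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(pattern[i] if pattern[i] in "^$|+*" else re.escape(pattern[i]))
            i += 1
    return "".join(out)

def classify(line, rules):
    # Sibling rules are tried in the order listed and the first hit wins: that is how
    # the level-0 ignore rule shadows the level-5 rule for ActiveSync lines. <match>
    # on a plain string is a substring test; <regex> uses the dialect above.
    for rule in rules:
        if "match" in rule and rule["match"] not in line:
            continue
        if "regex" in rule and not re.search(ossec_regex_to_python(rule["regex"]), line):
            continue
        return rule["id"], rule["level"]
    return None, None

# Children of 100210 in Bruce's layout. The <regex> is a constructed stand-in for
# Eric's (his is partly elided in the post); it keys on the user and the 401.
RULES = [{"id": 100211, "level": 0, "match": "Microsoft-Server-ActiveSync"},
         {"id": 100212, "level": 5, "regex": r"\s\w+@domain.com\s\.+ - 401 "}]

# Constructed lines in the post's format (user made up, user agent shortened); the
# third is an ActiveSync 401 that the ignore rule must swallow despite the 401.
LOGS = [
    "Feb  9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /autodiscover/autodiscover.xml"
    " &CorrelationID=<empty>;; 443 - user@domain.com X.X.X.X SfBForMac/16.13 - 401 1 2148074254 0",
    "Feb  9 00:00:00 XXXXX 2018-02-09 04:59:52 10.13.1.15 POST /EWS/Exchange.asmx"
    " &CorrelationID=<empty>;; 443 - user@domain.com X.X.X.X SfBForMac/16.13 - 401 1 2148074254 0",
    "Feb  9 00:00:02 XXXXX 2018-02-09 04:59:59 10.13.1.28 POST /Microsoft-Server-ActiveSync/default.eas"
    " ; 443 - user@domain.com X.X.X.X Android-Mail/7.10 - 401 1 2148074254 0",
]

def alerts(logs=LOGS, rules=RULES):
    return [classify(line, rules) for line in logs]  # level 0 = dropped, not alerted
```

Removing the ignore rule from `RULES` lets the third line reach rule 100212, which is the behaviour Eric wanted to avoid.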

Eric

Feb 9, 2018, 1:37:43 PM
to ossec-list
Thanks Bruce. I didn't think about doing it that way but it definitely works. I really wish OSSEC would allow ! regex or just a simple <not match>Blah</not match>.

dan (ddp)

Feb 15, 2018, 7:10:39 AM
to ossec...@googlegroups.com
On Fri, Feb 9, 2018 at 1:37 PM, Eric <eric.l...@gmail.com> wrote:
> Thanks Bruce. I didn't think about doing it that way but it definitely
> works. I really wish OSSEC would allow ! regex or just a simple <not
> match>Blah</not match>.
>

If you're interested in adding this feature, we use github. You can
submit a pull request
at https://github.com/ossec/osec-hids