<rule id="100005" level="0"><if_sid>1002</if_sid><hostname>testserver1|testserver2</hostname><program_name>mip</program_name><regex>HAEngine\.*INFO|HAEngine\.*WARNING|Failed to send pseudo-TCP segment frame</regex><description>Ignore MIP Alerts</description></rule>
Nov 12 13:48:50 testserver1 mip: : HAEngine : WARNING : 2 : Replay protection check failed**Phase 1: Completed pre-decoding.full event: 'Nov 12 13:48:50 testserver1 mip: : HAEngine : WARNING : 2 : Replay protection check failed 'hostname: 'testserver1'program_name: 'mip'log: ' : HAEngine : WARNING : 2 : Replay protection check failed '**Phase 2: Completed decoding.No decoder matched.**Phase 3: Completed filtering (rules).Rule id: '100007'Level: '0'Description: 'Ignore MIP Alerts'
OSSEC HIDS Notification.2015 Nov 12 14:58:37Received From: (testserver1)Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."Portion of the log(s):Nov 12 14:58:36 testserver1 mip: : HAEngine : WARNING : 2 : Replay protection check failed--END OF NOTIFICATION
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Or are you sure the manager restarted? Most of the time when I've seen
this behavior on the list analysisd did not actually stop, so it
didn't pickup the new rules. Running `/var/ossec/bin/ossec-control
stop`, then verifying all of the processes are stopped is a prudent
course of action.
I'm waiting to see if it generates an alert.
You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/uXdwCE64oRU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ossec-list+...@googlegroups.com.
Ok, this information is working for me as well. I have tested it on a
local install and an agent/server install (changing the hostname as
appropriate).
Is the agent name testserver? Do the hostname of the system and the
agent name match?
Try setting the rule to level 2
Try setting the rule to level 2
I was hoping it would help with the production use, but since it was
working for me I guess that doesn't matter. I'm pretty much stumped at
the moment.
Okay try this:
Temporaly remove "<options>alert_by_email</options>" from rule 1002 on syslog_rules.xml.Now add "<options>alert_by_email</options>" in your custom rule.Restart OSSEC and generate the alert.What im trying here is to stop OSSEC from sending 1002 rule email, i think that "alert_by_email" option force OSSEC to send an email alert and stop him to keep looking to reach 100007 rule. Just guessing.Btw, sorry for my english, as you would imagine, it is not my mother language.
OK, I'm a little lost as to what this is trying to prove, but the updated settings are in place. I'm waiting for an alert to come through.
With the updated alert_by_email settings, this has stopped the email alerts. I see it hitting the WebUI as alert level 2, but no emails are coming in.
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
--
---
You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/uXdwCE64oRU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ossec-list+...@googlegroups.com.
On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for rule 1002, right there towards the top. Note the options element, which contains alert_by_email. That option tells OSSEC to ignore your email_alert_level and just send an email every time this rule matches. As you have seen, rule 1002 is a catch-all heuristics rule that attempts to identify problems in logs based on certain keywords.
If you are still attempting to troubleshoot your 100007 rule and you can’t seem to figure it out using ossec-logtest, an alternative approach would be selectively eliminating rule filters to see which element is causing 100007 to not match. For example, remove the hostname element, restart ossec, then trigger the error condition and see if the filtering works. If that doesn’t help, restore the hostname element and repeat those steps with the program_name element removed, then with the regex element removed and so on. I’ve got a few 1002 filter rules in local_rules.xml and there’s no magic to it. Just have to make sure all your rule filters are setup correctly.
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
On the OSSEC server, open /var/ossec/rules/syslog_rules.xml. Search for rule 1002, right there towards the top. Note the options element, which contains alert_by_email. That option tells OSSEC to ignore your email_alert_level and just send an email every time this rule matches. As you have seen, rule 1002 is a catch-all heuristics rule that attempts to identify problems in logs based on certain keywords.
And strangely enough, this works just fine for me (ignored when fed
through logger).
Can you update to the latest OSSEC source from github and try that?
Last idea at the moment:
Copy archives.log. Open the copy in a text editor. Find an entry you
want to test against and delete everything else.
Delete the archives.log header from your chosen entry.
Run that through ossec-logtest:
`cat copy-of-archives.log | /var/ossec/bin/ossec-logtest`
See if it still gets reported as a 0. Maybe there's some odd spacing
issue that isn't maintained when copy/pasting it.
--
Is this the only rule in your local_rules.xml that isn't working, or are all rules in your local_rules.xml not working?
On Mon, Nov 30, 2015 at 5:28 PM, Ryan Schulze wrote:Is this the only rule in your local_rules.xml that isn't working, or are all rules in your local_rules.xml not working?
So far, this is the only rule that I just can't seem to stop emailing. I have other rules, and when I check them against ossec-logtest, they come back as "Level: 0", which I've correctly configured. I wait, and no email alerts come in, which is the expected behavior. In fact, I have about 12 rules filtering out various known issues. It's just this one that will not stop emailing, and wouldn't you know it, it is rather a common "alert" that comes in a few hundred times a day.
Dec 1 17:09:28 10.10.10.10 46508: *Dec 1 17:12:31.321: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=4705 spi=F1D214CD seqno=F1D214CD
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Dec 1 17:09:28 10.10.10.10 46508: *Dec 1 17:12:31.321: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=4705 spi=F1D214CD seqno=F1D214CD