Getting OSSEC to ignore specific alerts


Tahir Hafiz

May 31, 2016, 12:00:22 PM5/31/16
to ossec-list
How do I get OSSEC to ignore a specific textual alert and not show it in the alerts file?
I know I can create a local_rules.xml file and get it to ignore a specific rule but I need something more specific than that.

This is the alert that I see in the alerts file (/var/ossec/logs/alerts/alerts.log):

** Alert 1464690578.111537: mail  - ossec,rootcheck,
2016 May 31 11:29:38 (XYZabc02) any->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
File '/dev/.blkid.tab.old' present on /dev. Possible hidden file.


So I would like OSSEC to not show the above alert in the alerts file.
Is there a way to do that?

More generally, is there a way to whitelist specific alerts so they don't show up in the alerts file?

I see that the guy here has the same problem but his solution does not work:
https://botbot.me/freenode/ossec/2016-03-01/?tz=America/Los_Angeles

Cheers,
Tahir

dan (ddp)

May 31, 2016, 12:42:10 PM5/31/16
to ossec...@googlegroups.com
On Tue, May 31, 2016 at 12:00 PM, Tahir Hafiz <tahir...@gmail.com> wrote:
> How do I get OSSEC to ignore a specific textual alert and not show it in the
> alerts file?
> I know I can create a local_rules.xml file and get it to ignore a specific
> rule but I need something more specific than that.
>
> This is the alert that I see in the alerts file
> (/var/ossec/logs/alerts/alerts.log):
>
> ** Alert 1464690578.111537: mail - ossec,rootcheck,
> 2016 May 31 11:29:38 (XYZabc02) any->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
> File '/dev/.blkid.tab.old' present on /dev. Possible hidden file.
>
>
> So I would like OSSEC to not show the above alert in the alerts file.
> Is there a way to do that?
>
> More generally is there a way to whitelist specific alerts so they don't
> show up in the alerts file.
>


Have you tried creating a child rule that looks for "/dev/.blkid.tab.old"?

> I see that the guy here has the same problem but his solution does not work:
> https://botbot.me/freenode/ossec/2016-03-01/?tz=America/Los_Angeles
>
> Cheers,
> Tahir
>

Tahir Hafiz

Jun 1, 2016, 5:17:05 AM6/1/16
to ossec-list
Creating a child rule like that, which looks for "/dev/.blkid.tab.old" and ignores it: okay, I am trying to find examples of such things.
Do you have a link or any examples of such a thing?

I don't need to create such a rule in local_rules.xml do I?

I think I should create such a rule in ossec_rules.xml where the 510 rule exists.
Is that correct?


  <rule id="510" level="7">
    <if_sid>509</if_sid>
    <description>Host-based anomaly detection event (rootcheck).</description>
    <group>rootcheck,</group>
    <if_fts />
  </rule>

Above is the stanza, I will try to add to it by reading this pdf about rules:
http://www.ossec.net/ossec-docs/OSSEC-book-ch4.pdf

dan (ddp)

Jun 1, 2016, 7:59:42 AM6/1/16
to ossec...@googlegroups.com
On Wed, Jun 1, 2016 at 5:17 AM, Tahir Hafiz <tahir...@gmail.com> wrote:
> Creating a child rule like that looks for "/dev/.blkid.tab.old" and ignores
> it, okay, I am trying to find examples of such things.
> Do you have a link or any examples of such a thing?
>

The rules files are full of examples.

> I don't need to create such a rule in local_rules.xml do I?
>
> I think I should create such a rule in ossec_rules.xml where the 510 rule
> exist.
> Is that correct?
>

Using local_rules.xml is the best option. The other rule files will
get overwritten during an upgrade, and your changes would be lost.

Something like (and I haven't tested this or anything):
  <rule id="800001" level="0">
    <if_sid>510</if_sid>
    <match>/dev/.blkid.tab.old</match>
    <description>Ignore /dev/.blkid.tab.old</description>
  </rule>

Tahir Hafiz

Jun 1, 2016, 8:36:53 AM6/1/16
to ossec-list
Thanks, will give it a try in local_rules.xml.

Am I right in thinking that Level 0 still keeps a log in /var/ossec/logs/ossec.log, it's just the alerts file that the log is kept out of?

Tahir Hafiz

Jun 1, 2016, 9:28:08 AM6/1/16
to ossec-list
Actually, I think it's going to be this, because the sid is 509.

  <rule id="100002" level="0">
    <if_sid>509</if_sid>
    <match>/dev/.blkid.tab.old</match>
    <description>Ignore /dev/.blkid.tab.old</description>
  </rule>


Will try to test this today. I have other whitelisting (level 0) stuff to do as well.

dan (ddp)

Jun 1, 2016, 9:55:12 AM6/1/16
to ossec...@googlegroups.com
On Wed, Jun 1, 2016 at 8:36 AM, Tahir Hafiz <tahir...@gmail.com> wrote:
> Thanks will give it a try in the local_rules.xml
>
> Am I right in thinking that Level 0 still keeps a log in
> /var/ossec/logs/ossec.log, it's just the alerts file that the log is kept
> out of?
>

No, level 0 does not create a log entry. And alerts are stored in
/var/ossec/logs/alerts/alerts.log, not ossec.log.
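As an added example (not code posted by either participant), here is what the suppression rule discussed above looks like as a complete, loadable local_rules.xml. OSSEC requires every rule to sit inside a <group> element, so the snippets in the thread cannot be dropped into an empty file as-is. The group name is an assumed placeholder; rule id 100002 is the one Tahir chose, and the parent is rule 510 as dan suggested (Tahir's later variant keys on 509 instead, and the thread does not report which one he ended up testing).

```xml
<!-- Added example local_rules.xml; not from the thread.
     Group name "local,rootcheck," is an assumed placeholder.
     Rule ids 100000-119999 are reserved for local rules, so 100002 is safe. -->
<group name="local,rootcheck,">

  <!-- Child of rule 510, the rootcheck anomaly alert quoted in the thread.
       Level 0 means OSSEC writes neither an alert nor a log entry for events
       that land on this rule, so the "hidden file" notice is suppressed entirely.
       <match> is a plain-text substring test against the event, not a regex,
       so the dots in the path are literal. -->
  <rule id="100002" level="0">
    <if_sid>510</if_sid>
    <match>/dev/.blkid.tab.old</match>
    <description>Ignore rootcheck hidden-file notice for /dev/.blkid.tab.old</description>
  </rule>

</group>
```

Because <match> is a substring test, it also silences any other rootcheck event whose text happens to contain that path; keep the string as specific as the alert allows. To verify the rule before relying on it, paste the quoted rootcheck line into /var/ossec/bin/ossec-logtest and check that the reported rule id is 100002 at level 0, then restart OSSEC with /var/ossec/bin/ossec-control restart so the new local_rules.xml is loaded.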