How to ignore specific rules

[satish patel]

I am getting following alert constantly how to ignore it until i fix the issue ?

OSSEC HIDS Notification.
2011 Mar 15 07:18:52

Received From: (sebfwint1) 172.24.0.63->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr'
insert (-1)

[Gurtaj Singh]

add the following rule to your local_rules.xml

<rule id="700678" level="7">
<options>no_email_alert</options>
<match>error on subcontainer 'ia_addr' insert (-1)</match>
<description>IGNORED RULE</description>
</rule>

The above rule takes that alert as a level 7(which by default wont be ignored but note the options command-due to which it wont be alerted on)
If ever you want to see if you properly fixed the issue,remove the options command and keep the rest. That way it wont be ignored.

Another alternative is call it a level 1 or 2 and completely ignore it(no logs) or use the no_log command under options.

[satish patel]

Perfect!!! Thanks a lot..

[satish patel]

One question i used "no_log" that means it will stop alert and log both ?

[Gurtaj Singh]

yes ...i recommend not using that...u might wanna keep the logging on.

[dan (ddp)]

If you don't want it to email or log, you should just lower the level to 0.
Adding the no email option doesn't really ignore the log message, it
just doesn't send out an email. Lowering the level to 0 ignores it.

Since you're aware of the issue, the alert looks pretty worthless.

[Gurtaj Singh]

dan thats exactly what my response said.....
:(

[satish patel]

hey boys,

I did following and restart ossec but still getting alert :( do i
need to specify 1002 rules ID somewhere here?

<rule id="100002" level="0">
<options>no_email_alert</options>
<match>snmpd</match>

<description>IGNORED RULE</description>
</rule>

[Castle, Shane]

Sigh. http://www.ossec.net/wiki/Know_How:Ignore_Rules

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

[Gurtaj Singh]

U cant just match snmpd......thats the program_name there is a way to
match that using a decoder but dont do thast..ull get confused .
Just use the one i made and lower it too lvl 0
On Tue, 2011-03-15 at 13:13 -0400, dan (ddp) wrote:
> Hi Satish,
> You're doing it wrong.
>
> Look at the output of the log message in ossec-logtest:
> # cd /var/ossec/bin
> # ./ossec-logtest
> 2011/03/15 13:10:31 ossec-testrule: INFO: Reading local decoder file.
> 2011/03/15 13:10:31 ossec-testrule: INFO: Reading loading the lists
> file: 'lists/blocked.txt.cdb'
> 2011/03/15 13:10:31 ossec-testrule: INFO: Started (pid: 1010).
> ossec-testrule: Type one log per line.

>
> Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr'
> insert (-1)
>
>

> **Phase 1: Completed pre-decoding.
> full event: 'Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on
> subcontainer 'ia_addr' insert (-1)'
> hostname: 'sebfwint1'
> program_name: 'snmpd'
> log: 'error on subcontainer 'ia_addr' insert (-1)'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> The <match> option uses the section labeled "log:" to match against.
> snmpd is not in that section, it is the program_name.
>
> If you're trying to ignore all messages coming from snmpd (a silly
> thing to do), you'd need to use <program_name>snmpd</program_name>. If
> you want to ignore this message specifically, use the program_name and
> a <match> statement (based on the log: output above).
> HTH,
> dan

[dan (ddp)]

Hi Satish,
You're doing it wrong.

Look at the output of the log message in ossec-logtest:
# cd /var/ossec/bin
# ./ossec-logtest
2011/03/15 13:10:31 ossec-testrule: INFO: Reading local decoder file.
2011/03/15 13:10:31 ossec-testrule: INFO: Reading loading the lists
file: 'lists/blocked.txt.cdb'
2011/03/15 13:10:31 ossec-testrule: INFO: Started (pid: 1010).
ossec-testrule: Type one log per line.

Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr'
insert (-1)

**Phase 1: Completed pre-decoding.
full event: 'Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on
subcontainer 'ia_addr' insert (-1)'
hostname: 'sebfwint1'
program_name: 'snmpd'
log: 'error on subcontainer 'ia_addr' insert (-1)'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

The <match> option uses the section labeled "log:" to match against.
snmpd is not in that section, it is the program_name.

If you're trying to ignore all messages coming from snmpd (a silly
thing to do), you'd need to use <program_name>snmpd</program_name>. If
you want to ignore this message specifically, use the program_name and
a <match> statement (based on the log: output above).
HTH,
dan

On Tue, Mar 15, 2011 at 12:53 PM, satish patel <sati...@gmail.com> wrote:

[Gurtaj Singh]

oh and i got the ossec wui working dan..a minor error in the server name
xDD
but i am disappointed its useless...gahhh
will use splunk now..
hope my above reply helped u satish
GS

On Tue, 2011-03-15 at 13:13 -0400, dan (ddp) wrote:

[Tanishk Lakhaani]

Hi,
Set the level to 0 (zero) in local_rules.xml


Regards
Tanishk Lakhaani
Sent from BlackBerry® on Airtel

[satish patel]

I did following but still not working :(

<rule id="100003" level="0">
<if_sid>1002</if_sid>

<options>no_email_alert</options>
<match>snmpd</match>
<description>IGNORED RULE</description>
</rule>

[Gurtaj Singh]

OMG DUDE.......listen to me and dan....U CANT use <match> for
snmpd....JUST COPY MY RULE gAHHHHHHHHHHHH
dan plz reply to him again ...since you are the one with patience...
<match> works for ONLY THE LOG PART OF THE MESSAGE!!
use <program_name>snmpd</program_name>

......

[dan (ddp)]

You're doing it wrong.

Look at the output of the log message in ossec-logtest:
# cd /var/ossec/bin
# ./ossec-logtest
2011/03/15 13:10:31 ossec-testrule: INFO: Reading local decoder file.
2011/03/15 13:10:31 ossec-testrule: INFO: Reading loading the lists
file: 'lists/blocked.txt.cdb'
2011/03/15 13:10:31 ossec-testrule: INFO: Started (pid: 1010).
ossec-testrule: Type one log per line.

Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr'
insert (-1)

**Phase 1: Completed pre-decoding.
full event: 'Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on
subcontainer 'ia_addr' insert (-1)'
hostname: 'sebfwint1'
program_name: 'snmpd'
log: 'error on subcontainer 'ia_addr' insert (-1)'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

The <match> option uses the section labeled "log:" to match against.
snmpd is not in that section, it is the program_name.

If you're trying to ignore all messages coming from snmpd (a silly
thing to do), you'd need to use <program_name>snmpd</program_name>. If
you want to ignore this message specifically, use the program_name and
a <match> statement (based on the log: output above).
HTH,
dan

[satish patel]

Added. hope it will stop alerting..

<match>error on subcontainer 'ia_addr' insert (-1)</match>

[Satish Patel]

You are right!! It works

--
Sent from my iPhone

On Mar 15, 2011, at 3:08 PM, Gurtaj Singh <gurtaj...@esentire.com>
wrote:

> OMG DUDE.......listen to me and dan....U CANT use <match> for

[Gurtaj Singh]

finally lol.....nice to help