OSSEC HIDS Notification.
2011 Mar 15 07:18:52
Received From: (sebfwint1) 172.24.0.63->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr' insert (-1)
Since you're aware of the issue, the alert looks pretty worthless.
I did the following and restarted OSSEC, but I'm still getting the alert :( Do I
need to specify rule ID 1002 somewhere here?
<rule id="100002" level="0">
<options>no_email_alert</options>
<match>snmpd</match>
<description>IGNORED RULE</description>
</rule>
--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH
Look at the output of the log message in ossec-logtest:
# cd /var/ossec/bin
# ./ossec-logtest
2011/03/15 13:10:31 ossec-testrule: INFO: Reading local decoder file.
2011/03/15 13:10:31 ossec-testrule: INFO: Reading loading the lists
file: 'lists/blocked.txt.cdb'
2011/03/15 13:10:31 ossec-testrule: INFO: Started (pid: 1010).
ossec-testrule: Type one log per line.
Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr' insert (-1)
**Phase 1: Completed pre-decoding.
full event: 'Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr' insert (-1)'
hostname: 'sebfwint1'
program_name: 'snmpd'
log: 'error on subcontainer 'ia_addr' insert (-1)'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
The <match> option uses the section labeled "log:" to match against.
snmpd is not in that section, it is the program_name.
If you're trying to ignore all messages coming from snmpd (a silly
thing to do), you'd need to use <program_name>snmpd</program_name>. If
you want to ignore this message specifically, use the program_name and
a <match> statement (based on the log: output above).
HTH,
dan
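As an added illustration (not dan's text and not shipped with OSSEC), here is a local_rules.xml fragment that applies his advice: <program_name> is compared against the pre-decoded program_name field, and <match> against the pre-decoded log field, so the message-specific rule needs both. The rule IDs 100003/100004, the group name, the descriptions and the exact <match> substring (the start of the log: field shown by ossec-logtest) are my assumptions; only one of the two rules should be kept.

```xml
<!-- Added example, not OSSEC project code. IDs, group name and
     descriptions are assumptions; 100000-109999 is the local rule range. -->
<group name="local,syslog,">

  <!-- Silence only the specific snmpd message that fired rule 1002.
       <program_name> tests the program_name field, <match> tests the
       log field, so both are needed to pin down this one message. -->
  <rule id="100003" level="0">
    <if_sid>1002</if_sid>
    <program_name>snmpd</program_name>
    <match>error on subcontainer 'ia_addr' insert</match>
    <description>Known snmpd ia_addr subcontainer noise, ignored</description>
  </rule>

  <!-- Broader alternative (the "silly" one): drop every snmpd message
       that would otherwise fire rule 1002. Use this or 100003, not both. -->
  <rule id="100004" level="0">
    <if_sid>1002</if_sid>
    <program_name>snmpd</program_name>
    <description>All snmpd messages matched by 1002, ignored</description>
  </rule>

</group>
```

After saving the fragment into /var/ossec/rules/local_rules.xml and restarting OSSEC, feed the same syslog line to ossec-logtest again: Phase 3 should now report rule 100003 (or 100004) at level 0 and no "Alert to be generated" line. Checking with ossec-logtest before restarting in production is the quickest way to confirm a level-0 rule is actually matching the field you think it is.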
On Tue, Mar 15, 2011 at 12:53 PM, satish patel <sati...@gmail.com> wrote:
<rule id="100003" level="0">
<if_sid>1002</if_sid>
<options>no_email_alert</options>
<match>snmpd</match>
<description>IGNORED RULE</description>
</rule>
......
<match>error on subcontainer 'ia_addr' insert (-1)</match>
--
Sent from my iPhone
On Mar 15, 2011, at 3:08 PM, Gurtaj Singh <gurtaj...@esentire.com>
wrote:
> OMG DUDE.......listen to me and dan....U CANT use <match> for