OSSEC | How to add an exclusion rule

I have a standard syslog_rules.xml (OSSEC 2.6.0). This is the standard rule for bad words in the /var/log/messages file:

 <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
 .....
 <rule id="1002" level="2">
   <match>$BAD_WORDS</match>
   <options>alert_by_email</options>
   <description>Unknown problem somewhere in the system.</description>
 </rule>
 .....

How can I add or change this rule that uses $BAD_WORDS but excludes the phrase "auxpropfunc error"? That is, something like this:

 <match>$BAD_WORDS</match>
 <match>!auxpropfunc error</match>
 <options>alert_by_email</options>

Any ideas?

+6
2 answers

Your best bet is probably to write a rule to ignore this phrase. You can add something like the following to /var/ossec/rules/local_rules.xml:

 <rule id="SOMETHING" level="0">
   <if_sid>1002</if_sid>
   <match>auxpropfunc error</match>
   <description>Ignore auxpropfunc error.</description>
 </rule>

You can then run the full log message through ossec-logtest to find out how OSSEC will parse it. You may need to add another option to this rule, or you may not.

+9

If you have a few words, you can add something like the following to /var/ossec/rules/local_rules.xml:

 <var name="GOOD_WORDS">error_reporting|auxpropfunc error</var>
 <rule id="100002" level="0">
   <if_sid>1002</if_sid>
   <match>$GOOD_WORDS</match>
   <description>Ignore good_words.</description>
 </rule>

+5
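Added example (not part of either answer, and not OSSEC code): a small Python simulation of how the rule chain from both answers behaves once rule 1002 is the parent and the level-0 rules hang off it via if_sid. The first answer's "SOMETHING" id is given the placeholder 100001, the log lines are constructed, and the matcher is a deliberate simplification of OSSEC's OS_Match syntax (each `|` alternative is a case-insensitive substring test, child rules are tried in file order). It shows the point both answers rely on: a matching child rule replaces the parent's level, so level 0 silences the alert. It also shows the trade-off of a broad GOOD_WORDS list: a line that contains both "error_reporting" and "Segmentation Fault" is silenced too.

```python
"""Simulate the OSSEC rule chain discussed above against constructed log lines.

Added example, not OSSEC code. Matching is a simplification of OSSEC's
OS_Match: every '|' alternative is a case-insensitive substring test, and
child rules (if_sid) are tried in file order; use ossec-logtest on a real
installation for the authoritative result.
"""
import xml.etree.ElementTree as ET

# Constructed rule set: rule 1002 from syslog_rules.xml plus the two
# exclusions from the answers.  Id 100001 stands in for "SOMETHING".
RULES_XML = """
<group>
  <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
  <var name="GOOD_WORDS">error_reporting|auxpropfunc error</var>
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="100001" level="0">
    <if_sid>1002</if_sid>
    <match>auxpropfunc error</match>
    <description>Ignore auxpropfunc error.</description>
  </rule>
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <match>$GOOD_WORDS</match>
    <description>Ignore good_words.</description>
  </rule>
</group>
"""

# Constructed syslog lines (not real captures).
SAMPLE_LOGS = [
    "Mar  1 10:00:01 mail postfix/smtpd[1234]: connect from client.example.net[192.0.2.10]",
    "Mar  1 10:00:02 mail saslauthd[2345]: auxpropfunc error no mechanism available",
    "Mar  1 10:00:03 web php-fpm[3456]: error_reporting level changed to E_ALL",
    "Mar  1 10:00:04 web php-fpm[3456]: error_reporting set; Segmentation Fault in worker 7",
    "Mar  1 10:00:05 host kernel: worker[4567]: Segmentation Fault at address 0x0",
]


def load_rules(xml_text):
    """Parse <var> and <rule> elements; expand $VAR references inside <match>."""
    root = ET.fromstring(xml_text.strip())
    variables = {v.get("name"): v.text for v in root.findall("var")}
    rules = []
    for r in root.findall("rule"):
        match = r.findtext("match") or ""
        for name, value in variables.items():
            match = match.replace("$" + name, value)
        if_sid = r.findtext("if_sid")
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": int(if_sid) if if_sid else None,
            "match": match,
            "description": r.findtext("description", ""),
        })
    return rules


def pattern_matches(pattern, log_line):
    """Simplified OS_Match: any '|' alternative found as a substring, ignoring case."""
    if not pattern:
        return True
    line = log_line.lower()
    return any(alt.lower() in line for alt in pattern.split("|"))


def evaluate(rules, log_line):
    """Return (rule_id, level, description) of the final matching rule, or None.

    A parent rule (no if_sid) that matches is the starting point; the first
    child whose if_sid points at the current winner and whose match succeeds
    replaces it, so a level-0 child silences the parent's alert.
    """
    for parent in (r for r in rules if r["if_sid"] is None):
        if not pattern_matches(parent["match"], log_line):
            continue
        winner = parent
        while True:
            child = next((c for c in rules
                          if c["if_sid"] == winner["id"]
                          and pattern_matches(c["match"], log_line)), None)
            if child is None:
                break
            winner = child
        return winner["id"], winner["level"], winner["description"]
    return None


def alerting_lines(rules, log_lines):
    """Lines whose final level is above 0, i.e. lines that would still alert."""
    result = []
    for line in log_lines:
        verdict = evaluate(rules, line)
        if verdict is not None and verdict[1] > 0:
            result.append(line)
    return result


RULES = load_rules(RULES_XML)

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(evaluate(RULES, line), "<-", line)
```

The fourth sample line is the caveat: because GOOD_WORDS contains the generic "error_reporting", a line that also reports a segmentation fault drops to level 0 and never alerts. Keep exclusion patterns as specific as the noise you are suppressing, and feed real samples through ossec-logtest before trusting a new level-0 rule.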

Source: https://habr.com/ru/post/906368/
