List: ossec-list
Subject: [Ossec-list] OSSEC Hids Notification - Alert level 7
From: daniel.cid () gmail ! com (Daniel Cid)
Date: 2006-05-18 3:12:17
Message-ID: b92e6f200605172012t325e6774y984e91f9637d9cfb () mail ! gmail ! com
Hi Kayvan
You can do two things:
- Create a local_rules.xml file and include it in ossec.conf. In local_rules, you would add regexes to match these specific patterns that you want to be ignored.
- If the log format is currently not supported (like this smbd), you can create a smbd_rules.xml and add the rules you want there. After that, it would be nice to share it with everyone :)
Just as an example, I created a smbd_rules.xml that would ignore some of
these messages and set the right severity for the denied access one.
To test, add an "<include>smbd_rules.xml</include>" to your ossec.conf,
copy smbd_rules.xml to /var/ossec/rules/ and restart ossec.
You can download it from:
http://www.ossec.net/rules/smbd_rules.xml
Hope it helps :)
Thanks!
--
Daniel B. Cid
dcid @ ( at ) ossec.net
On 5/17/06, Kayvan A. Sylvan <kayvan at sylvan.com> wrote:
> Hi!
>
> I'm running the latest OSSEC.
>
> I get lots of these log messages. What's the recommended way of
> customizing the ruleset so that these types of log messages
> are ignored?
>
> Thanks.
>
> On Wed, May 17, 2006 at 11:49:09AM -0700, OSSEC HIDS wrote:
> > OSSEC HIDS Notification.
> > 2006 May 17 11:48:57
> >
> > Received From: /var/log/messages
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> > Portion of the log(s):
> >
> > smbd[12252]: getpeername failed. Error was Transport endpoint is not connected
> >
> >
> >
> > --END OF NOTIFICATION
> >
> >
> >
> > OSSEC HIDS Notification.
> > 2006 May 17 11:48:57
> >
> > Received From: /var/log/messages
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> > Portion of the log(s):
> >
> > smbd[12252]: Denied connection from (0.0.0.0)
> >
> >
> >
> > --END OF NOTIFICATION
> >
> >
> >
> > OSSEC HIDS Notification.
> > 2006 May 17 11:48:57
> >
> > Received From: /var/log/messages
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> > Portion of the log(s):
> >
> > smbd[12252]: getpeername failed. Error was Transport endpoint is not connected
> >
> >
> >
> > --END OF NOTIFICATION
> >
> >
> >
> > OSSEC HIDS Notification.
> > 2006 May 17 11:48:57
> >
> > Received From: /var/log/messages
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> > Portion of the log(s):
> >
> > smbd[12252]: Connection denied from 0.0.0.0
> >
> >
> >
> > --END OF NOTIFICATION
> >
> >
> >
> > OSSEC HIDS Notification.
> > 2006 May 17 11:48:57
> >
> > Received From: /var/log/messages
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> > Portion of the log(s):
> >
> > smbd[12252]: write_socket_data: write failure. Error = Connection reset by peer
> >
> >
> >
> > --END OF NOTIFICATION
> >
> >
> >
> > OSSEC HIDS Notification.
> > 2006 May 17 11:48:57
> >
> > Received From: /var/log/messages
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> > Portion of the log(s):
> >
> > smbd[12252]: write_socket: Error writing 5 bytes to socket 5: ERRNO = Connection reset by peer
> >
> >
> >
> > --END OF NOTIFICATION
> >
> >
> >
> > OSSEC HIDS Notification.
> > 2006 May 17 11:48:57
> >
> > Received From: /var/log/messages
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the system.'"
> > Portion of the log(s):
> >
> > smbd[12252]: Error writing 5 bytes to client. -1. (Connection reset by peer)
> >
> >
> >
> > --END OF NOTIFICATION
> >
> >
> >
> _______________________________________________
> ossec-list mailing list
> ossec-list at ossec.net
> http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
>
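As an added illustration of the second option Daniel describes (a dedicated smbd_rules.xml), the rule file below is example code written for this page; it is not the file linked from ossec.net and not part of the original thread. It assumes a decoder named smbd exists (shown in the leading comment), that OSSEC's local-rule id range 100000 and up is used (the ids 100100 to 100103 are arbitrary picks), and that the patterns come from the smbd lines quoted above. The noisy disconnect messages are dropped to level 0, the denied-connection messages keep a moderate level, and repeated denials are escalated.

```xml
<!-- smbd_rules.xml (added example, not the file linked from ossec.net).
     Assumes a decoder named "smbd" is defined, e.g. in /var/ossec/etc/decoder.xml:
       <decoder name="smbd">
         <program_name>^smbd</program_name>
       </decoder>
     Rule ids 100100 to 100103 are arbitrary values from the range OSSEC leaves for local rules. -->
<group name="smbd,">

  <!-- Parent rule: every decoded smbd line lands here first; level 0 means no alert by itself. -->
  <rule id="100100" level="0">
    <decoded_as>smbd</decoded_as>
    <description>Grouping of smbd messages.</description>
  </rule>

  <!-- Noise from clients that drop the TCP session (getpeername/write failures): silence it.
       "|" is OSSEC's OR inside <match>. -->
  <rule id="100101" level="0">
    <if_sid>100100</if_sid>
    <match>getpeername failed|Connection reset by peer</match>
    <description>smbd client disconnected abruptly (ignored).</description>
  </rule>

  <!-- A connection refused by smbd's hosts allow/deny is worth seeing, but not at level 7. -->
  <rule id="100102" level="5">
    <if_sid>100100</if_sid>
    <match>Denied connection from|Connection denied from</match>
    <description>smbd denied a connection (hosts allow/deny).</description>
  </rule>

  <!-- Escalate when denials repeat: 8 matches of rule 100102 within 120 seconds. -->
  <rule id="100103" level="8" frequency="8" timeframe="120">
    <if_matched_sid>100102</if_matched_sid>
    <description>Multiple smbd connection denials in a short period.</description>
  </rule>

</group>
```

Drop the file in /var/ossec/rules/, reference it from the rules section of ossec.conf with the include line Daniel gives, and restart OSSEC. On releases that ship /var/ossec/bin/ossec-logtest, pasting one of the quoted smbd lines into it shows which rule id and level now fire, which is the quickest way to confirm the disconnect messages land on rule 100101 rather than the generic "unknown problem" rule.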