List: ossec-list
Subject: Re: [ossec-list] Turn off Rules
From: "dan (ddp)" <ddpbsd () gmail ! com>
Date: 2019-02-27 12:33:26
Message-ID: CAMyQvMoii9eFZ-Q7a28XCv_9foMNji=YL+Li8tbZPQC1T6hSZg () mail ! gmail ! com
On Thu, Feb 21, 2019 at 10:12 AM FitLikeAGlove
<undoubtablycattastic@gmail.com> wrote:
>
> Hello, I'm getting a massive influx of emails for one rule and I would like to turn it off or overwrite it.
> Alert output.
>
>
> Received From: (HOST) 192.168.1.206->WinEvtLog
> Rule: 18103 fired (level 5) -> "Windows error event."
> User: SYSTEM
> Portion of the log(s):
>
>
> 2019 Feb 21 04:11:19 WinEvtLog: System: ERROR(36887): Schannel: SYSTEM: NT AUTHORITY: HOST.Domain.tld: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.
> type: System
>
> I tried adding a rule to match this but it did not work. Using this as a template --> https://groups.google.com/d/msg/ossec-list/fsHVu8w-alI/ylDwKXkN3CMJ I added it in the etc/rules/local_rules.xml file of the manager under the default group "<group name="local,syslog,sshd,">"
> <rule id="101013" level="2" frequency="10" timeframe="1600">
> <if_matched_sid>18154</if_matched_sid>
> <match>WinEvtLog: System: ERROR(36887):</match>
This will never match. WinEvtLog isn't part of the log message, it's
meta-data. See the ossec-logtest output below.
> <description>turn down the noise on this event</description>
> </rule>
>
> Can anyone let me know where I'm wrong? I never created a custom rule so I'm sure I'm doing something wrong here.
This totally ignores that alert:
<rule id="300003" level="0">
<if_sid>18103</if_sid>
<description>ignore</description>
</rule>
The rule you posted creates an alert if 12 18103 alerts are triggered
within 1600 seconds.
Here's the output of ossec-logtest with my rule in place:
**Phase 1: Completed pre-decoding.
full event: '2019 Feb 21 04:11:19 WinEvtLog: System:
ERROR(36887): Schannel: SYSTEM: NT AUTHORITY: HOST.Domain.tld: A fatal
alert was received from the remote endpoint. The TLS protocol defined
fatal alert code is 70. type: System'
hostname: 'ix'
program_name: 'WinEvtLog'
log: 'System: ERROR(36887): Schannel: SYSTEM: NT AUTHORITY:
HOST.Domain.tld: A fatal alert was received from the remote endpoint.
The TLS protocol defined fatal alert code is 70. type: System'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'ERROR'
id: '36887'
extra_data: 'Schannel'
dstuser: 'SYSTEM'
system_name: 'HOST.Domain.tld'
**Phase 3: Completed filtering (rules).
Rule id: '300003'
Level: '0'
Description: 'ignore'
As you can see, the 'log:' line doesn't include WinEvtLog. The 'log:'
field is what '<match>' and '<regex>' will compare against.
You should be able to use '<program_name>WinEvtLog</program_name>' to
restrict it though.
> Thanks.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
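The level-0 rule above silences every child of 18103, i.e. every Windows error event, not just the Schannel one. A narrower version, added here as an example and not code from either poster, keys on the fields the 'windows' decoder exposed in the ossec-logtest output (program_name 'WinEvtLog', id '36887', extra_data 'Schannel'). It assumes the rule goes into etc/rules/local_rules.xml on the manager; the rule ids 100101 and 100102 are placeholders chosen from the user-rule range (100000-109999). Alert code 70 in the log text is TLS protocol_version, so it is worth finding the peer that negotiates an unsupported version before suppressing the event entirely.

```xml
<!-- Added example (not from the thread). Drop into etc/rules/local_rules.xml.
     Rule ids 100101/100102 are placeholders from the user-rule range 100000-109999. -->
<group name="local,windows,">

  <!-- Child of 18103 ("Windows error event"). <match>/<regex> compare against the
       decoded 'log:' field, which does not contain "WinEvtLog"; the agent-supplied
       program name is matched with <program_name> instead. <id> and <extra_data>
       are OS_Regex matches on the fields the 'windows' decoder produced in the
       ossec-logtest output (id: '36887', extra_data: 'Schannel'). -->
  <rule id="100101" level="0">
    <if_sid>18103</if_sid>
    <program_name>WinEvtLog</program_name>
    <id>^36887$</id>
    <extra_data>^Schannel$</extra_data>
    <description>Schannel 36887 (TLS fatal alert from remote endpoint): suppressed</description>
  </rule>

  <!-- Alternative to 100101, not to be used together with it: keep the event at
       level 5 in the alert log but stop the e-mail. Uncomment and remove 100101. -->
  <!--
  <rule id="100102" level="5">
    <if_sid>18103</if_sid>
    <program_name>WinEvtLog</program_name>
    <id>^36887$</id>
    <extra_data>^Schannel$</extra_data>
    <options>no_email_alert</options>
    <description>Schannel 36887 logged without e-mail</description>
  </rule>
  -->

</group>
```

Verify with ossec-logtest the same way as above: feed the full event line (including the leading `WinEvtLog:` program name, so pre-decoding fills program_name) and confirm Phase 3 reports rule 100101 at level 0, while an unrelated Windows error event still reports 18103 at level 5. Restart the manager after editing local_rules.xml, since rules are loaded only at start.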