
Does anyone know how to ignore a /dev/loop device in OSSEC?

Ubuntu 18 LTS has 2 loop drives:

/dev/loop0       87M   87M     0 100% /snap/core/4486
/dev/loop1       87M   87M     0 100% /snap/core/4917

ossec: output: 'df -P': /dev/loop0           88704    88704          0     100% /snap/core/4486

I don't need alerts on this as it is expected; I've tried adding the mount paths as an ignore dir but no luck.

Any help or direction to get help would be fantastic.


2 Answers

To fix this I added to /var/ossec/rules/local_rules.xml:

<rule id="100100" level="0">
  <if_sid>531</if_sid>
  <match>cdrom|/media|usb|/mount|floppy|dvd|/dev/loop</match>
  <description>Ignoring external media & snap loop devices</description>
</rule>


For testing your rule chain against your logs you can use ossec-logtest.

For that, you execute this file, which by default is at this path: /var/ossec/bin/ossec-logtest

Then you copy/paste into it the alerts you want to exclude. OSSEC will describe its whole process for treating these alerts:

Example:

**Phase 1: Completed pre-decoding.
       full event: 'Aug 10 10:42:27 my_server kernel: [40156.042928] IPTables-INPUT-Dropped: IN=eth0 OUT= MAC=36:fa:a6:e9:c3:3f:08:00:27:c4:89:63'
       hostname: 'my_server'
       program_name: 'kernel'
       log: '[40156.042928] IPTables-INPUT-Dropped: IN=eth0 OUT= MAC=36:fa:a6:e9:c3:3f:08:00:27:c4:89:63'

**Phase 2: Completed decoding.
       decoder: 'iptables'

**Phase 3: Completed filtering (rules).
       Rule id: '4101'
       Level: '5'
       Description: 'Firewall drop event.'
**Alert to be generated.

In the results, you will be able to see which rule is triggered by your logs, and you will be able to modify this rule or these rules to get what you want.

Here is an example of modifying your rules

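As an added illustration (not code from either answer), the following Python sketch models how OSSEC walks the rule chain that both answers refer to: the stock disk-monitor rule 531 fires on the df line, and the local child rule 100100 overrides it at level 0 so no alert is written. The definitions of rules 530 and 531 are approximated from the stock OSSEC ruleset and the <match> semantics are simplified to "any '|'-separated alternative is a substring" (both assumptions); the sample df lines are constructed in the form shown in the question.

```python
import re

# Simplified model of OSSEC <match> semantics (assumption): '|' separates
# alternatives, each alternative is a substring test, a leading '^' anchors it.
def ossec_match(pattern, text):
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if text.startswith(alt[1:]):
                return True
        elif alt in text:
            return True
    return False

# Rule chain under discussion, listed parent-first. 530/531 approximate the
# stock OSSEC ruleset (assumption); 100100 is the local rule from the answer.
RULES = [
    {"id": 530, "level": 0, "if_sid": None,
     "match": "ossec: output: '", "regex": None},
    {"id": 531, "level": 7, "if_sid": 530,
     "match": "ossec: output: 'df -P': /dev/", "regex": r"100%"},
    {"id": 100100, "level": 0, "if_sid": 531,
     "match": "cdrom|/media|usb|/mount|floppy|dvd|/dev/loop", "regex": None},
]

def evaluate(log):
    """Return (rule_id, level) of the deepest matching rule, or None."""
    matched = None
    for rule in RULES:
        # A child rule is only considered once its if_sid parent has matched.
        if rule["if_sid"] is not None and (matched is None or matched["id"] != rule["if_sid"]):
            continue
        if not ossec_match(rule["match"], log):
            continue
        if rule["regex"] and not re.search(rule["regex"], log):
            continue
        matched = rule
    return (matched["id"], matched["level"]) if matched else None

def alert_generated(log, threshold=1):
    """OSSEC alerts only when the final level reaches log_alert_level (default 1)."""
    result = evaluate(log)
    return result is not None and result[1] >= threshold

if __name__ == "__main__":
    # Constructed sample events in the form shown in the question
    SNAP_LOOP = "ossec: output: 'df -P': /dev/loop0  88704  88704  0  100% /snap/core/4486"
    ROOT_FULL = "ossec: output: 'df -P': /dev/sda1  20000000  20000000  0  100% /"
    print(evaluate(SNAP_LOOP), alert_generated(SNAP_LOOP))  # (100100, 0) False
    print(evaluate(ROOT_FULL), alert_generated(ROOT_FULL))  # (531, 7) True
```

A genuinely full root partition still reaches level 7, so the override is narrow to the media patterns in the local rule rather than silencing rule 531 outright.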