Cheers!

On Thursday, 16 June 2016 08:47:42 UTC+1, Jesus Linares wrote:
>
> Hi Tahir,
>
> I think there is no official way to do that. You could change the netstat command to show some special string when it is an initial environment and then if the output has that string, ignore it (using the proper alert).
>
> I hope it helps.
>
> Regards.
>
> On Monday, June 13, 2016 at 3:26:42 PM UTC+2, Tahir Hafiz wrote:
>>
>> We have a situation where we have an alert from ossec on an initial environment build which we wish to ignore. However, we only want to ignore the first alert and not subsequent similar alerts.
>>
>> Is there a way to whitelist (level=0, in the local_rules.xml file) some event for the first ten minutes only? And then have the alerts (level=7 in this case) as per usual.
>>
>> The alert is below:
>>
>> ** Alert 1465821827.92581: mail - ossec,
>> 2016 Jun 13 13:43:47 (monitoringxyz02) any->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
>> Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
>> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
>> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN
>> tcp6 0 0 :::22 :::* LISTEN
>> tcp6 0 0 :::25 :::* LISTEN
>> tcp6 0 0 :::5666 :::* LISTEN
>> Previous output:
>> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
>> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN
>> tcp6 0 0 :::22 :::* LISTEN
>> tcp6 0 0 :::25 :::* LISTEN
>> tcp6 0 0 :::443 :::* LISTEN
>> tcp6 0 0 :::5666 :::* LISTEN
>>
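Jesus's suggestion worked through as an added example (not from the thread and not OSSEC's stock configuration): the monitored command prints a marker line only while a flag file exists, and a local child rule drops the diff alert when that marker is present. The flag path /var/run/ossec-initial-build, its content INITIAL_BUILD_MARKER and rule ids 100533/100534 are assumptions; stock rule 533 matches the original command string literally, so the changed command needs its own diff rule under parent rule 530.

```xml
<!-- 1) ossec.conf on the agent. The build pipeline creates the flag file
     (assumed path) containing the single line INITIAL_BUILD_MARKER before
     provisioning starts and deletes it when provisioning is complete.
     The marker lives in the file, not in the command string, so it only
     appears in the output while the flag exists. -->
<localfile>
  <log_format>full_command</log_format>
  <command>if [ -f /var/run/ossec-initial-build ]; then cat /var/run/ossec-initial-build; fi; netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
</localfile>

<!-- 2) local_rules.xml on the manager (ids assumed; local ids must be
     100000 or higher). Rule 100533 replays what stock rule 533 does for
     the new command string; 100534 silences it while the marker is present. -->
<group name="ossec,">
  <rule id="100533" level="7">
    <if_sid>530</if_sid>
    <match>then cat /var/run/ossec-initial-build; fi; netstat -tan </match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened or closed).</description>
  </rule>

  <rule id="100534" level="0">
    <if_sid>100533</if_sid>
    <match>INITIAL_BUILD_MARKER</match>
    <description>Listened ports changed during initial environment build; ignored.</description>
  </rule>
</group>
```

Caveat: removing the flag file makes the marker line vanish from the next output, which check_diff records as one more change, so expect a single level-7 alert carrying the post-build port list at that point; from then on port changes alert as before.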