What hostname?. If you share your rules, you may help other user with the same issue.
Regards. On Tuesday, June 20, 2017 at 2:31:57 PM UTC+2, Fredrik Hilmersson wrote: > > Thanks alot Jesus, > > did solve it by creating two local rules one for rule 5715 matching the > srcip, > and one rule to match the hostname to ignore the 5501. > > Kind regards, > Fredrik > > Den tisdag 20 juni 2017 kl. 14:09:39 UTC+2 skrev Jesus Linares: >> >> Hi Fredrik, >> >> when you create a new ssh connection, the following alerts are generated: >> >> ** Alert 1497960059.10786: - >> syslog,sshd,authentication_success,pci_dss_10.2.5,2017 Jun 20 12:00:59 >> ip-10-0-0-10->/var/log/auth.log >> Rule: *5715 *(level 3) -> 'sshd: authentication success.'*Src IP: >> 10.10.10.10* >> User: root >> Jun 20 12:00:58 ip-10-0-0-10 sshd[2266]: Accepted publickey for root from >> 10.10.10.10 port 54950 ssh2: RSA >> 2d:b0:79:60:11:11:1c:b3:09:a4:1d:87:28:f2:64:11 >> ** Alert 1497960059.11162: - >> pam,syslog,authentication_success,pci_dss_10.2.5,2017 Jun 20 12:00:59 >> ip-10-0-0-10->/var/log/auth.log >> Rule: *5501 *(level 3) -> 'PAM: Login session opened.' >> User: root >> Jun 20 12:00:58 ip-10-0-0-10 sshd[2266]: pam_unix(sshd:session): session >> opened for user root by (uid=0) >> uid: 0 >> ** Alert 1497960059.11471: - >> syslog,sshd,authentication_success,pci_dss_10.2.5,2017 Jun 20 12:00:59 >> ip-10-0-0-10->/var/log/auth.log >> Rule: 5715 (level 3) -> 'sshd: authentication success.'*Src IP: 10.10.10.10* >> User: root >> Jun 20 12:00:58 ip-10-0-0-10 sshd[2268]: Accepted publickey for root from >> 10.10.10.10 port 54953 ssh2: RSA >> 2d:b0:79:60:11:11:1c:b3:09:a4:1d:87:28:f2:64:11 >> ** Alert 1497960059.11847: - >> pam,syslog,authentication_success,pci_dss_10.2.5,2017 Jun 20 12:00:59 >> ip-10-0-0-10->/var/log/auth.log >> Rule: *5501 *(level 3) -> 'PAM: Login session opened.' >> User: root >> Jun 20 12:00:58 ip-10-0-0-10 sshd[2268]: pam_unix(sshd:session): session >> opened for user root by (uid=0) >> uid: 0 >> >> >> >> As you can see, the alerts 5501 don't have *srcip*. For that reason your >> rule is not working. You can use *if_group* *sshd *in order to ignore: >> all ssh alerts with your IP (*if the IP is extracted as srcip*). >> >> I hope it helps. >> >> >> On Tuesday, June 20, 2017 at 1:53:41 PM UTC+2, Fredrik Hilmersson wrote: >>> >>> Hey Jesus, >>> >>> I'm only overwriting rule 5501 to increase its alert level to 7 (as I >>> test to use only send alert if 7 or < ). >>> >>> I did test the following: >>> >>> <rule id="100200" level="0"> >>> >>> <if_sid>5501</if_sid> >>> >>> <srcip>Remote IP</srcip> >>> >>> <description>Ignoring host remote IP</description> >>> >>> </rule> >>> >>> also: >>> >>> <rule id="100200" level="0"> >>> >>> <if_sid>5501</if_sid> >>> >>> <srcip>Remote IP</srcip> >>> <options>no_email_alert</options> >>> >>> <description>Ignoring host remote IP</description> >>> >>> </rule> >>> >>> However, I still get alerts sent to me when connecting to any ossec >>> agent through that remote host. >>> >>> Den måndag 19 juni 2017 kl. 16:27:47 UTC+2 skrev Jesus Linares: >>>> >>>> Your second rule is ignoring only alerts with level 2 and with your IP. >>>> I think you could use *if_sid*. >>>> >>>> Why are you overwriting the rule 5501?. >>>> >>>> Regards. >>>> >>>> >>>> >>>> On Monday, June 19, 2017 at 12:00:29 PM UTC+2, Fredrik Hilmersson wrote: >>>>> >>>>> Hello, >>>>> >>>>> So I got the following custom rule on the ossec server: >>>>> >>>>> <rule id="5501" level="7" overwrite="yes"> >>>>> >>>>> <if_sid>5500</if_sid> >>>>> >>>>> <match>session opened for user </match> >>>>> >>>>> <description>Login session opened.</description> >>>>> >>>>> <group>authentication_success,</group> >>>>> >>>>> </rule> >>>>> >>>>> Then afterwards I use the local rule on the ossec server to avoid >>>>> alert spam from a specific IP: >>>>> >>>>> <rule id="110000" level="0"> >>>>> >>>>> <if_level>2</if_level> >>>>> >>>>> <srcip>MYIP</srcip> >>>>> >>>>> <description>Ignoring ip MYIP</description> >>>>> >>>>> </rule> >>>>> >>>>> I tried with <match></match> instead of srcip but without success, the >>>>> ossec agents still generate alerts to my ossec server when connecting >>>>> from >>>>> MYIP. >>>>> >>>>> -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
