Of course, my bad. This is how I set it up.

<rule id="100202" level="0">
  <if_group>sshd</if_group>
  <match>MYIP</match>
  <options>no_email_alert</options>
  <description>Ignore rule 5715 for host </description>
</rule>

<rule id="100203" level="0">
  <if_sid>5501</if_sid>
  <hostname>agent server hostname (ex. webserver01)</hostname>
  <options>no_email_alert</options>
  <description>Ignore rule 5501 for host </description>
</rule>



On Wednesday, 21 June 2017 at 12:00:04 UTC+2, Jesus Linares wrote:
>
> What hostname?
>
> If you share your rules, you may help other users with the same issue.
>
> Regards.
>
> On Tuesday, June 20, 2017 at 2:31:57 PM UTC+2, Fredrik Hilmersson wrote:
>>
>> Thanks a lot Jesus,
>>
>> I solved it by creating two local rules: one for rule 5715 matching the 
>> srcip, and one rule matching the hostname to ignore the 5501.
>>
>> Kind regards,
>> Fredrik
>>
>> On Tuesday, 20 June 2017 at 14:09:39 UTC+2, Jesus Linares wrote:
>>>
>>> Hi Fredrik,
>>>
>>> when you create a new ssh connection, the following alerts are generated:
>>>
>>> ** Alert 1497960059.10786: - syslog,sshd,authentication_success,pci_dss_10.2.5,2017 Jun 20 12:00:59 ip-10-0-0-10->/var/log/auth.log
>>> Rule: 5715 (level 3) -> 'sshd: authentication success.'
>>> Src IP: 10.10.10.10
>>> User: root
>>> Jun 20 12:00:58 ip-10-0-0-10 sshd[2266]: Accepted publickey for root from 10.10.10.10 port 54950 ssh2: RSA 2d:b0:79:60:11:11:1c:b3:09:a4:1d:87:28:f2:64:11
>>>
>>> ** Alert 1497960059.11162: - pam,syslog,authentication_success,pci_dss_10.2.5,2017 Jun 20 12:00:59 ip-10-0-0-10->/var/log/auth.log
>>> Rule: 5501 (level 3) -> 'PAM: Login session opened.'
>>> User: root
>>> Jun 20 12:00:58 ip-10-0-0-10 sshd[2266]: pam_unix(sshd:session): session opened for user root by (uid=0)
>>> uid: 0
>>>
>>> ** Alert 1497960059.11471: - syslog,sshd,authentication_success,pci_dss_10.2.5,2017 Jun 20 12:00:59 ip-10-0-0-10->/var/log/auth.log
>>> Rule: 5715 (level 3) -> 'sshd: authentication success.'
>>> Src IP: 10.10.10.10
>>> User: root
>>> Jun 20 12:00:58 ip-10-0-0-10 sshd[2268]: Accepted publickey for root from 10.10.10.10 port 54953 ssh2: RSA 2d:b0:79:60:11:11:1c:b3:09:a4:1d:87:28:f2:64:11
>>>
>>> ** Alert 1497960059.11847: - pam,syslog,authentication_success,pci_dss_10.2.5,2017 Jun 20 12:00:59 ip-10-0-0-10->/var/log/auth.log
>>> Rule: 5501 (level 3) -> 'PAM: Login session opened.'
>>> User: root
>>> Jun 20 12:00:58 ip-10-0-0-10 sshd[2268]: pam_unix(sshd:session): session opened for user root by (uid=0)
>>> uid: 0
>>>
>>>
>>>
>>> As you can see, the 5501 alerts don't have a srcip. For that reason 
>>> your rule is not working. You can use if_group sshd in order to 
>>> ignore all ssh alerts with your IP (if the IP is extracted as srcip).
>>>
>>> I hope it helps.
>>>
>>>
>>> On Tuesday, June 20, 2017 at 1:53:41 PM UTC+2, Fredrik Hilmersson wrote:
>>>>
>>>> Hey Jesus,
>>>>
>>>> I'm only overwriting rule 5501 to increase its alert level to 7 (as I 
>>>> test to use only send alert if 7 or < ).
>>>>
>>>> I did test the following:
>>>>
>>>> <rule id="100200" level="0">
>>>>   <if_sid>5501</if_sid>
>>>>   <srcip>Remote IP</srcip>
>>>>   <description>Ignoring host remote IP</description>
>>>> </rule>
>>>>
>>>> also:
>>>>
>>>> <rule id="100200" level="0">
>>>>   <if_sid>5501</if_sid>
>>>>   <srcip>Remote IP</srcip>
>>>>   <options>no_email_alert</options>
>>>>   <description>Ignoring host remote IP</description>
>>>> </rule>
>>>>
>>>> However, I still get alerts sent to me when connecting to any OSSEC 
>>>> agent through that remote host.
>>>>
>>>> On Monday, 19 June 2017 at 16:27:47 UTC+2, Jesus Linares wrote:
>>>>>
>>>>> Your second rule is ignoring only alerts with level 2 and with your 
>>>>> IP. I think you could use *if_sid*.
>>>>>
>>>>> Why are you overwriting the rule 5501?
>>>>>
>>>>> Regards.
>>>>>
>>>>>
>>>>>
>>>>> On Monday, June 19, 2017 at 12:00:29 PM UTC+2, Fredrik Hilmersson 
>>>>> wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> So I have the following custom rule on the OSSEC server:
>>>>>>
>>>>>>  <rule id="5501" level="7" overwrite="yes">
>>>>>>    <if_sid>5500</if_sid>
>>>>>>    <match>session opened for user </match>
>>>>>>    <description>Login session opened.</description>
>>>>>>    <group>authentication_success,</group>
>>>>>>  </rule>
>>>>>>
>>>>>> Then afterwards I use a local rule on the OSSEC server to avoid 
>>>>>> alert spam from a specific IP:
>>>>>>
>>>>>>  <rule id="110000" level="0">
>>>>>>    <if_level>2</if_level>
>>>>>>    <srcip>MYIP</srcip>
>>>>>>    <description>Ignoring ip MYIP</description>
>>>>>>  </rule>
>>>>>>
>>>>>> I tried with <match></match> instead of srcip but without success; 
>>>>>> the OSSEC agents still generate alerts to my OSSEC server when 
>>>>>> connecting from MYIP.
>>>>>>
>>>>>>

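The core of Jesus's explanation above is that a rule condition on a decoded field the decoder never filled in (srcip on a pam_unix line) can never match, while a `<match>` on the raw log text or a `<hostname>` condition can. The following is an added example, not OSSEC's code: a small Python model of how a level-0 child rule is selected for a decoded alert, run over two constructed alerts modelled on the sshd and PAM lines quoted in the thread. The field set it models (if_sid, if_group, srcip, hostname, match) and its treatment of `<match>` as a plain substring test are simplifications; real OSSEC walks a rule tree, applies its own pattern syntax and decodes many more fields. The IP 10.10.10.10 stands in for MYIP.

```python
"""Simplified model of OSSEC child-rule selection (added example, not OSSEC code).

Only the rule fields used in the thread are modelled, and <match> is treated
as a substring test on the raw log line. The point demonstrated: a <srcip>
condition under if_sid 5501 can never fire, because the PAM "session opened"
line is decoded without a source IP.
"""

MYIP = "10.10.10.10"  # the IP from the thread's alerts, standing in for MYIP

# Constructed alerts modelled on the two alert types quoted in the thread.
SSHD_ALERT = {
    "sid": 5715, "level": 3,
    "groups": {"syslog", "sshd", "authentication_success"},
    "hostname": "ip-10-0-0-10",
    "srcip": "10.10.10.10",   # decoded from "... from 10.10.10.10 port ..."
    "log": "Jun 20 12:00:58 ip-10-0-0-10 sshd[2266]: Accepted publickey for root "
           "from 10.10.10.10 port 54950 ssh2: RSA "
           "2d:b0:79:60:11:11:1c:b3:09:a4:1d:87:28:f2:64:11",
}
PAM_ALERT = {
    "sid": 5501, "level": 3,
    "groups": {"pam", "syslog", "authentication_success"},
    "hostname": "ip-10-0-0-10",
    "srcip": None,            # the pam_unix line carries no source IP at all
    "log": "Jun 20 12:00:58 ip-10-0-0-10 sshd[2266]: pam_unix(sshd:session): "
           "session opened for user root by (uid=0)",
}


def rule_matches(rule, alert):
    """True if every condition present in `rule` holds for the decoded `alert`."""
    if "if_sid" in rule and alert["sid"] != rule["if_sid"]:
        return False
    if "if_group" in rule and rule["if_group"] not in alert["groups"]:
        return False
    # An undecoded field (None) never equals the rule's value, so the
    # condition silently fails rather than erroring: this is the trap.
    if "srcip" in rule and alert["srcip"] != rule["srcip"]:
        return False
    if "hostname" in rule and alert["hostname"] != rule["hostname"]:
        return False
    # Simplification: <match> as a substring test on the raw log text.
    if "match" in rule and rule["match"] not in alert["log"]:
        return False
    return True


def final_level(alert, local_rules):
    """Level after local rules: the first matching child rule wins, else the parent level."""
    for rule in local_rules:
        if rule_matches(rule, alert):
            return rule["level"]
    return alert["level"]


# The thread's first attempt: a level-0 child of 5501 keyed on srcip.
SRCIP_ATTEMPT = [
    {"id": 100200, "level": 0, "if_sid": 5501, "srcip": MYIP},
]

# The pair that worked: match the IP in the log text of any sshd alert, and
# silence 5501 for the known agent by hostname (no srcip needed).
WORKING_RULES = [
    {"id": 100202, "level": 0, "if_group": "sshd", "match": MYIP},
    {"id": 100203, "level": 0, "if_sid": 5501, "hostname": "ip-10-0-0-10"},
]


if __name__ == "__main__":
    for name, rules in (("srcip attempt", SRCIP_ATTEMPT), ("working rules", WORKING_RULES)):
        for alert in (SSHD_ALERT, PAM_ALERT):
            print(f"{name}: rule {alert['sid']} -> final level {final_level(alert, rules)}")
```

Two caveats worth keeping in mind when copying the working pair into local_rules.xml. First, the hostname rule silences rule 5501 for every session opened on that agent, not only sessions from MYIP, so it trades away more visibility than the srcip-based rule would have; the `<match>` rule on the sshd group is the narrower of the two. Second, a substring match on an IP also matches longer addresses that start with the same digits (10.10.10.10 is a prefix of 10.10.10.100), so anchor the pattern or include the trailing " port" text, and confirm the final levels by feeding the quoted log lines through ossec-logtest before relying on the rules.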