Hi,

Thanks a lot for the offers. There are 2 messages that are generated when that happens. Here's an example of the messages below:

sshd[25624]: error: channel_setup_fwd_listener: cannot listen to port:
sshd[25624]: error: bind: Address already in use

The only thing that changes is the PID of the SSHd.

Thanks again,
Steve Johnson

Daniel Cid wrote:
> Hi Steve,
>
> A lot of people have problems finding stuff on our wiki, but we plan to keep
> improving it (and any help is welcome). As Michael said, you can send the log
> entries to the list so we can help you out, or you can use the following documents
> from our FAQ:
>
> http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
> http://www.ossec.net/wiki/index.php/Know_How:CorrelateSnort
>
> Also, my presentation at AusCERT/Confidence can be of help too:
>
> http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
>
> Hope it helps,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 6/21/07, Steve Johnson <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> There is a syslog message that triggers rule 1002 for syslog, which is
>> about alerting on a certain keyword. The message happens when we try to
>> set up an ssh tunnel when the port has already been used by someone else
>> and has the keyword "error" generated by sshd. I don't want to remove
>> the keyword from rule 1002, or even less ignore the rule completely, but
>> I was wondering if there was a way to whitelist certain specific syslog
>> messages? I could not find the information in the wiki, so I hope I
>> didn't just overlook it :-)
>>
>> Thanks,
>> Steve Johnson
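The whitelist Steve is asking for is normally done in OSSEC with a local rule that depends on rule 1002 and sets level 0 for the specific message text, so the generic "error" keyword rule stays intact for everything else. The following local_rules.xml fragment is an added example written for this thread; it is not code from the list, from OSSEC itself or from the linked wiki page. It assumes rule id 100010 is unused in the local range (100000-119999), that the two messages are decoded by the standard syslog decoder with program name sshd, and that local_rules.xml is loaded after syslog_rules.xml (the default ordering), so that if_sid 1002 resolves.

```xml
<!-- Added example, not from the thread: silence only the two sshd messages
     quoted above while leaving OSSEC rule 1002 active for all other "error"
     lines. Rule id 100010 is assumed free in the 100000-119999 local range. -->
<group name="local,syslog,sshd,">

  <!-- Evaluated only after rule 1002 has already matched (if_sid), and only
       for lines whose decoded program name is sshd. The match is a substring
       test; "|" is an OR, so the one rule covers both messages of the pair.
       level="0" means the event is never alerted on and never logged. -->
  <rule id="100010" level="0">
    <if_sid>1002</if_sid>
    <program_name>sshd</program_name>
    <match>channel_setup_fwd_listener: cannot listen to port|bind: Address already in use</match>
    <description>Ignore sshd port-forward listener failure (port already in use)</description>
  </rule>

</group>
```

Before restarting the daemon, paste each of the two lines into /var/ossec/bin/ossec-logtest: the output should show rule 100010 at level 0 for both, and rule 1002 at its normal level for any other sshd "error" line. Matching on the full message text rather than on "error" alone is what keeps the whitelist narrow; the varying PID is not part of the match, so it does not matter. Note that a level-0 rule drops the event entirely, so if these lines should still be kept for later forensics, set logall in ossec.conf rather than relying on the alert log.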