Hey Mark,

If the IP is not being decoded, you need to use the "match" tag instead of "srcip". You may also want to use "if_level" to determine when to check for your rule.

Take a look at the following entry in our FAQ (should help): http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules#Ignoring_a_specific_IP

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Nov 29, 2007 10:09 AM, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Hello,
>
> I have just started testing ossec for my work environment and I am
> trying to ignore our vulnerability scanner. Unfortunately, I am still
> getting alerts regarding this host. Below is the rule I am using in
> local_rules.xml and the logs I am monitoring in ossec.conf, then the
> entries in alerts.log and the actual log message from syslog.
>
> It looks like the decoder is not getting the srcip from the message.
> Am I missing something?
>
> Thanks in advance.
> Mark
>
> conf files --
>
> local_rules.xml
> <group name="local">
>   <rule id="100101" level="0">
>     <srcip>10.100.25.188</srcip>
>     <description>Ignoring Vulnerability Scanner</description>
>   </rule>
> </group>
>
> ossec.conf
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/log/messages</location>
> </localfile>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/log/maint.log</location>
> </localfile>
> <localfile>
>   <log_format>syslog</log_format>
>   <location>/var/log/mail.info</location>
> </localfile>
> <localfile>
>   <log_format>apache</log_format>
>   <location>/usr/local/httpd/logs/error_log</location>
> </localfile>
> <localfile>
>   <log_format>apache</log_format>
>   <location>/usr/local/httpd/logs/access_log</location>
> </localfile>
>
> ---
> alerts.log
>
> ** Alert 1196343759.233092: - syslog,sshd,recon,
> 2007 Nov 29 08:42:39 server-ws03->/var/log/messages
> Rule: 5706 (level 6) -> 'SSH insecure connection attempt (scan).'
> Src IP: (none)
> User: (none)
> Nov 29 08:42:39 server-ws03 sshd[5035]: Did not receive identification string from 10.100.25.188
>
> ** Alert 1196343761.233390: mail - syslog,sshd,
> 2007 Nov 29 08:42:41 server-ws03->/var/log/messages
> Rule: 5701 (level 8) -> 'Possible attack on the ssh server (or version gathering).'
> Src IP: (none)
> User: (none)
> Nov 29 08:42:39 server-ws03 sshd[5036]: Bad protocol version identification 'QUIT' from 10.100.25.188
>
> ---
> syslog message
>
> Nov 29 08:42:39 server-ws03 sshd[5035]: Did not receive identification string from 10.100.25.188
> Nov 29 08:42:39 server-ws03 sshd[5036]: Bad protocol version identification 'QUIT' from 10.100.25.188
>
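A corrected local_rules.xml entry following the advice in the reply, added here as an example (it is not from the thread or from the FAQ page it links to). It uses if_sid with the two rule ids visible in the alerts above instead of if_level, and assumes OSSEC's <match> semantics: a plain substring comparison against the whole log line, with '.' taken literally and '$' anchoring the end of the line.

```xml
<!-- Added example: ignore rule for the scanner host, using <match> instead of <srcip> -->
<group name="local,syslog,sshd,">
  <rule id="100101" level="0">
    <!-- Only evaluate this rule after 5701 or 5706 (the two sshd rules that fired above) matched -->
    <if_sid>5701,5706</if_sid>
    <!-- The sshd decoder did not fill in srcip for these messages ("Src IP: (none)"),
         so <srcip> can never match. <match> is compared against the full log line instead.
         The '$' anchor keeps a longer address such as 10.100.25.1881 from being ignored too. -->
    <match>from 10.100.25.188$</match>
    <description>Ignoring vulnerability scanner 10.100.25.188</description>
  </rule>
</group>
```

After restarting OSSEC, pasting one of the quoted syslog lines into ossec-logtest should now report rule 100101 at level 0 instead of 5706 or 5701.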
