Daniel, Thanks! I can't believe I missed that. I added that to the local_rules and it worked like a charm.
Have a great weekend!

Thanks,
Mark

On Dec 6, 2007 9:07 PM, Daniel Cid <[EMAIL PROTECTED]> wrote:
>
> Hey Mark,
>
> If the IP is not being decoded, you need to use the "match" tag
> instead of "srcip". You may also want to use "if_level" to determine
> when to check for your rule.
>
> Take a look at the following entry in our FAQ (should help):
>
> http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules#Ignoring_a_specific_IP
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On Nov 29, 2007 10:09 AM, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > Hello,
> >
> > I have just started testing ossec for my work environment and I am
> > trying to ignore our vulnerability scanner. Unfortunately, I am still
> > getting alerts regarding this host. Below is the rule I am using in
> > local_rules.xml and the logs I am monitoring in ossec.conf, then the
> > entries in the alerts.log and the actual log message from syslog.
> >
> > It looks like the decoder is not getting the srcip from the message.
> > Am I missing something?
> >
> > Thanks in advance.
> > Mark
> >
> > conf files --
> >
> > local_rules.xml
> > <group name="local">
> >   <rule id="100101" level="0">
> >     <srcip>10.100.25.188</srcip>
> >     <description>Ignoring Vulnerability Scanner</description>
> >   </rule>
> > </group>
> >
> > ossec.conf
> > <localfile>
> >   <log_format>syslog</log_format>
> >   <location>/var/log/messages</location>
> > </localfile>
> > <localfile>
> >   <log_format>syslog</log_format>
> >   <location>/var/log/maint.log</location>
> > </localfile>
> > <localfile>
> >   <log_format>syslog</log_format>
> >   <location>/var/log/mail.info</location>
> > </localfile>
> > <localfile>
> >   <log_format>apache</log_format>
> >   <location>/usr/local/httpd/logs/error_log</location>
> > </localfile>
> > <localfile>
> >   <log_format>apache</log_format>
> >   <location>/usr/local/httpd/logs/access_log</location>
> > </localfile>
> >
> > ---
> > alerts.log
> >
> > ** Alert 1196343759.233092: - syslog,sshd,recon,
> > 2007 Nov 29 08:42:39 server-ws03->/var/log/messages
> > Rule: 5706 (level 6) -> 'SSH insecure connection attempt (scan).'
> > Src IP: (none)
> > User: (none)
> > Nov 29 08:42:39 server-ws03 sshd[5035]: Did not receive identification string from 10.100.25.188
> >
> > ** Alert 1196343761.233390: mail - syslog,sshd,
> > 2007 Nov 29 08:42:41 server-ws03->/var/log/messages
> > Rule: 5701 (level 8) -> 'Possible attack on the ssh server (or version gathering).'
> > Src IP: (none)
> > User: (none)
> > Nov 29 08:42:39 server-ws03 sshd[5036]: Bad protocol version identification 'QUIT' from 10.100.25.188
> >
> > ---
> > syslog message
> >
> > Nov 29 08:42:39 server-ws03 sshd[5035]: Did not receive identification string from 10.100.25.188
> > Nov 29 08:42:39 server-ws03 sshd[5036]: Bad protocol version identification 'QUIT' from 10.100.25.188
> >
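The fix Daniel points at, written out as an added example (the thread does not show the rule Mark actually committed, so this is not his). Because the sshd decoder leaves "Src IP: (none)" for these two messages, the rule cannot match on srcip; it matches the address as a string in the log line instead and is only evaluated once an sshd alert has already fired. The level threshold of 6 (the lower of the two alerts seen) and the trailing "$" anchor are my choices.

```xml
<!-- local_rules.xml: suppress the sshd alerts produced by the vulnerability
     scanner at 10.100.25.188. Added example, not the rule from the thread.
     <match> is a plain string test against the log line; only ^, $ and |
     are special in it, so the dots in the address need no escaping. -->
<group name="local">
  <rule id="100101" level="0">
    <!-- Checked only after a rule of level 6 or higher has already matched
         (5706 is level 6, 5701 is level 8). This keeps the exception from
         silencing unrelated, lower-level events from the same host. -->
    <if_level>6</if_level>
    <!-- "from <ip>" at end of line: without the $ anchor a shorter address
         such as 10.100.25.18 would also be treated as a match. -->
    <match>from 10.100.25.188$</match>
    <description>Ignoring Vulnerability Scanner</description>
  </rule>
</group>
```

Level 0 drops the alert outright; if a record of the scanner's activity is still wanted, a low non-zero level (for example 1) keeps it in alerts.log while the if_level scope above still stops the level 6 and 8 alerts.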
