Hi Daniel and Peter,

thanks for your quick response, it's solved. Now I understand my mistake
with the overwriting rule. I decided to try Daniel's suggestion, because it is
IMHO the simplest. With the configuration below I can confirm that this is
working like a charm ;-)

Thank you very much.


Peter

PS: My email alert notification is set to level 7, so I decided to
overwrite this rule to level 6.

----
ossec.conf:

<!-- SSHD brute force trying to get access to the system -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100161</rules_id>
    <timeout>240</timeout>
  </active-response>
...

local_rules.xml:

  <!-- Child rule of 5712: when it matches, the alert is reported as 100161 at
       level 6, below the level-7 email threshold, and triggers the response above -->
  <rule id="100161" level="6">
    <if_sid>5712</if_sid>
    <description>Disable email notify for rule id 5712: SSHD brute force trying to get access to the system</description>
  </rule>
...
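The mismatch Daniel diagnosed (an active-response keyed on a base rule id that a local child rule takes over) is easy to check mechanically. The script below is an added example, not code from the thread or from OSSEC; it parses a constructed local_rules.xml and ossec.conf fragment and warns about every rules_id that a local if_sid child would shadow, while skipping overwrite="yes" rules, which keep the original id.

```python
import xml.etree.ElementTree as ET

# Constructed local_rules.xml modelled on the thread: 100160 is a child of 5712.
LOCAL_RULES = """<group name="local,syslog,">
  <rule id="100160" level="6">
    <if_sid>5712</if_sid>
    <description>Silence email for SSHD brute force (child of 5712)</description>
  </rule>
</group>"""

# Constructed ossec.conf fragments: the one from the question and the fixed one.
BROKEN_CONF = """<ossec_config><active-response>
  <command>firewall-drop</command><location>local</location>
  <rules_id>5712</rules_id><timeout>240</timeout>
</active-response></ossec_config>"""
FIXED_CONF = BROKEN_CONF.replace("<rules_id>5712<", "<rules_id>100160<")


def child_rules(rules_xml):
    """Map base rule id -> local child ids that hook it via <if_sid>.

    Rules with overwrite="yes" are skipped: they replace the original under the
    same id, so an active-response keyed on that id keeps working."""
    children = {}
    for rule in ET.fromstring(rules_xml).iter("rule"):
        if rule.get("overwrite") == "yes":
            continue
        for if_sid in rule.findall("if_sid"):
            for parent in (p.strip() for p in (if_sid.text or "").split(",")):
                if parent:
                    children.setdefault(parent, []).append(rule.get("id"))
    return children


def check_active_response(conf_xml, rules_xml):
    """Return one warning per <rules_id> entry that a local child rule shadows.

    When the child matches, the alert carries the child's id, so a response
    keyed on the parent id never triggers (Daniel's diagnosis in the thread)."""
    children = child_rules(rules_xml)
    warnings = []
    for ar in ET.fromstring(conf_xml).iter("active-response"):
        for rid in (r.strip() for r in (ar.findtext("rules_id") or "").split(",")):
            if rid and rid in children:
                warnings.append(f"rules_id {rid} is shadowed by local rule(s) "
                                f"{','.join(children[rid])}; key the response on those")
    return warnings


if __name__ == "__main__":
    for w in check_active_response(BROKEN_CONF, LOCAL_RULES):
        print("WARNING:", w)
    print("fixed config warnings:", check_active_response(FIXED_CONF, LOCAL_RULES))
```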



On Tue, 2008-05-13 at 15:00 -0300, Daniel Cid wrote:

> Hi Peter,
> 
> Very good suggestion. Plus, the reason why it is not working is
> because the rule 5712 is never
> firing, since you have a local rule (100160) overwriting it...
> 
> You will need to change your active response config to be:
> 
>  <active-response>
>    <command>firewall-drop</command>
>    <location>local</location>
>    <rules_id>100160</rules_id>
>    <timeout>240</timeout>
>  </active-response>
> 
> 
> Thanks,
> 
> 
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
> 
> 
> On Tue, May 13, 2008 at 12:37 PM, Peter M. Abraham
> <[EMAIL PROTECTED]> wrote:
> >
> >  Greetings Peter:
> >
> >  If all you are doing is taking the same rule but wanting to change the
> >  level to avoid notification, then copy the rule to local_rules.xml and
> >  use the
> >  overwrite="yes" option.
> >
> >  Example:
> >
> >  <group name="syslog,vpopmail,">
> >   <rule id="9951" level="10" frequency="20" timeframe="60"
> >  overwrite="yes">
> >     <if_matched_sid>9901</if_matched_sid>
> >     <same_source_ip />
> >     <description>POP3 brute force (multiple failed logins).</description>
> >     <group>authentication_failures,</group>
> >   </rule>
> >
> >   <rule id="9952" level="10" frequency="20" timeframe="60"
> >  overwrite="yes">
> >     <if_matched_sid>9902</if_matched_sid>
> >     <same_source_ip />
> >     <description>POP3 brute force (email harvesting).</description>
> >     <group>authentication_failures,</group>
> >   </rule>
> >  </group>
> >
> >  Then restart ossec.
> >
> >  Thank you.
> >
