Happy New Year Dimitri. White-listed hosts won't be affected by active-response.
You can write a rule to tune out this false positive. Firstly 31151 is fired when 31101 is triggered too many times, so you can write it against either. I would suggest to write it against 31101. Then you can either seek for some text like "rci_command" or since in your case you only want to bypass the rule for certain hosts you can use srcip. For example, in local_rules.xml: <rule id="131101" level="0"> <if_sid>31101</if_sid> <hostname>hingam</hostname> <match>rci_command</match> <srcip>72.93.103.87</srcip> <description>ignore 404 for rci_command for certain hosts</description> </rule> This says that if 31101 (404 error) is triggered on server hingam and matches rci_command and the source of the request was that IP address, set the event level to 0. Not all of these are required! Please consult documentation on srcip if you need to make it a range of hosts. HTH, Rick -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Dimitri Yioulos Sent: Tuesday, January 06, 2009 4:30 PM To: [email protected] Subject: [ossec-list] Preventing locally triggered rule Importance: Low Hello to all, and a most Happy New Year! I'm not sure if the subject of my post is accurate, but here's what I'm after. Our Web server has been set up as a conduit by which to ping GPS devices via our business application. When any of our LAN hosts do a ping, I get the following notification from OH: OSSEC HIDS Notification. 2009 Jan 06 16:04:36 Received From: (hingham) 192.168.1.3->/etc/httpd/logs/access_log Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip." Portion of the log(s): 72.93.103.87 - - [06/Jan/2009:16:04:34 -0500] "GET /rci/rci_command_563.txt HTTP/1.1" 404 8611 "-" "PowerBuilder" 72.93.103.87 - - [06/Jan/2009:16:04:34 -0500] "GET /rci/rci_command_563.txt HTTP/1.1" 404 8611 "-" "PowerBuilder" 72.93.103.87 - - [06/Jan/2009:16:04:17 -0500] "GET /rci/rci_command_563.txt HTTP/1.1" 404 8611 "-" "PowerBuilder" 72.93.103.87 - - [06/Jan/2009:16:04:17 -0500] "GET /rci/rci_command_563.txt HTTP/1.1" 404 8611 "-" "PowerBuilder" 72.93.103.87 - - [06/Jan/2009:16:04:01 -0500] "GET /rci/rci_command_563.txt HTTP/1.1" 404 8611 "-" "PowerBuilder" 72.93.103.87 - - [06/Jan/2009:16:04:01 -0500] "GET /rci/rci_command_563.txt HTTP/1.1" 404 8611 "-" "PowerBuilder" 72.93.103.87 - - [06/Jan/2009:16:03:34 -0500] "GET /rci/rci_command_563.txt HTTP/1.1" 404 8611 "-" "PowerBuilder" 72.93.103.87 - - [06/Jan/2009:16:03:34 -0500] "GET /rci/rci_command_563.txt HTTP/1.1" 404 8611 "-" "PowerBuilder" 72.93.103.87 - - [06/Jan/2009:16:03:10 -0500] "GET /rci/rci_command_563.txt HTTP/1.1" 404 8611 "-" "PowerBuilder" 72.93.103.87 - - [06/Jan/2009:16:03:10 -0500] "GET /rci/rci_command_563.txt HTTP/1.1" 404 8611 "-" "PowerBuilder" --END OF NOTIFICATION I'd like to prevent the rule being triggered by our LAN hosts (or, at least, stop the notifications). I whitelisted various hosts in ossec.conf, but that didn't work (and I probably don't really get the true purpose of whitelisting, to boot). Can someone help me out? Thanks. Dimitri -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. This message contains TMA Resources confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.
