Hi Mark,

This event #11 is a bit special, since it is created internally and we don't have a rule for it. The way to ignore those is by setting the <stats> flag in the ossec.conf. If you change it to 0, these events will be ignored.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Mar 30, 2009 at 11:01 AM, Mark C <[email protected]> wrote:
>
> Hi all,
>
> Sorry to respond to my own post but this problem is really bugging
> me. Could someone at least show me the rule you use to ignore rule
> #11? ("Excessive number of events (above normal).")
>
> On Mar 25, 8:37 am, Mark C <[email protected]> wrote:
>> Hi all,
>>
>> I'm fairly new to OSSEC but I think I understand how to create rules
>> to ignore certain rules. I have
>> read http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
>>
>> Here are 2 rules I'm having a problem with.
>>
>> Received From: (jack-3.xxx.xxx) xxx.xxx.150.168->/var/log/maillog
>> Rule: 11 fired (level 8) -> "Excessive number of events (above normal)."
>> Portion of the log(s):
>>
>> The average number of logs between 19:00 and 20:00 is 15678. We
>> reached 20383.
>>
>> So, I add the below into /var/ossec/rules/local_rules.xml on the
>> server, and restart OSSEC on the server:
>>
>> <rule id="100028" level="0">
>>   <if_sid>11</if_sid>
>>   <hostname>jack-3</hostname>
>>   <description>Ignoring</description>
>> </rule>
>>
>> When OSSEC starts, I get this error:
>>
>> Starting OSSEC HIDS v2.0 (by Third Brigade, Inc.)...
>> 2009/03/24 15:11:24 rules_list: Signature ID '11' not found. Invalid 'if_sid'.
>> ossec-analysisd: Configuration error. Exiting
>>
>> I have many rules very similar to this - is something wrong with my
>> syntax?
>>
>> The 2nd rule I'm having a problem matching is this:
>>
>> Received From: (sloth.xxx.xxx) xxx.xxx.143.180->/var/log/auth.log
>> Rule: 5551 fired (level 10) -> "Multiple failed logins in a small
>> period of time."
>> Portion of the log(s):
>>
>> Mar 25 06:27:15 sloth sshd[5896]: (pam_unix) authentication failure;
>> logname= uid=0 euid=0 tty=ssh ruser= rhost=gw.digitalsheep.co.jp
>> user=root
>>
>> <rule id="100017" level="0">
>>   <if_sid>5551,5720,5712,5703</if_sid>
>>   <hostname>sloth</hostname>
>>   <description>Ignoring ssh brute force attacks</description>
>> </rule>
>>
>> I don't get an error with this one, but I still receive alerts.
>>
>> The dozens of other rules I have work as expected, so I'm at a
>> complete loss here. "sloth" is also not the only agent I have
>> problems with. sloth is on Ubuntu, and I have some other clients with
>> similar issues on CentOS.
>>
>> Any help is appreciated! :)
>
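As an added illustration of the fix Daniel describes (this is not text from either poster, nor an OSSEC project file), here is the ossec.conf change that silences the internal "Excessive number of events" alert. The <stats> option lives in the <global> section of ossec.conf and sets the alert level for OSSEC's hourly event-count statistics; its default of 8 is the level shown in the alert Mark quoted, and 0 turns the alert off. The file path and the rest of the <global> contents are assumptions for illustration.

```xml
<!-- /var/ossec/etc/ossec.conf on the OSSEC server. Added example, not from the thread. -->
<ossec_config>
  <global>
    <!-- Before: the default level for the internal stats alert. OSSEC raises
         this event itself (it shows up as rule id 11) when the hourly log count
         exceeds the learned average, so there is no rule definition for it and
         a local rule with <if_sid>11</if_sid> fails to load, as seen above. -->
    <!-- <stats>8</stats> -->

    <!-- After: level 0 disables the stats alert entirely. -->
    <stats>0</stats>
  </global>
</ossec_config>
```

After editing, restart the manager (`/var/ossec/bin/ossec-control restart`) and check /var/ossec/logs/ossec.log for any ossec-analysisd configuration errors. Because the option sits in <global>, it applies to every agent reporting to this manager, not just jack-3.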
