In addition, as mentioned in the OP... I have this rule:
<rule id="100029" level="0">
  <if_sid>5712</if_sid>
  <hostname>sloth</hostname>
  <hostname>lmp-a</hostname>
  <hostname>lmp-b</hostname>
  <description>Ignoring "SSHD brute force trying to get access to the system."</description>
</rule>

And still get this alert:

Received From: (sloth.xxx.xxx) xxx.xxx.143.180->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

Am I doing something wrong?

On Mar 30, 4:19 pm, Mark C <[email protected]> wrote:
> Daniel,
>
> I'm not sure I understand exactly how to use <stats> based on
> http://www.ossec.net/main/manual/configuration-options/#global_options
> but I see that <stats> is in the global section. I only want to
> ignore rule #11 ("Excessive number of events (above normal).") if it's
> triggered by a single specific log file - in this case, maillog. I
> want all log files except maillog to be able to trigger this.
>
> On Mar 30, 2:30 pm, Daniel Cid <[email protected]> wrote:
> > Hi Mark,
> >
> > This event #11 is a bit special, since it is created internally and we
> > don't have a rule for it. The way to ignore those is by setting the
> > <stats> flag in the ossec.conf. If you change it to 0, these events
> > will be ignored.
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On Mon, Mar 30, 2009 at 11:01 AM, Mark C <[email protected]> wrote:
> > > Hi all,
> > >
> > > Sorry to respond to my own post but this problem is really bugging
> > > me. Could someone at least show me the rule you use to ignore rule
> > > #11? ("Excessive number of events (above normal).")
> > >
> > > On Mar 25, 8:37 am, Mark C <[email protected]> wrote:
> > > > Hi all,
> > > >
> > > > I'm fairly new to OSSEC but I think I understand how to create rules
> > > > to ignore certain rules. I have read
> > > > http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
> > > >
> > > > Here are 2 rules I'm having a problem with.
> > > >
> > > > Received From: (jack-3.xxx.xxx) xxx.xxx.150.168->/var/log/maillog
> > > > Rule: 11 fired (level 8) -> "Excessive number of events (above normal)."
> > > > Portion of the log(s):
> > > >
> > > > The average number of logs between 19:00 and 20:00 is 15678. We
> > > > reached 20383.
> > > >
> > > > So, I add the below into /var/ossec/rules/local_rules.xml on the
> > > > server, and restart OSSEC on the server:
> > > >
> > > > <rule id="100028" level="0">
> > > >   <if_sid>11</if_sid>
> > > >   <hostname>jack-3</hostname>
> > > >   <description>Ignoring</description>
> > > > </rule>
> > > >
> > > > When OSSEC starts, I get this error:
> > > >
> > > > Starting OSSEC HIDS v2.0 (by Third Brigade, Inc.)...
> > > > 2009/03/24 15:11:24 rules_list: Signature ID '11' not found. Invalid 'if_sid'.
> > > > ossec-analysisd: Configuration error. Exiting
> > > >
> > > > I have many rules very similar to this - is something wrong with my
> > > > syntax?
> > > >
> > > > The 2nd rule I'm having a problem matching is this:
> > > >
> > > > Received From: (sloth.xxx.xxx) xxx.xxx.143.180->/var/log/auth.log
> > > > Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of time."
> > > > Portion of the log(s):
> > > >
> > > > Mar 25 06:27:15 sloth sshd[5896]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gw.digitalsheep.co.jp user=root
> > > >
> > > > <rule id="100017" level="0">
> > > >   <if_sid>5551,5720,5712,5703</if_sid>
> > > >   <hostname>sloth</hostname>
> > > >   <description>Ignoring ssh brute force attacks</description>
> > > > </rule>
> > > >
> > > > I don't get an error with this one, but I still receive alerts.
> > > >
> > > > The dozens of other rules I have work as expected, so I'm at a
> > > > complete loss here. "sloth" is also not the only agent I have
> > > > problems with. sloth is on Ubuntu, and I have some other clients with
> > > > similar issues on CentOS.
> > > >
> > > > Any help is appreciated! :)
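Two things in this thread can be checked before restarting ossec-analysisd: whether every <if_sid> in local_rules.xml points at an ID that some loaded rule file actually defines (event 11 is generated internally, which is why the restart fails), and which local ignore rules would apply to a given alert header. The script below is an added example, not code from the thread or from the OSSEC project. The rule fragment, the stock-ID set and the alert lines are constructed from the messages above. It assumes OSSEC's OS_Match semantics for <hostname> (substring match, a leading ^ as a start anchor, | separating alternatives), and it treats repeated <hostname> elements as alternatives, which is what rule 100029 evidently intends; since the thread does not establish how OSSEC itself combines repeated elements, the checker only flags them and suggests the single pipe-separated form.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the rules quoted in the thread. OSSEC rule
# files contain one or more top-level <group> elements and no single root,
# so they are wrapped in a dummy root before parsing.
LOCAL_RULES = """
<group name="local,">
  <rule id="100028" level="0">
    <if_sid>11</if_sid>
    <hostname>jack-3</hostname>
    <description>Ignoring</description>
  </rule>
  <rule id="100029" level="0">
    <if_sid>5712</if_sid>
    <hostname>sloth</hostname>
    <hostname>lmp-a</hostname>
    <hostname>lmp-b</hostname>
    <description>Ignoring SSHD brute force</description>
  </rule>
  <rule id="100017" level="0">
    <if_sid>5551,5720,5712,5703</if_sid>
    <hostname>sloth</hostname>
    <description>Ignoring ssh brute force attacks</description>
  </rule>
</group>
"""

# Constructed stand-in for the rule IDs defined by the stock rule files.
# A real run would collect every id="..." from the files listed under
# <rules> in ossec.conf; event 11 is generated internally and is absent.
STOCK_IDS = {"5551", "5703", "5712", "5720"}

# Alert header lines as they appear in the thread (hostnames redacted there).
ALERT_HEADERS = """\
Received From: (sloth.xxx.xxx) xxx.xxx.143.180->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
"""


def load_rules(xml_text):
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    return list(root.iter("rule"))


def sids(rule):
    """Comma-separated <if_sid> values of a rule as a set of strings."""
    out = set()
    for el in rule.findall("if_sid"):
        out.update(s.strip() for s in (el.text or "").split(",") if s.strip())
    return out


def check_rules(xml_text, stock_ids):
    """Return (rule_id, message) pairs for problems worth fixing before a restart."""
    rules = load_rules(xml_text)
    defined = set(stock_ids) | {r.get("id") for r in rules}
    problems = []
    for rule in rules:
        rid = rule.get("id")
        for ref in sorted(sids(rule)):
            if ref not in defined:
                problems.append((rid, "if_sid %s is not defined by any loaded rule" % ref))
        hosts = [h.text.strip() for h in rule.findall("hostname")]
        if len(hosts) > 1:
            problems.append((rid, "%d <hostname> elements; try a single pipe-separated "
                             "list: <hostname>%s</hostname>" % (len(hosts), "|".join(hosts))))
    return problems


def host_matches(pattern, hostname):
    """Approximation (assumed) of OS_Match for <hostname>: '|' separates
    alternatives, a leading '^' anchors at the start, otherwise substring."""
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if hostname.startswith(alt[1:]):
                return True
        elif alt in hostname:
            return True
    return False


def ignoring_rules(xml_text, alert_text):
    """Local rules whose if_sid names the fired rule and whose <hostname>
    pattern (each element tried as an alternative) matches the reporting host."""
    host = re.search(r"Received From: \(([^)]+)\)", alert_text).group(1)
    fired = re.search(r"Rule: (\d+) fired", alert_text).group(1)
    hits = []
    for rule in load_rules(xml_text):
        if fired not in sids(rule):
            continue
        patterns = [h.text.strip() for h in rule.findall("hostname")] or [""]
        if any(host_matches(p, host) for p in patterns):
            hits.append(rule.get("id"))
    return hits


if __name__ == "__main__":
    for rid, msg in check_rules(LOCAL_RULES, STOCK_IDS):
        print("rule %s: %s" % (rid, msg))
    print("local rules that should catch the alert:", ignoring_rules(LOCAL_RULES, ALERT_HEADERS))
```

Run against the constructed input it reports rule 100028 (if_sid 11 undefined, matching the rules_list error in the thread) and rule 100029 (three <hostname> elements), and lists 100029 and 100017 as the rules that name 5712 and match host sloth. If a rule shows up in that list but the alert still fires, the remaining suspects are outside this file: the order in which rule files are loaded, or how the daemon combines the repeated <hostname> elements.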
