Hi,

I still seem to get the same messages:

2010 Mar 22 10:08:15
Rule Id: 5502 <http://www.ossec.net/wiki/index.php/Rule:5502> level: 3
Location: (server) yyyy->/var/log/secure
Login session closed.
Mar 22 10:08:13 server sshd[5060]: pam_unix(sshd:session): session closed for user xxxx

2010 Mar 22 10:08:15
Rule Id: 5501 <http://www.ossec.net/wiki/index.php/Rule:5501> level: 3
Location: (server) 94.125.143.164->/var/log/secure
Login session opened.
Mar 22 10:08:13 server sshd[5060]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)

2010 Mar 22 10:08:13
Rule Id: 5502 <http://www.ossec.net/wiki/index.php/Rule:5502> level: 3
Location: (server) yyyy->/var/log/secure
Login session closed.
Mar 22 10:08:13 server sshd[5034]: pam_unix(sshd:session): session closed for user xxxx

2010 Mar 22 10:08:13
Rule Id: 5501 <http://www.ossec.net/wiki/index.php/Rule:5501> level: 3
Location: (server) yyyy->/var/log/secure
Login session opened.
Mar 22 10:08:13 server sshd[5034]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)

I need somehow not to receive alerts if the user xxxx is connecting from IP yyyy. Can it be done?

Thanks

Özgür Özdemircili
http://www.acikkod.org
Code so clean you could eat off it

On Wed, Mar 17, 2010 at 9:48 PM, Wim Remes <[email protected]> wrote:

> Ozgur,
>
> this rule tree should get you there if I understood your question correctly:
>
> <rule id="100105" level="3">
>   <if_level>3</if_level>
>   <user>xxxx</user>
>   <description>Ignoring user xxxx</description>
> </rule>
>
> <rule id="100107" level="0">
>   <if_sid>100105</if_sid>
>   <srcip>yyyy</srcip>
>   <description>ignoring user xxxx from host yyyy</description>
> </rule>
>
> KR,
> W
>
> On 17 Mar 2010, at 16:39, Ozgur Ozdemircili wrote:
>
> > Hi,
> >
> > As a part of our monitoring system we have a monitoring server that is
> > accessing the servers using the xxxx user. Every minute this user is
> > entering the servers and checking the system health. Until here everything
> > is ok.
> > As a part of cleaning the alerts I'm receiving from ossec I added the
> > following parameters to local_rules.xml, which ignore user xxxx and ip
> > yyyy.
> >
> > --- Ignore user xxxx ---
> >
> > <group name="local">
> >   <rule id="100105" level="0">
> >     <if_level>3</if_level>
> >     <user>xxxx</user>
> >     <description>Ignoring user xxxx</description>
> >   </rule>
> >
> >   <rule id="100106" level="0">
> >     <if_level>3</if_level>
> >     <match>xxxx</match>
> >     <description>Ignoring user xxxx</description>
> >   </rule>
> > </group>
> >
> > --- Ignore ip yyyy ---
> >
> > <group name="local">
> >   <rule id="100107" level="0">
> >     <if_level>3</if_level>
> >     <srcip>yyyy</srcip>
> >     <description>yyyy</description>
> >   </rule>
> >
> >   <rule id="100108" level="0">
> >     <if_level>3</if_level>
> >     <match>yyyy</match>
> >     <description>yyyy</description>
> >   </rule>
> > </group>
> >
> > That is working just fine. Now the question is: how can I ignore alerts IF
> > the xxxx user is accessing from yyyy host ONLY? In other words, if someone
> > from a different IP uses the xxxx user to enter the servers, I want to get
> > alerts.
> >
> > Hope it was informative enough.
> >
> > Thanks
> >
> > Özgür Özdemircili
> > http://www.acikkod.org
> > Code so clean you could eat off it
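An added example, not part of the thread and not OSSEC's own code: a small Python stand-in for the "suppress xxxx only from yyyy" policy, run over constructed log lines in the same shape as those pasted above. The point it makes is that the pam_unix "session opened/closed" lines behind rules 5501/5502 carry only a username and no client address (the address in the alert's "Location:" field is the agent's, not the client's), so a user-plus-srcip pair can only be decided on sshd's own "Accepted ... for USER from IP" line, which in stock sshd_rules.xml is the authentication-success rule (5715). The user "xxxx", the host "192.0.2.10" standing in for "yyyy", the level 10 used for escalation and the sample lines are all assumptions of this example.

```python
import re

# Placeholders for the thread's "xxxx" monitoring user and "yyyy" monitoring
# host; both are assumptions for this example.
MONITOR_USER = "xxxx"
MONITOR_HOST = "192.0.2.10"

# sshd's success line carries both the user and the client address.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<srcip>[\d.]+) port \d+"
)
# pam_unix session lines (the 5501/5502 events in the thread) carry only the user.
PAM_SESSION_RE = re.compile(
    r"sshd\[\d+\]: pam_unix\(sshd:session\): session (?:opened|closed) for user (?P<user>\S+)"
)


def decode(line):
    """Return (source, user, srcip) roughly as an OSSEC decoder would, or None."""
    m = ACCEPTED_RE.search(line)
    if m:
        return ("sshd_accepted", m["user"], m["srcip"])
    m = PAM_SESSION_RE.search(line)
    if m:
        return ("pam_session", m["user"], None)  # this line shape has no IP field
    return None


def alert_level(line):
    """Level the alert for `line` should end up with under the thread's policy.

    0    -> suppressed: MONITOR_USER accepted from MONITOR_HOST, or a pam
            session line for MONITOR_USER (no IP on it, so the pair check
            has to be taken on the Accepted line instead)
    10   -> escalated: MONITOR_USER accepted from any other address
    3    -> the stock level for everything else that decodes
    None -> not one of the two line shapes this example decodes
    """
    ev = decode(line)
    if ev is None:
        return None
    source, user, srcip = ev
    if user != MONITOR_USER:
        return 3
    if source == "pam_session":
        return 0  # user-only drop; the IP decision is made on the Accepted line
    return 0 if srcip == MONITOR_HOST else 10


# Constructed sample lines in the format shown in the thread (not real traffic).
SAMPLE_LOG = [
    "Mar 22 10:08:13 server sshd[5034]: Accepted publickey for xxxx from 192.0.2.10 port 51234 ssh2",
    "Mar 22 10:08:13 server sshd[5034]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)",
    "Mar 22 10:08:13 server sshd[5034]: pam_unix(sshd:session): session closed for user xxxx",
    "Mar 22 10:09:01 server sshd[5102]: Accepted password for xxxx from 198.51.100.7 port 40022 ssh2",
    "Mar 22 10:09:30 server sshd[5110]: Accepted publickey for alice from 198.51.100.8 port 40100 ssh2",
    "Mar 22 10:09:31 server sshd[5110]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
]


def triage(lines):
    """Map each decodable line to its level; a caller alerts on anything above 0."""
    return [(line, alert_level(line)) for line in lines if decode(line) is not None]


if __name__ == "__main__":
    for line, level in triage(SAMPLE_LOG):
        print(f"level {level:>2}  {line}")
```

Translated back into OSSEC terms, this is three local rules rather than the two in the thread: one child of 5501/5502 that drops the pam session lines for user xxxx on the user alone, one child of the sshd success rule that drops user xxxx with srcip yyyy, and one child of the same success rule that raises user xxxx from anywhere else. Check the exact child-rule ordering and any srcip negation syntax against the OSSEC rules reference for the version in use before relying on it.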
