I can't think of a great way offhand. For the rule 5501 alert in your
message you could either not alert on that rule at all or not alert on
it for that user.

The following will be a level 0 rule; it requires the message to be decoded as
"pam" and the program to be "sshd". With a little decoder/rule work
it could be better.
  <!-- child of 5501: when it matches, level 0 means no alert is raised -->
  <rule id="110194" level="0">
    <if_sid>5501</if_sid>
    <decoded_as>pam</decoded_as>
    <program_name>sshd</program_name>
    <match>session opened for user</match>
    <description>XXX</description>
  </rule>

And you could do something similar for Rule 5502 alerts.

On Mon, Mar 22, 2010 at 12:03 PM, Ozgur Ozdemircili
<[email protected]> wrote:
> Hi,
> I actually have realized I had a rule to omit the ip addresses in
> local_rules.xml. Now the ip also seems to be written on the output.
> These are the logs generated when I login:
> 1-)
> 2010 Mar 22 16:49:15 Rule Id: 5502 level: 3
> Location: (server) yyyy->/var/log/secure
> Login session closed.
> Mar 22 16:49:08 server sshd[8376]: pam_unix(sshd:session): session closed
> for user xxxx
> 2-)
> 2010 Mar 22 16:49:13 Rule Id: 5501 level: 3
> Location: (b1-server) yyyy->/var/log/secure
> Login session opened.
> Mar 22 16:49:06 B1-server sshd[8376]: pam_unix(sshd:session): session opened
> for user xxxx by (uid=0)
> 3-)
> 2010 Mar 22 16:49:13 Rule Id: 5715 level: 3
> Location: (b1-server) yyyy->/var/log/secure
> Src IP: myipno
> SSHD authentication success.
> Mar 22 16:49:06 server sshd[8376]: Accepted password for systems from myipno
> port 45539 ssh2
>
> I have added the rule that Wim suggested and it DOES stop the alert number 3
> from appearing but I still get the first 2 alerts.
> How can I stop these 3 altogether if I enter from server with ip yyyy?
>
> Thanks.
> Özgür Özdemircili
> http://www.acikkod.org
> Code so clean you could eat off it
>
>
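To see what the suggested rule actually does against the quoted log lines, here is an added Python example (not OSSEC's code, and not from either poster) that mimics OSSEC's parent/child rule evaluation on constructed copies of the three log lines. It assumes simplified stand-ins for stock rules 5501, 5502 and 5715, includes the rule 110194 from the reply, and adds a hypothetical sibling 110195 for rule 5502 that is restricted to one user via the <user> option. The toy decoder, the constructed log lines and the 10.0.0.5 address are assumptions.

```python
"""Toy simulation of OSSEC rule evaluation for the pam/sshd suppression
discussed in the thread. Added example; not OSSEC's own engine."""
import re
import xml.etree.ElementTree as ET

# Constructed log lines modelled on the ones quoted in the question.
SAMPLE_LOGS = [
    "Mar 22 16:49:06 server sshd[8376]: Accepted password for systems from 10.0.0.5 port 45539 ssh2",
    "Mar 22 16:49:06 server sshd[8376]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)",
    "Mar 22 16:49:08 server sshd[8376]: pam_unix(sshd:session): session closed for user xxxx",
    "Mar 22 16:50:00 server sshd[8400]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Mar 22 16:50:09 server sshd[8400]: pam_unix(sshd:session): session closed for user alice",
]

# Simplified stand-ins for the stock OSSEC rules (assumption), the rule from
# the reply (110194) and a hypothetical per-user sibling for 5502 (110195).
RULES_XML = """
<group name="example">
  <rule id="5501" level="3"><decoded_as>pam</decoded_as><match>session opened for user</match><description>Login session opened.</description></rule>
  <rule id="5502" level="3"><decoded_as>pam</decoded_as><match>session closed for user</match><description>Login session closed.</description></rule>
  <rule id="5715" level="3"><decoded_as>sshd</decoded_as><match>Accepted</match><description>SSHD authentication success.</description></rule>
  <rule id="110194" level="0"><if_sid>5501</if_sid><decoded_as>pam</decoded_as><program_name>sshd</program_name><match>session opened for user</match><description>Ignore sshd pam session open</description></rule>
  <rule id="110195" level="0"><if_sid>5502</if_sid><program_name>sshd</program_name><user>xxxx</user><match>session closed for user</match><description>Ignore sshd pam session close for one user</description></rule>
</group>
"""

SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$")
PAM_RE = re.compile(r"^pam_unix\(\S+\): session (?P<action>opened|closed) for user (?P<user>\S+)")
SSHD_ACCEPT_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<srcip>\S+) port \d+")


def decode(line):
    """Toy stand-in for OSSEC's syslog + pam/sshd decoders (assumption).
    Note that pam session lines carry no source address, so srcip stays None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = {"program_name": m.group("prog"), "log": m.group("msg"),
          "decoded_as": None, "user": None, "srcip": None}
    pm = PAM_RE.match(ev["log"])
    if pm:
        ev["decoded_as"], ev["user"] = "pam", pm.group("user")
        return ev
    sm = SSHD_ACCEPT_RE.match(ev["log"])
    if sm:
        ev["decoded_as"], ev["user"], ev["srcip"] = "sshd", sm.group("user"), sm.group("srcip")
    return ev


def load_rules(xml_text):
    """Parse the subset of rule options used here into plain dicts."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({"id": r.get("id"), "level": int(r.get("level")),
                      "if_sid": r.findtext("if_sid"), "decoded_as": r.findtext("decoded_as"),
                      "program_name": r.findtext("program_name"), "user": r.findtext("user"),
                      "match": r.findtext("match"), "description": r.findtext("description")})
    return rules


def rule_matches(rule, ev):
    """Every option present in the rule must agree with the decoded event."""
    for field in ("decoded_as", "program_name", "user"):
        if rule[field] is not None and ev[field] != rule[field]:
            return False
    return rule["match"] is None or rule["match"] in ev["log"]


def evaluate(rules, line):
    """Return (rule id, level) of the final rule that fires for a line, or None.
    Mimics OSSEC: the first matching top-level rule is refined by the first
    matching child (if_sid); a level-0 child suppresses the alert."""
    ev = decode(line)
    if ev is None:
        return None
    for parent in (r for r in rules if r["if_sid"] is None):
        if not rule_matches(parent, ev):
            continue
        winner = parent
        for child in rules:
            if child["if_sid"] == parent["id"] and rule_matches(child, ev):
                winner = child
                break
        return (winner["id"], winner["level"])
    return None


def alerts(rules, lines):
    """IDs of the rules that would actually produce an alert (level > 0)."""
    fired = [evaluate(rules, line) for line in lines]
    return [rid for res in fired if res for rid, level in [res] if level > 0]


RULES = load_rules(RULES_XML)

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(evaluate(RULES, line), "<-", line)
    print("alerts:", alerts(RULES, SAMPLE_LOGS))
```

With these rules, the "Accepted password" line still alerts on 5715, both "session opened" lines are silenced by 110194, and only the session-close line for user xxxx is silenced by 110195 while alice's close still alerts on 5502. The decoder also makes the limitation in the question visible: the pam lines carry no address at all, so a <srcip> condition on a child of 5501 or 5502 could never match, which is why suppression there has to be per rule or per user rather than per source IP.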
