But that will stop alerts from all the servers, right? I have just added 2 more servers as OSSEC clients. Same problem..

As they are WebLogic servers they all the time, I mean literally every second, connect to the other node by ssh and check the health of the server. Then on the alert log I see 3 messages for every time they log on to each other. SIDs 5502/5501/5715. Are there really no ways to do it? I mean we are basically talking about: if user a enters from host b, do not alert me.

Any suggestions?

Özgür Özdemircili
http://www.acikkod.org
Code so clean you could eat off it

On Mon, Mar 22, 2010 at 7:11 PM, dan (ddp) <[email protected]> wrote:
> I can't think of a great way off hand. For the rule 5501 alert in your
> message you could either not alert on that rule at all or not alert on
> it for that user.
>
> The following will be a level 0, require the message to be decoded as
> "pam", and that the program be "sshd." With a little decoder/rule work
> it could be better.
>
> <rule id="110194" level="0">
>   <if_sid>5501</if_sid>
>   <decoded_as>pam</decoded_as>
>   <program_name>sshd</program_name>
>   <match>session opened for user</match>
>   <description>XXX</description>
> </rule>
>
> And you could do something similar for Rule 5502 alerts.
>
> On Mon, Mar 22, 2010 at 12:03 PM, Ozgur Ozdemircili
> <[email protected]> wrote:
> > Hi,
> > I actually have realized I had a rule to omit the IP addresses in
> > local_rules.xml. Now the IP also seems to be written on the output.
> > These are the logs generated when I login:
> >
> > 1-)
> > 2010 Mar 22 16:49:15 Rule Id: 5502 level: 3
> > Location: (server) yyyy->/var/log/secure
> > Login session closed.
> > Mar 22 16:49:08 server sshd[8376]: pam_unix(sshd:session): session closed for user xxxx
> >
> > 2-)
> > 2010 Mar 22 16:49:13 Rule Id: 5501 level: 3
> > Location: (b1-server) yyyy->/var/log/secure
> > Login session opened.
> > Mar 22 16:49:06 B1-server sshd[8376]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)
> >
> > 3-)
> > 2010 Mar 22 16:49:13 Rule Id: 5715 level: 3
> > Location: (b1-server) yyyy->/var/log/secure
> > Src IP: myipno
> > SSHD authentication success.
> > Mar 22 16:49:06 server sshd[8376]: Accepted password for systems from myipno port 45539 ssh2
> >
> > I have added the rule that Wim suggested and it DOES stop alert number 3
> > from appearing, but I still get the first 2 alerts.
> > How can I stop these 3 altogether if I enter from server with IP yyyy?
> >
> > Thanks.
> > Özgür Özdemircili
> > http://www.acikkod.org
> > Code so clean you could eat off it
> >
> > To unsubscribe from this group, send email to ossec-list+unsubscribegooglegroups.com or reply to this email with the words "REMOVE ME" as the subject.
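An added example, not from anyone in this thread, of what a narrowly scoped suppression in local_rules.xml could look like for the "user a from host b" case. The agent name `b1-server`, the peer address `192.0.2.10`, the account `healthcheck` and the rule ids 100200/100201 are placeholders standing in for the values masked in the thread (yyyy, myipno, xxxx); the example assumes the stock sshd decoder fills `srcip` and `user` for rule 5715 (the "Src IP:" line in alert 3 shows that it does) and that the stock pam decoder fills `user` from the "for user" part of the 5501/5502 lines.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml; all values are placeholders -->
<group name="local,syslog,sshd,">

  <!-- 5715 (sshd accepted login) carries a decoded source IP and user,
       so the suppression can be pinned to both.
       Assumption: the peer node is 192.0.2.10 and the check runs as 'healthcheck'. -->
  <rule id="100200" level="0">
    <if_sid>5715</if_sid>
    <srcip>192.0.2.10</srcip>
    <user>^healthcheck$</user>
    <description>Peer node health-check login accepted; not alerting.</description>
  </rule>

  <!-- 5501/5502 come from pam_unix and the log line has no source IP,
       so scope them by the receiving agent (the name shown in the
       Location: line) and the user instead of silencing them for everyone.
       Assumption: the pam decoder populates 'user' from "for user <name>". -->
  <rule id="100201" level="0">
    <if_sid>5501,5502</if_sid>
    <program_name>sshd</program_name>
    <hostname>b1-server</hostname>
    <user>^healthcheck$</user>
    <description>Peer node health-check PAM session on b1-server; not alerting.</description>
  </rule>

</group>
```

Before restarting OSSEC, paste each of the three log lines from the thread into `/var/ossec/bin/ossec-logtest` and confirm that the decoded `user` (and, for 5715, `srcip`) fields are populated and that the new rules fire at level 0; if the pam decoder on your version does not expose `user`, rule 100201 will never match and the original alerts keep firing. Scoping by user and host in this way keeps 5501/5502/5715 alerting for interactive logins by anyone else, which a blanket level-0 child of 5501 would hide as well. Keep the ids inside the 100000 to 119999 range that OSSEC reserves for user rules and check they do not collide with rules already in local_rules.xml.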
