Hi, it's OSSEC so there must be a way. I'll look into this further and let you know.
Cheers,
Wim

On Tue, Mar 23, 2010 at 9:14 AM, Ozgur Ozdemircili <[email protected]> wrote:
> But that will stop alerts from all the servers, right?
> I have just added 2 more servers as OSSEC clients. Same problem..
> As they are WebLogic servers they, all the time, I mean literally every
> second, connect to the other node by ssh and check the health of the server.
> Then in the alert log I see 3 messages every time they log on to each
> other. SIDs 5502/5501/5715
>
> Are there really no ways to do it? I mean we are basically talking about:
> If user a enters from host b, do not alert me.
> Any suggestions?
>
> Özgür Özdemircili
> http://www.acikkod.org
> Code so clean you could eat off it
>
>
> On Mon, Mar 22, 2010 at 7:11 PM, dan (ddp) <[email protected]> wrote:
>>
>> I can't think of a great way off hand. For the rule 5501 alert in your
>> message you could either not alert on that rule at all or not alert on
>> it for that user.
>>
>> The following will be a level 0, require the message to be decoded as
>> "pam", and that the program be "sshd." With a little decoder/rule work
>> it could be better.
>>
>> <rule id="110194" level="0">
>>   <if_sid>5501</if_sid>
>>   <decoded_as>pam</decoded_as>
>>   <program_name>sshd</program_name>
>>   <match>session opened for user</match>
>>   <description>XXX</description>
>> </rule>
>>
>> And you could do something similar for Rule 5502 alerts.
>>
>> On Mon, Mar 22, 2010 at 12:03 PM, Ozgur Ozdemircili
>> <[email protected]> wrote:
>> > Hi,
>> > I actually have realized I had a rule to omit the ip addresses in
>> > local_rules.xml. Now the ip also seems to be written on the output.
>> > These are the logs generated when I log in:
>> >
>> > 1-)
>> > 2010 Mar 22 16:49:15 Rule Id: 5502 level: 3
>> > Location: (server) yyyy->/var/log/secure
>> > Login session closed.
>> > Mar 22 16:49:08 server sshd[8376]: pam_unix(sshd:session): session closed
>> > for user xxxx
>> >
>> > 2-)
>> > 2010 Mar 22 16:49:13 Rule Id: 5501 level: 3
>> > Location: (b1-server) yyyy->/var/log/secure
>> > Login session opened.
>> > Mar 22 16:49:06 B1-server sshd[8376]: pam_unix(sshd:session): session opened
>> > for user xxxx by (uid=0)
>> >
>> > 3-)
>> > 2010 Mar 22 16:49:13 Rule Id: 5715 level: 3
>> > Location: (b1-server) yyyy->/var/log/secure
>> > Src IP: myipno
>> > SSHD authentication success.
>> > Mar 22 16:49:06 server sshd[8376]: Accepted password for systems from myipno
>> > port 45539 ssh2
>> >
>> > I have added the rule that Wim suggested and it DOES stop alert
>> > number 3 from appearing, but I still get the first 2 alerts.
>> > How can I stop all 3 of these together if I enter from the server with ip
>> > yyyy?
>> >
>> > Thanks.
>> > Özgür Özdemircili
>> > http://www.acikkod.org
>> > Code so clean you could eat off it
>> >
>> >
>>
>> To unsubscribe from this group, send email to
>> ossec-list+unsubscribegooglegroups.com or reply to this email with the words
>> "REMOVE ME" as the subject.
>

--
Wim Remes
Security Afficionado
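As an added example (not from this thread or from the OSSEC project), here is a local_rules.xml fragment that scopes the suppression the way Özgür asked for: only the health-check user logging in from the peer host is silenced, while every other SSH login still raises 5501/5502/5715 at their normal level. Assumed values: user `healthcheck`, peer host name `node-b` as it appears in the raw syslog line, peer IP `192.0.2.10`; `<srcip>`, `<user>` and `<hostname>` are standard OSSEC rule options, but whether `<hostname>` matches your host naming should be confirmed with ossec-logtest before relying on it.

```xml
<!-- Added example: scoped suppression of peer health-check SSH logins.
     Assumed values: user "healthcheck", peer host "node-b", peer IP 192.0.2.10.
     Level 0 means the event is matched but never alerted on; logins by any
     other user, or from any other address, still fire the normal rules. -->
<group name="local,syslog,sshd,">

  <!-- 5715: "Accepted password for <user> from <ip>" carries both the user
       and the source IP, so restrict on both. The same user arriving from
       another address is still alerted. -->
  <rule id="110195" level="0">
    <if_sid>5715</if_sid>
    <user>^healthcheck$</user>
    <srcip>192.0.2.10</srcip>
    <description>Peer health-check SSH login from node-b (expected).</description>
  </rule>

  <!-- 5501/5502: the pam_unix session lines carry no source IP, only the
       user name, so restrict on the user string plus the host that wrote
       the log. Assumption: <hostname> is matched (case-sensitively) against
       the host field of the syslog line; verify with ossec-logtest. -->
  <rule id="110196" level="0">
    <if_sid>5501,5502</if_sid>
    <decoded_as>pam</decoded_as>
    <program_name>sshd</program_name>
    <hostname>^node-b$</hostname>
    <match>for user healthcheck</match>
    <description>Peer health-check PAM session on node-b (expected).</description>
  </rule>

</group>
```

Because each node logs the other's health-check, mirror these rules for the second host as well; paste one of the captured log lines into /var/ossec/bin/ossec-logtest and confirm the output names rule 110195 or 110196 rather than the original 57xx/55xx rule before restarting OSSEC.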
