I understand what you're trying to accomplish, I just can't think of a way to do it. Wim's smarter than I am, hopefully he'll come up with a way. ;) If you all do come up with a way, please post it. It'll be interesting.

The problem I can't figure out how to get around is the fact the PAM alerts (5501/5502) do not contain the IP address. If those alerts do not contain the IP address, I don't think there is a way for ossec to know that they were triggered by events from that IP address. So we'd need some (probably non-trivial) correlation, or an ossec-psychicd (also non-trivial).

Some kind of flowbit (from snort) type option might be useful in the future. If alert X is triggered, set a flowbit, alerts Y and Z can then check that bit to see if they should fire...
On Wed, Mar 24, 2010 at 4:06 AM, Ozgur Ozdemircili <[email protected]> wrote:
> Hi all,
> Dan I think Wim has got the idea of what I am trying to accomplish here.
> The first log I have sent didn't have any IP as I had modified the
> localrules.xml. Now I have disabled the rule and I can see the IP coming up.
>
> The only thing is OSSEC should contain some kinda mechanism to stop the 3
> alerts sids: 5501 5502 5715 when I enter from a specific host with a
> specific user.
> This is really creating me a lot of, I mean a lot of alerts that I do not
> wish to see.
> Any more ideas here?
> Thanks a lot.
> Özgür Özdemircili
> http://www.acikkod.org
> Code so clean you could eat off it
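The flowbit-style correlation sketched above (alert X sets a bit, alerts Y and Z consult it) can be modelled outside OSSEC to see what it would and would not solve. The following Python is an added example written for this thread, not OSSEC code and not a feature OSSEC offers; it replays constructed sshd/PAM syslog lines through a small correlator. The sshd "Accepted" line (rule 5715 in the thread) carries the source IP, so it is checked against an allowlist of (user, IP) pairs; a match sets a per-user bit with an expiry. The PAM session-open/close lines (5501/5502), which carry only the user, are suppressed while that user's bit is set. The allowlist, IP addresses, rule-id mapping and 10-minute window are assumptions for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Rule ids as named in the thread.
SID_PAM_OPEN, SID_PAM_CLOSE, SID_SSHD_ACCEPT = 5501, 5502, 5715

# Constructed sample log lines (not taken from the original thread).
SAMPLE_LOGS = [
    "Mar 24 04:00:01 host sshd[1001]: Accepted publickey for backup from 192.0.2.10 port 51022 ssh2",
    "Mar 24 04:00:01 host sshd[1001]: pam_unix(sshd:session): session opened for user backup by (uid=0)",
    "Mar 24 04:00:05 host sshd[1001]: pam_unix(sshd:session): session closed for user backup",
    "Mar 24 04:10:00 host sshd[1002]: Accepted password for admin from 198.51.100.7 port 40000 ssh2",
    "Mar 24 04:10:00 host sshd[1002]: pam_unix(sshd:session): session opened for user admin by (uid=0)",
    # Session open for the trusted user long after the bit expired and with no
    # preceding sshd "Accepted" line: this one should still alert.
    "Mar 24 04:30:00 host sshd[1003]: pam_unix(sshd:session): session opened for user backup by (uid=0)",
]

# Assumed allowlist: only this exact user/source pair is considered routine.
ALLOWLIST = {("backup", "192.0.2.10")}

SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
PAM_OPEN = re.compile(r"pam_unix\(sshd:session\): session opened for user (\S+)")
PAM_CLOSE = re.compile(r"pam_unix\(sshd:session\): session closed for user (\S+)")


@dataclass
class Event:
    sid: int
    user: str
    srcip: Optional[str]   # None for PAM events: the log line has no IP
    suppressed: bool


def parse_ts(line: str) -> datetime:
    """Parse the syslog timestamp. The year defaults to 1900; only deltas matter here."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp: {line!r}")
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S")


def correlate(lines, allowlist, window=timedelta(minutes=10)):
    """Replay lines in order and decide, per event, whether it would be suppressed.

    flowbits maps user -> expiry time of the 'trusted login seen' bit.
    """
    flowbits = {}
    events = []
    for line in lines:
        ts = parse_ts(line)
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            trusted = (user, ip) in allowlist
            if trusted:
                # Alert X fired from an allowed source: set the bit for this user.
                flowbits[user] = ts + window
            events.append(Event(SID_SSHD_ACCEPT, user, ip, trusted))
            continue
        for sid, pattern in ((SID_PAM_OPEN, PAM_OPEN), (SID_PAM_CLOSE, PAM_CLOSE)):
            m = pattern.search(line)
            if m:
                user = m.group(1)
                # Alerts Y/Z: suppressed only while the user's bit is set and unexpired.
                bit_set = user in flowbits and ts <= flowbits[user]
                events.append(Event(sid, user, None, bit_set))
                break
    return events


def fired_alerts(lines, allowlist, window=timedelta(minutes=10)):
    """Events that would still reach the alert log after correlation."""
    return [e for e in correlate(lines, allowlist, window) if not e.suppressed]


if __name__ == "__main__":
    for e in fired_alerts(SAMPLE_LOGS, ALLOWLIST):
        print(f"rule {e.sid} user={e.user} srcip={e.srcip}")
```

Running it leaves three alerts: the admin login from an unlisted address, its PAM session open, and the 04:30 session open for `backup` whose bit has expired. The limitation Dan points at is visible in the design: because 5501/5502 carry no IP, the bit can only be keyed on the user, so a second session for the same user from anywhere else inside the window would also be hidden. Keeping the window short and the allowlist to exact user/IP pairs is what bounds that blind spot.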
