Hi Daniel,

Let's clarify a bit. It is actually very easy. I have 2 servers (srv1 and srv2) that are accessing each other through ssh every second with the user beauser.

So when they enter I receive these 3 alerts: 5501, 5502 and 5715. I do not want to receive any alert when srv1 enters srv2 using user beauser. I want to receive PAM alerts for all other hosts as I use them to track users. So can it be done in any way?

P.S. Dan, come on, you're as much help as Wim. I'm sure there is not so much difference in our IQs since we are all clever enough to use OSSEC on our servers? :)

Özgür Özdemircili
http://www.acikkod.org
Code so clean you could eat off it

On Wed, Mar 24, 2010 at 3:01 PM, Daniel Cid <[email protected]> wrote:
> Hey,
>
> I am confused here as to what is going on. When you log in, SSHD
> generates its own log with the IP address and PAM generates
> another log without it.
>
> This is duplicated information that you probably don't need, so why
> don't you ignore the PAM logs and keep only the ones
> from SSHD?
>
> Ex:
> <rule id="12345" level="0">
>   <if_sid>5501</if_sid>
>   <program_name>sshd</program_name>
>   <description>Using only sshd logs</description>
> </rule>
>
> Would that do what you want or did I completely miss what you are
> trying to do?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, Mar 24, 2010 at 9:37 AM, dan (ddp) <[email protected]> wrote:
> > I understand what you're trying to accomplish, I just can't think of a
> > way to do it. Wim's smarter than I am, hopefully he'll come up with a
> > way. ;)
> > If you all do come up with a way, please post it. It'll be interesting.
> > The problem I can't figure out how to get around is the fact the PAM
> > alerts (5501/5502) do not contain the IP address. If those alerts do
> > not contain the IP address, I don't think there is a way for ossec to
> > know that they were triggered by events from that IP address. So we'd
> > need some (probably non-trivial) correlation, or an ossec-psychicd
> > (also non-trivial).
> > Some kind of flowbit (from snort) type option might be useful in the
> > future. If alert X is triggered, set a flowbit, alerts Y and Z can
> > then check that bit to see if they should fire...
> >
> > On Wed, Mar 24, 2010 at 4:06 AM, Ozgur Ozdemircili
> > <[email protected]> wrote:
> >> Hi all,
> >> Dan I think Wim has got the idea of what I am trying to accomplish here. The
> >> first log I have sent didn't have any ip as I had modified the
> >> localrules.xml. Now I have disabled the rule and I can see the ip coming up.
> >>
> >> The only thing is OSSEC should contain some kinda mechanism to stop the 3
> >> alerts sids: 5501 5502 5715 when I enter from a specific host with a
> >> specific user.
> >> This is really creating me a lot of, I mean a lot of alerts that I do not
> >> wish to see.
> >> Any more ideas here?
> >> Thanks a lot.
> >> Özgür Özdemircili
> >> http://www.acikkod.org
> >> Code so clean you could eat off it

To unsubscribe from this group, send email to ossec-list+unsubscribe@googlegroups.com or reply to this email with the words "REMOVE ME" as the subject.
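As an added example (not written by Daniel, dan or Özgür, and not part of OSSEC's shipped rule set), the local rules below combine the two facts established in the thread: the PAM session alerts 5501/5502 carry no source IP and duplicate what sshd logs, so they can be dropped when the program is sshd, as Daniel suggests; the sshd success alert 5715 does carry the source IP and the user, so it can be silenced only for the beauser login from srv1. The srv1 address 192.0.2.10 is a placeholder assumption, the rule ids 100001/100002 are assumed to be free in the local range, and level 0 is the OSSEC level that matches an event without alerting on it.

```xml
<!-- Added example for rules/local_rules.xml; not from the thread or OSSEC's own rules.
     Assumptions: srv1 is 192.0.2.10 (placeholder), ids 100001 and 100002 are unused. -->
<group name="local,syslog,">

  <!-- Daniel's suggestion, extended to the session-closed rule: the PAM session
       events (5501 open, 5502 close) have no srcip and repeat what sshd already
       logs, so they are ignored whenever the program is sshd. -->
  <rule id="100001" level="0">
    <if_sid>5501,5502</if_sid>
    <program_name>sshd</program_name>
    <description>Ignore PAM session events from sshd; sshd rule 5715 already carries the IP</description>
  </rule>

  <!-- The sshd success event (5715) is decoded with srcip and user, so it can be
       silenced only for the expected srv1 -> beauser login; logins from any other
       host, or from srv1 as any other user, still raise 5715. -->
  <rule id="100002" level="0">
    <if_sid>5715</if_sid>
    <srcip>192.0.2.10</srcip>
    <user>beauser</user>
    <description>Ignore the expected beauser login from srv1 (placeholder IP)</description>
  </rule>

</group>
```

After adding the rules, restart OSSEC and paste a real sshd "Accepted" line from srv1 and one from another host into /var/ossec/bin/ossec-logtest: the first should end at rule 100002 with level 0, the second should still reach 5715. Note that rule 100001 drops the PAM session alerts for every host, not only srv1; since those events carry no IP (dan's point), the per-host tracking Özgür wants has to come from 5715, which this setup keeps for everything except the srv1/beauser pair.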
