Has anybody found any solution to this? Could you please post your thoughts?

Thank you.

Özgür Özdemircili
http://www.acikkod.org
Code so clean you could eat off it

On Wed, Mar 24, 2010 at 4:44 PM, Ozgur Ozdemircili <[email protected]> wrote:
> Hi Daniel,
>
> Let's clear a bit. It is actually very easy. I have 2 servers (srv1 and srv2)
> that are accessing each other through ssh every second with the user
> beauser.
>
> So when they enter I receive these 3 alerts: 5501, 5502 and 5715.
>
> I do not want to receive any alert when srv1 enters srv2 using user
> beauser.
>
> I want to receive pam alerts for all other hosts as I use them to track
> users.
>
> So can it be done in any way?
>
> P.S. Dan come on, you're as much help as Wim. I'm sure there is not so much
> difference in our IQs since we are all clever enough to use OSSEC on our
> servers? :)
>
> Özgür Özdemircili
> http://www.acikkod.org
> Code so clean you could eat off it
>
> On Wed, Mar 24, 2010 at 3:01 PM, Daniel Cid <[email protected]> wrote:
>> Hey,
>>
>> I am confused here as to what is going on. When you log in, SSHD
>> generates its own log with the IP address and PAM generates
>> another log without it.
>>
>> This is duplicated information that you probably don't need, so why
>> don't you ignore the PAM logs and keep only the ones
>> from SSHD?
>>
>> Ex:
>>   <rule id="12345" level="0">
>>     <if_sid>5501</if_sid>
>>     <program_name>sshd</program_name>
>>     <description>Using only sshd logs</description>
>>   </rule>
>>
>> Would that do what you want or did I completely miss what you are
>> trying to do?
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Wed, Mar 24, 2010 at 9:37 AM, dan (ddp) <[email protected]> wrote:
>> > I understand what you're trying to accomplish, I just can't think of a
>> > way to do it. Wim's smarter than I am, hopefully he'll come up with a
>> > way. ;)
>> > If you all do come up with a way, please post it. It'll be interesting.
>> > The problem I can't figure out how to get around is the fact the PAM
>> > alerts (5501/5502) do not contain the IP address. If those alerts do
>> > not contain the IP address, I don't think there is a way for ossec to
>> > know that they were triggered by events from that IP address. So we'd
>> > need some (probably non-trivial) correlation, or an ossec-psychicd
>> > (also non-trivial).
>> > Some kind of flowbit (from snort) type option might be useful in the
>> > future. If alert X is triggered, set a flowbit, alerts Y and Z can
>> > then check that bit to see if they should fire...
>> >
>> > On Wed, Mar 24, 2010 at 4:06 AM, Ozgur Ozdemircili
>> > <[email protected]> wrote:
>> >> Hi all,
>> >> Dan I think Wim has got the idea of what I am trying to accomplish here. The
>> >> first log I have sent didn't have any ip as I had modified the
>> >> localrules.xml. Now I have disabled the rule and I can see the ip coming up.
>> >>
>> >> The only thing is OSSEC should contain some kinda mechanism to stop the 3
>> >> alerts sids: 5501 5502 5715 when I enter from a specific host with a
>> >> specific user.
>> >> This is really creating me a lot of, I mean a lot of alerts that I do not
>> >> wish to see.
>> >> Any more ideas here?
>> >> Thanks a lot.
>> >> Özgür Özdemircili
>> >> http://www.acikkod.org
>> >> Code so clean you could eat off it
>> >>
>> > To unsubscribe from this group, send email to ossec-list+unsubscribe@googlegroups.com or reply to this email with the words "REMOVE ME" as the subject.
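The correlation Dan describes (set a "flowbit" when the sshd login with the IP is seen, then let the IP-less PAM events consult it) can be done outside OSSEC's rule engine because OpenSSH logs the "Accepted ..." line and the pam_unix session lines under the same sshd[pid]. The script below is an added example written for this thread, not code from OSSEC or from any of the posters; the log lines, the 10.0.0.1 source address and the QUIET_LOGINS list are constructed to mirror the srv1 -> srv2 beauser case, and the rule ids 5715/5501/5502 are only labels taken from the thread.

```python
import re

# Constructed sample syslog from srv2 (not from the thread): the expected
# srv1 -> srv2 beauser login, followed by an unrelated admin login.
SAMPLE_LOG = """\
Mar 24 16:44:01 srv2 sshd[4011]: Accepted publickey for beauser from 10.0.0.1 port 51022 ssh2
Mar 24 16:44:01 srv2 sshd[4011]: pam_unix(sshd:session): session opened for user beauser by (uid=0)
Mar 24 16:44:02 srv2 sshd[4011]: pam_unix(sshd:session): session closed for user beauser
Mar 24 16:44:05 srv2 sshd[4020]: Accepted password for admin from 192.0.2.7 port 40122 ssh2
Mar 24 16:44:05 srv2 sshd[4020]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Mar 24 16:44:09 srv2 sshd[4020]: pam_unix(sshd:session): session closed for user admin
"""

# (source IP, user) pairs whose logins are known, expected noise.
# The IP is an assumption standing in for srv1's address.
QUIET_LOGINS = {("10.0.0.1", "beauser")}

# The sshd success line carries the peer IP; the PAM lines do not.
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port"
)
PAM_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): "
    r"session (?P<action>opened|closed) for user (?P<user>\S+)"
)


def correlate(lines, quiet=QUIET_LOGINS):
    """Return the list of (rule_id, user, ip) alerts that should still fire.

    The sshd pid is the correlation key. When an accepted login matches the
    quiet list, a flag is set for that pid (the "flowbit"); later PAM session
    lines for the same pid are dropped instead of raising 5501/5502.
    Everything else alerts exactly as before, with 5715 carrying the IP and
    5501/5502 carrying none."""
    quiet_pids = {}  # pid -> (ip, user) flagged as expected noise
    alerts = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            key = (m["ip"], m["user"])
            if key in quiet:
                quiet_pids[m["pid"]] = key  # set the flowbit for this session
            else:
                alerts.append((5715, m["user"], m["ip"]))
            continue
        m = PAM_RE.search(line)
        if m:
            if m["pid"] in quiet_pids:
                if m["action"] == "closed":
                    quiet_pids.pop(m["pid"])  # session is over, clear the flag
                continue
            rule = 5501 if m["action"] == "opened" else 5502
            alerts.append((rule, m["user"], None))
    return alerts


if __name__ == "__main__":
    for rule_id, user, ip in correlate(SAMPLE_LOG.splitlines()):
        print(f"rule {rule_id}: user={user} srcip={ip or '-'}")
```

Run as-is it reports only the admin login (5715 with its IP, then 5501 and 5502 without one); the beauser session from 10.0.0.1 is silently consumed. PAM lines whose pid was never seen in an "Accepted" line (for example after a log rotation, or for non-ssh PAM sessions) still alert, so a missing flag fails toward noise rather than toward silence.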
