Hi Daniel,

That was the solution. Now I don't receive any alerts when they log on to each other, BUT when I log in from another host using beauser I DO receive the alert.

Thank you.

Özgür Özdemircili
http://www.acikkod.org
Code so clean you could eat off it

On Tue, Apr 6, 2010 at 8:21 PM, Daniel Cid <[email protected]> wrote:
> Hey,
>
> If I am understanding it properly, it should be simple to do.
>
> First, you need to ignore the rules 5501 and 5502 on both servers
> srv1, srv2 if the user name is beauser. That rule should do it:
>
> <rule id="100501" level="0">
>   <hostname>srv1|srv2</hostname>
>   <if_sid>5501, 5502</if_sid>
>   <match>user beauser</match>
> </rule>
>
> For rule 5715, we also have the ip address, so we need two rules, one
> per server:
>
> <rule id="100502" level="0">
>   <hostname>srv1</hostname>
>   <if_sid>5715</if_sid>
>   <user>beauser</user>
>   <srcip>srv2ip</srcip>
> </rule>
>
> <rule id="100503" level="0">
>   <hostname>srv2</hostname>
>   <if_sid>5715</if_sid>
>   <user>beauser</user>
>   <srcip>srv1ip</srcip>
> </rule>
>
> That will ignore any login from srv1 to srv2 (and vice versa) using
> user name beauser.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, Mar 24, 2010 at 12:44 PM, Ozgur Ozdemircili <[email protected]> wrote:
> > Hi Daniel,
> >
> > Let's clarify a bit. It is actually very easy. I have 2 servers (srv1 and srv2)
> > that are accessing each other through ssh every second with the user beauser.
> > So when they enter I receive these 3 alerts: 5501, 5502 and 5715.
> > I do not want to receive any alert when srv1 enters srv2 using user beauser.
> > I want to receive pam alerts for all other hosts as I use them to track users.
> > So can it be done in any way?
> >
> > P.S. Dan, come on, you're as much help as Wim. I'm sure there is not so much
> > difference in our IQs since we are all clever enough to use OSSEC on our
> > servers? :)
> >
> > Özgür Özdemircili
> > http://www.acikkod.org
> > Code so clean you could eat off it
> >
> > On Wed, Mar 24, 2010 at 3:01 PM, Daniel Cid <[email protected]> wrote:
> > > Hey,
> > >
> > > I am confused here as to what is going on. When you log in, SSHD
> > > generates its own log with the IP address and PAM generates
> > > another log without it.
> > >
> > > This is duplicated information that you probably don't need, so why
> > > don't you ignore the PAM logs and keep only the ones from SSHD?
> > >
> > > Ex:
> > > <rule id="12345" level="0">
> > >   <if_sid>5501</if_sid>
> > >   <program_name>sshd</program_name>
> > >   <description>Using only sshd logs</description>
> > > </rule>
> > >
> > > Would that do what you want or did I completely miss what you are
> > > trying to do?
> > >
> > > Thanks,
> > >
> > > --
> > > Daniel B. Cid
> > > dcid ( at ) ossec.net
> > >
> > > On Wed, Mar 24, 2010 at 9:37 AM, dan (ddp) <[email protected]> wrote:
> > > > I understand what you're trying to accomplish, I just can't think of a
> > > > way to do it. Wim's smarter than I am, hopefully he'll come up with a
> > > > way. ;)
> > > > If you all do come up with a way, please post it. It'll be interesting.
> > > > The problem I can't figure out how to get around is the fact the PAM
> > > > alerts (5501/5502) do not contain the IP address. If those alerts do
> > > > not contain the IP address, I don't think there is a way for ossec to
> > > > know that they were triggered by events from that IP address. So we'd
> > > > need some (probably non-trivial) correlation, or an ossec-psychicd
> > > > (also non-trivial).
> > > > Some kind of flowbit (from snort) type option might be useful in the
> > > > future. If alert X is triggered, set a flowbit, alerts Y and Z can
> > > > then check that bit to see if they should fire...
> > > >
> > > > On Wed, Mar 24, 2010 at 4:06 AM, Ozgur Ozdemircili <[email protected]> wrote:
> > > > > Hi all,
> > > > >
> > > > > Dan, I think Wim has got the idea of what I am trying to accomplish
> > > > > here. The first log I have sent didn't have any ip as I had modified the
> > > > > localrules.xml. Now I have disabled the rule and I can see the ip
> > > > > coming up.
> > > > >
> > > > > The only thing is OSSEC should contain some kind of mechanism to stop the
> > > > > 3 alerts sids: 5501 5502 5715 when I enter from a specific host with a
> > > > > specific user.
> > > > > This is really creating a lot of, I mean a lot of, alerts for me that I do
> > > > > not wish to see.
> > > > > Any more ideas here?
> > > > > Thanks a lot.
> > > > >
> > > > > Özgür Özdemircili
> > > > > http://www.acikkod.org
> > > > > Code so clean you could eat off it
> > > >
> > > > To unsubscribe from this group, send email to
> > > > ossec-list+unsubscribegooglegroups.com or reply to this email with the words
> > > > "REMOVE ME" as the subject.
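The rules Daniel posted above silence 5501/5502 by hostname and user only, because PAM session lines carry no source address, while 5715 is silenced by hostname, user and source IP. The following simulation, added here and not part of the thread or of OSSEC, replays those three local rules over constructed sshd and PAM log lines so the resulting alert set can be inspected. It assumes addresses 10.0.0.1 and 10.0.0.2 for srv1 and srv2 (the thread only writes "srv1ip"/"srv2ip") and uses simplified regexes in place of the real OSSEC decoders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed addresses for the two servers (the thread only says "srv1ip"/"srv2ip").
HOSTS = {"srv1": "10.0.0.1", "srv2": "10.0.0.2"}
TRUSTED_USER = "beauser"

# Simplified stand-ins for the OSSEC decoders behind rules 5715 (sshd) and 5501/5502 (PAM).
SSHD_ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<srcip>\S+) port")
PAM_SESSION = re.compile(
    r"pam_unix\([^:]+:session\): session (?P<action>opened|closed) for user (?P<user>\S+)"
)


@dataclass
class Alert:
    host: str
    sid: int
    user: str
    srcip: Optional[str]  # PAM events carry no source address


def decode(host: str, line: str) -> List[Alert]:
    """Map one syslog line to the base alert OSSEC would raise for it (5715, 5501 or 5502)."""
    m = SSHD_ACCEPTED.search(line)
    if m:
        return [Alert(host, 5715, m["user"], m["srcip"])]
    m = PAM_SESSION.search(line)
    if m:
        return [Alert(host, 5501 if m["action"] == "opened" else 5502, m["user"], None)]
    return []


def suppressed(alert: Alert) -> bool:
    """Mirror of local rules 100501/100502/100503 from the thread (level 0 = drop)."""
    if alert.host not in HOSTS or alert.user != TRUSTED_USER:
        return False
    if alert.sid in (5501, 5502):
        # Rule 100501: PAM logs have no IP, so beauser's PAM events on srv1|srv2
        # are dropped no matter which host the session came from.
        return True
    if alert.sid == 5715:
        # Rules 100502/100503: only drop sshd logins whose source is the other server.
        peer_ips = {ip for h, ip in HOSTS.items() if h != alert.host}
        return alert.srcip in peer_ips
    return False


def remaining_alerts(events: List[Tuple[str, str]]) -> List[Alert]:
    """Alerts that survive the suppression rules, in input order."""
    return [a for host, line in events for a in decode(host, line) if not suppressed(a)]


# Constructed sample events (hostname, log line); not taken from the thread.
SAMPLE_EVENTS = [
    # srv1 -> srv2 scripted login: all three alerts should be silenced
    ("srv2", "sshd[1201]: Accepted publickey for beauser from 10.0.0.1 port 50100 ssh2"),
    ("srv2", "sshd[1201]: pam_unix(sshd:session): session opened for user beauser by (uid=0)"),
    ("srv2", "sshd[1201]: pam_unix(sshd:session): session closed for user beauser"),
    # beauser from a third host: the sshd alert stays, but the PAM alert is still dropped
    ("srv2", "sshd[1302]: Accepted password for beauser from 192.0.2.50 port 40100 ssh2"),
    ("srv2", "sshd[1302]: pam_unix(sshd:session): session opened for user beauser by (uid=0)"),
    # another user from srv1: both alerts stay
    ("srv2", "sshd[1403]: Accepted password for alice from 10.0.0.1 port 40200 ssh2"),
    ("srv2", "sshd[1403]: pam_unix(sshd:session): session opened for user alice by (uid=0)"),
    # beauser on a host outside srv1|srv2: untouched by the local rules
    ("db1", "sshd[77]: pam_unix(sshd:session): session opened for user beauser by (uid=0)"),
]

if __name__ == "__main__":
    for a in remaining_alerts(SAMPLE_EVENTS):
        print(f"{a.host}: rule {a.sid} user={a.user} srcip={a.srcip}")
```

Running it shows why the reporter still sees an alert for beauser from another host: only the 5715 sshd alert survives, since rule 100501 drops beauser's PAM events on srv1 and srv2 regardless of origin. Note also that the real rule uses `<match>user beauser</match>`, a substring match, so a user name such as beauser2 would be silenced too; the simulation compares the user name exactly.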
