Dan,

Thanks. The "local_ip" setting appears to be what I need. I'll investigate further to see if inodes are the culprit for the syscheck issue.

Regarding item #3: One alert contains an IP address (the successful SSH session), but the other two alerts are from PAM and do NOT contain an IP address, making it difficult to create an exclusion rule with a level of 0. I didn't know if there was a way to say "if rule x hit within the last few seconds, and this event has criteria x and y, then use a level of 0". Hopefully that makes sense. Again, appreciate all of your help.

On Wed, Sep 29, 2010 at 12:52 PM, dan (ddp) <[email protected]> wrote:
> On Wed, Sep 29, 2010 at 12:21 PM, Chris Decker <[email protected]> wrote:
> > Ever helpful OSSEC list,
> >
> > I have three items I'm trying to figure out:
> >
> > How can I get the OSSEC server process to bind to a network interface of my choosing? I'm guessing I can do something when compiling, but is there a parameter that can be changed to make this happen? I found an existing thread titled "How do you force the OSSEC agent to use a particular network interface" but there was no conclusion. I use a software firewall but would like to use defense in depth and not listen unnecessarily on an interface.
>
> Look at the option "local_ip" on the following page:
> http://www.ossec.net/doc/syntax/head_ossec_config.remote.html
>
> > I have syscheck watching /etc/hosts.allow in realtime with the new report_changes option. I modified this file (added a new line with a comment) and received an alert as expected. When I removed the comment I got another alert saying "File '/etc/hosts.allow' was deleted. Unable to retrieve checksum". I expected to just get another alert saying the checksum had changed. Can someone explain this to me?
>
> For some reason syscheck seems to think the file was deleted entirely. Make sure the file is still there.
> Here's a test, but I'm not entirely sure how worthwhile it is. Try the following:
> ls -li /etc/hosts.allow
> EDIT /etc/hosts.allow just like you had done before (using the same application), and hopefully receive an alert about it being modified
> ls -li /etc/hosts.allow
> EDIT /etc/hosts.allow to remove the previous edit (again, just like you had done before)
> ls -li /etc/hosts.allow
>
> I'm wondering if a change in inodes or something might be confusing the system (I don't know enough about the inotify support to know if this might be an issue).
>
> Also, do you have all of /etc set up for realtime alerts? You can't set up individual files for realtime monitoring, just directories.
>
> > We use Nagios to periodically log in to our servers (using SSH) to retrieve status information on processes. Every time this happens I get the successful SSH connection alert and 2 additional alerts related to PAM/login. Is there an easy way to suppress these alerts if they happen all within a second of one another?
> >
> > As always, help is appreciated.
> >
> > Thanks,
> > Chris
>
> Write a few rules to ignore those alerts from the nagios server IP.
>
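The "if rule x hit within the last few seconds, then use a level of 0" idea from the message above, worked through as a small correlator over constructed alert records. This is an added illustration of the logic, not OSSEC's own code and not from anyone in the thread; the rule ids (5715 for the SSH login, 5501/5502 for the PAM session alerts), the poller address 192.0.2.10 and the sample records are assumptions.

```python
"""Time-window suppression of the PAM alerts that follow a Nagios SSH login.
Added illustration, not OSSEC code: ids, addresses and records are assumed."""
from dataclasses import dataclass

NAGIOS_IP = "192.0.2.10"    # assumed address of the Nagios poller
SSH_SUCCESS = 5715          # assumed OSSEC rule id for a successful SSH login
PAM_SESSION = {5501, 5502}  # assumed OSSEC rule ids for PAM session open/close
WINDOW = 2.0                # seconds after the login during which PAM noise is dropped

@dataclass
class Alert:
    ts: float        # epoch seconds
    host: str        # agent that produced the alert
    rule: int        # rule id that fired
    level: int       # level OSSEC assigned
    srcip: str = ""  # empty for the PAM alerts, which carry no IP

def suppress_nagios_noise(alerts):
    """Return (alert, effective_level) pairs in time order.
    State is just the time of the last Nagios login per host; a PAM session
    alert on that host within WINDOW seconds of it is downgraded to level 0."""
    last_login = {}
    out = []
    for a in sorted(alerts, key=lambda x: x.ts):
        level = a.level
        if a.rule == SSH_SUCCESS and a.srcip == NAGIOS_IP:
            last_login[a.host] = a.ts  # the one alert that carries the IP
            level = 0
        elif a.rule in PAM_SESSION:
            seen = last_login.get(a.host)
            if seen is not None and 0 <= a.ts - seen <= WINDOW:
                level = 0              # IP-less follow-up, suppressed by context
        out.append((a, level))
    return out

# Constructed sample: a Nagios poll of web1, an unrelated PAM session on db1,
# then a human SSH login to web1 from another address outside the window.
SAMPLE = [
    Alert(1000.0, "web1", SSH_SUCCESS, 3, NAGIOS_IP),
    Alert(1000.4, "web1", 5501, 3),
    Alert(1001.1, "web1", 5502, 3),
    Alert(1000.5, "db1", 5501, 3),
    Alert(1010.0, "web1", SSH_SUCCESS, 3, "198.51.100.7"),
    Alert(1010.3, "web1", 5501, 3),
]

if __name__ == "__main__":
    for alert, level in suppress_nagios_noise(SAMPLE):
        print(f"{alert.ts:7.1f} {alert.host:4} rule {alert.rule} -> level {level}")
```

Keying the exception on the poller's address, the same host and a short window is what keeps it narrow: a PAM session with no matching poller login, on another host, or outside the window is still reported at its normal level.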
