Whitelisting the scanner doesn't solve the problem, because someone
else might inadvertently scan one system and cause AR to fire on a
completely different system where it shouldn't have fired.
I basically just want AR to fire for a specific group of machines
whenever a certain alert gets tripped on only those machines.
I think I figured it out either way though. This appears to do the
job:
<rule id="5722" level="5">
<if_sid>5710</if_sid>
<hostname>ssh1|ssh2<hostname>
<match>illegal user|invalid user</match>
<description>Attempt to login using a non-existent user</
description>
<group>invalid_login,authentication_failed,</group>
</rule>
<rule id="5723" level="10" frequency="10" timeframe="120">
<if_matched_sid>5722</if_matched_sid>
<description>SSHD brute force trying to get access to </
description>
<description>the system.</description>
<same_source_ip />
<group>authentication_failures,</group>
</rule>
On Mar 3, 1:32 pm, satish patel <[email protected]> wrote:
> I'd say use whitelist. and add your scannser IP in whitelist
>
> I have same issue and and i guess that is only option we have.
>
> On Thu, Mar 3, 2011 at 4:21 PM, jplee3 <[email protected]> wrote:
> > Hey guys,
>
> > So I noticed this while running an internal Nessus scan on the
> > network. Apparently AR kicked in because certain rules fired (5712 to
> > be exact) which are not host-specific and ended up null-routing the
> > Nessus scanner machine on the defined-agents I have setup for AR.
>
> > Anyway, I just came across this
> > -http://www.ossec.net/wiki/Know_How:Ignore_Rules
>
> > Can I add multiple hostnames delimited by "," or "|" so that the rules
> > (and subsequently the ARs) will fire only on the hosts of origin?
>
> > I would use "local" but I want AR to occur on a subset of my agents
> > (not all of them).
>
> > Unless there's another way to do this.
>
> > Any ideas?
>
>
