Be careful using rule IDs in OSSEC ranges. 5722 and 5723 are already being used. ;)
On Thu, Mar 3, 2011 at 5:06 PM, jplee3 <[email protected]> wrote: > Whitelisting the scanner doesn't solve the problem, because someone > else might inadvertently scan one system and cause AR to fire on a > completely different system where it shouldn't have fired. > > I basically just want AR to fire for a specific group of machines > whenever a certain alert gets tripped on only those machines. > > I think I figured it out either way though. This appears to do the > job: > > <rule id="5722" level="5"> > <if_sid>5710</if_sid> > <hostname>ssh1|ssh2<hostname> > <match>illegal user|invalid user</match> > <description>Attempt to login using a non-existent user</ > description> > <group>invalid_login,authentication_failed,</group> > </rule> > > > <rule id="5723" level="10" frequency="10" timeframe="120"> > <if_matched_sid>5722</if_matched_sid> > <description>SSHD brute force trying to get access to </ > description> > <description>the system.</description> > <same_source_ip /> > <group>authentication_failures,</group> > </rule> > > > > > > On Mar 3, 1:32 pm, satish patel <[email protected]> wrote: >> I'd say use whitelist. and add your scannser IP in whitelist >> >> I have same issue and and i guess that is only option we have. >> >> On Thu, Mar 3, 2011 at 4:21 PM, jplee3 <[email protected]> wrote: >> > Hey guys, >> >> > So I noticed this while running an internal Nessus scan on the >> > network. Apparently AR kicked in because certain rules fired (5712 to >> > be exact) which are not host-specific and ended up null-routing the >> > Nessus scanner machine on the defined-agents I have setup for AR. >> >> > Anyway, I just came across this >> > -http://www.ossec.net/wiki/Know_How:Ignore_Rules >> >> > Can I add multiple hostnames delimited by "," or "|" so that the rules >> > (and subsequently the ARs) will fire only on the hosts of origin? >> >> > I would use "local" but I want AR to occur on a subset of my agents >> > (not all of them). >> >> > Unless there's another way to do this. >> >> > Any ideas? >> >>
