So where is the hack?
--
Sent from my iPhone
On Mar 3, 2011, at 5:06 PM, jplee3 <[email protected]> wrote:
Whitelisting the scanner doesn't solve the problem, because someone
else might inadvertently scan one system and cause AR to fire on a
completely different system where it shouldn't have fired.
I basically just want AR to fire for a specific group of machines
whenever a certain alert gets tripped on only those machines.
I think I figured it out either way though. This appears to do the
job:
<rule id="5722" level="5">
<if_sid>5710</if_sid>
<hostname>ssh1|ssh2<hostname>
<match>illegal user|invalid user</match>
<description>Attempt to login using a non-existent user</
description>
<group>invalid_login,authentication_failed,</group>
</rule>
<rule id="5723" level="10" frequency="10" timeframe="120">
<if_matched_sid>5722</if_matched_sid>
<description>SSHD brute force trying to get access to </
description>
<description>the system.</description>
<same_source_ip />
<group>authentication_failures,</group>
</rule>
On Mar 3, 1:32 pm, satish patel <[email protected]> wrote:
I'd say use whitelist. and add your scannser IP in whitelist
I have same issue and and i guess that is only option we have.
On Thu, Mar 3, 2011 at 4:21 PM, jplee3 <[email protected]> wrote:
Hey guys,
So I noticed this while running an internal Nessus scan on the
network. Apparently AR kicked in because certain rules fired (5712
to
be exact) which are not host-specific and ended up null-routing the
Nessus scanner machine on the defined-agents I have setup for AR.
Anyway, I just came across this -http://www.ossec.net/wiki/Know_How:Ignore_Rules
Can I add multiple hostnames delimited by "," or "|" so that the
rules
(and subsequently the ARs) will fire only on the hosts of origin?
I would use "local" but I want AR to occur on a subset of my agents
(not all of them).
Unless there's another way to do this.
Any ideas?
