What "hack" are you referring to? I didn't "hack" anything.
On Mar 3, 2:24 pm, Satish Patel <[email protected]> wrote:
> So where is the hack?
>
> --
> Sent from my iPhone
>
> On Mar 3, 2011, at 5:06 PM, jplee3 <[email protected]> wrote:
>
> > Whitelisting the scanner doesn't solve the problem, because someone
> > else might inadvertently scan one system and cause AR to fire on a
> > completely different system where it shouldn't have fired.
> >
> > I basically just want AR to fire for a specific group of machines
> > whenever a certain alert gets tripped on only those machines.
> >
> > I think I figured it out either way though. This appears to do the
> > job:
> >
> > <rule id="5722" level="5">
> >   <if_sid>5710</if_sid>
> >   <hostname>ssh1|ssh2</hostname>
> >   <match>illegal user|invalid user</match>
> >   <description>Attempt to login using a non-existent user</description>
> >   <group>invalid_login,authentication_failed,</group>
> > </rule>
> >
> > <rule id="5723" level="10" frequency="10" timeframe="120">
> >   <if_matched_sid>5722</if_matched_sid>
> >   <description>SSHD brute force trying to get access to </description>
> >   <description>the system.</description>
> >   <same_source_ip />
> >   <group>authentication_failures,</group>
> > </rule>
> >
> > On Mar 3, 1:32 pm, satish patel <[email protected]> wrote:
> >> I'd say use whitelist, and add your scanner IP in whitelist.
> >>
> >> I have the same issue and I guess that is the only option we have.
> >>
> >> On Thu, Mar 3, 2011 at 4:21 PM, jplee3 <[email protected]> wrote:
> >>> Hey guys,
> >>>
> >>> So I noticed this while running an internal Nessus scan on the
> >>> network. Apparently AR kicked in because certain rules fired (5712
> >>> to be exact) which are not host-specific and ended up null-routing the
> >>> Nessus scanner machine on the defined-agents I have set up for AR.
> >>>
> >>> Anyway, I just came across this
> >>> - http://www.ossec.net/wiki/Know_How:Ignore_Rules
> >>>
> >>> Can I add multiple hostnames delimited by "," or "|" so that the
> >>> rules (and subsequently the ARs) will fire only on the hosts of origin?
> >>>
> >>> I would use "local" but I want AR to occur on a subset of my agents
> >>> (not all of them).
> >>>
> >>> Unless there's another way to do this.
> >>>
> >>> Any ideas?
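As an added illustration (not from the thread and not OSSEC's own code), the following Python models how the two rules posted above are meant to behave: rule 5722 only matches events whose hostname matches `ssh1|ssh2` and whose message matches `illegal user|invalid user`, and rule 5723 fires once 10 such matches share a source IP within 120 seconds, so a scanner hitting a host outside that list never reaches the active-response rule. It assumes unanchored, case-insensitive substring matching for `<hostname>` (which is why the posted pattern would also match a host named `ssh10`; an anchored pattern is included for comparison) and treats `frequency` as a plain threshold; all events are constructed.

```python
import re
from collections import defaultdict

# Patterns from rule 5722 as posted in the thread (assumed: unanchored,
# case-insensitive substring matching, like OSSEC's match/sregex style).
HOSTNAME_RE = re.compile(r"ssh1|ssh2", re.IGNORECASE)
# Anchored alternative so that hosts like "ssh10" or "myssh2" are not swept in.
HOSTNAME_ANCHORED_RE = re.compile(r"^ssh1$|^ssh2$", re.IGNORECASE)
MATCH_RE = re.compile(r"illegal user|invalid user", re.IGNORECASE)

# Parameters from rule 5723 as posted in the thread.
FREQUENCY = 10   # 5722 hits needed from one source (modelled as a plain threshold)
TIMEFRAME = 120  # seconds


def matches_5722(hostname, message, host_re=HOSTNAME_RE):
    """Rule 5722: both the hostname and the log message must match."""
    return bool(host_re.search(hostname)) and bool(MATCH_RE.search(message))


def fire_5723(events, host_re=HOSTNAME_RE):
    """Rule 5723: return (hostname, srcip, ts) for every firing.

    events: iterable of (hostname, srcip, ts_seconds, message), time-ordered.
    A firing needs FREQUENCY hits of 5722 from the same srcip within TIMEFRAME.
    """
    recent = defaultdict(list)  # srcip -> timestamps of recent 5722 hits
    fired = []
    for host, srcip, ts, msg in events:
        if not matches_5722(host, msg, host_re):
            continue  # out of scope: no 5722, therefore never a 5723
        hits = [t for t in recent[srcip] if ts - t <= TIMEFRAME] + [ts]
        if len(hits) >= FREQUENCY:
            fired.append((host, srcip, ts))
            hits = []  # reset the window after firing (assumption)
        recent[srcip] = hits
    return fired


def build_events():
    """Constructed sshd events: a brute force on ssh1, a scanner hitting web1
    (outside the <hostname> scope), and slow, sparse failures on ssh2."""
    ev = [("ssh1", "10.0.0.5", 1000 + 5 * i, "Invalid user admin from 10.0.0.5") for i in range(10)]
    ev += [("web1", "10.0.0.9", 1000 + 5 * i, "Invalid user test from 10.0.0.9") for i in range(10)]
    ev += [("ssh2", "10.0.0.7", 1000 + 100 * i, "Invalid user bob from 10.0.0.7") for i in range(3)]
    return sorted(ev, key=lambda e: e[2])


if __name__ == "__main__":
    for host, ip, ts in fire_5723(build_events()):
        print(f"rule 5723 fired: host={host} srcip={ip} t={ts}")
```

Only the ssh1 burst from 10.0.0.5 fires 5723; the web1 scan never matches 5722, and the ssh2 failures are inside the hostname scope but fall below the frequency within the timeframe.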
