Hello,
Here is my question: we have a security scanner running every day. Now I want to ignore it, but the issue is its IPv6 address. I don't know how to ignore IPv6; I tried, but OSSEC is not accepting it.
I tried the following rule, but it isn't working:
```xml
<!-- Child of 5712 (SSHD brute force, level 10) that suppresses the alert
     for the scanner. The log records the source as an IPv4-mapped IPv6
     address (::ffff:172.24.1.32), so a plain-IPv4 <srcip> never matches
     the decoded source; matching the literal address string in the log
     line with <match> is what actually identifies these events. -->
<rule id="100006" level="0">
  <if_sid>5712</if_sid>
  <!-- Redundant with if_sid: rule 5712 is already level 10. -->
  <if_level>10</if_level>
  <options>no_email_alert</options>
  <!-- OSSEC <match> is a plain substring pattern, so the mapped form matches as written. -->
  <match>::ffff:172.24.1.32</match>
  <description>Ignore scanner alerts</description>
</rule>
```
My alerts:
```text
Received From: (dev01) 172.24.146.57->/var/log/secure
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):
Apr 26 01:08:05 dev01 sshd[21914]: Failed none for invalid user _e4w0x4pp2l1f from ::ffff:172.24.1.32 port 54231 ssh2
Apr 26 01:08:05 dev01 sshd[21914]: Invalid user _e4w0x4pp2l1f from ::ffff:172.24.1.32
Apr 26 01:08:05 dev01 sshd[21910]: Failed keyboard-interactive/pam for invalid user twn56nkyh from ::ffff:172.24.1.32 port 54230 ssh2
```
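The core of the problem above is that sshd logs the scanner's IPv4 address in IPv4-mapped IPv6 form (`::ffff:172.24.1.32`), so a plain `172.24.1.32` never string-matches it. The following is an added example (not from the post or from OSSEC) showing how a triage step can normalise the source address before comparing it with a known-scanner list; the log lines and the `SCANNER_ADDRESSES` allowlist are constructed for the example.

```python
import ipaddress
import re

# Constructed sample, modelled on the sshd lines quoted in the post, plus one
# unrelated failure that must NOT be suppressed.
SAMPLE_LOG = """\
Apr 26 01:08:05 dev01 sshd[21914]: Failed none for invalid user _e4w0x4pp2l1f from ::ffff:172.24.1.32 port 54231 ssh2
Apr 26 01:08:05 dev01 sshd[21914]: Invalid user _e4w0x4pp2l1f from ::ffff:172.24.1.32
Apr 26 01:08:05 dev01 sshd[21910]: Failed keyboard-interactive/pam for invalid user twn56nkyh from ::ffff:172.24.1.32 port 54230 ssh2
Apr 26 01:09:11 dev01 sshd[21950]: Failed password for invalid user admin from 10.9.8.7 port 40122 ssh2
"""

# Hypothetical allowlist: the scanner as the operator knows it (plain IPv4).
SCANNER_ADDRESSES = {"172.24.1.32"}

# sshd writes the peer address after the word "from".
FROM_RE = re.compile(r"\bfrom (\S+)")


def normalize_source(raw):
    """Canonical address string; an IPv4-mapped IPv6 address is unwrapped to its IPv4 form."""
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def extract_source(line):
    """Normalised source address of one sshd line, or None if none is present."""
    m = FROM_RE.search(line)
    if not m:
        return None
    try:
        return normalize_source(m.group(1))
    except ValueError:  # "from" followed by something that is not an address
        return None


def is_scanner(line):
    src = extract_source(line)
    return src is not None and src in SCANNER_ADDRESSES


def triage(log_text):
    """Split lines into (suppressed, kept): known-scanner noise versus events still worth alerting on."""
    suppressed, kept = [], []
    for line in log_text.splitlines():
        (suppressed if is_scanner(line) else kept).append(line)
    return suppressed, kept
```

Comparing on the normalised value means the same allowlist entry covers both `172.24.1.32` and `::ffff:172.24.1.32`, while the unrelated `10.9.8.7` failure is still kept.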