SOLVED!!! I have created three rules and used the <match> option in place of srcip.
Thanks, the ossec-logtest tool helped me to pinpoint the issue. :) Still, your advice is accepted.
-S

On Wed, Apr 27, 2011 at 11:05 AM, satish patel <[email protected]> wrote:
> Hello,
>
> Here is my question: we have a security scanner running every day, and now I
> want to ignore it, but the issue is its IPv6 address. I don't know how to
> ignore IPv6; I tried, but OSSEC is not accepting it.
>
> I tried the following rule but it isn't working:
>
> <rule id="100006" level="0">
>   <if_sid>5712</if_sid>
>   <options>no_email_alert</options>
>   <if_level>10</if_level>
>   <srcip>172.24.1.32</srcip>
>   <match>::ffff:172.24.1.32</match>
>   <description>Ignore scanner alerts</description>
> </rule>
>
> My alerts:
>
> Received From: (dev01) 172.24.146.57->/var/log/secure
> Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
> Portion of the log(s):
>
> Apr 26 01:08:05 dev01 sshd[21914]: Failed none for invalid user _e4w0x4pp2l1f from ::ffff:172.24.1.32 port 54231 ssh2
> Apr 26 01:08:05 dev01 sshd[21914]: Invalid user _e4w0x4pp2l1f from ::ffff:172.24.1.32
> Apr 26 01:08:05 dev01 sshd[21910]: Failed keyboard-interactive/pam for invalid user twn56nkyh from ::ffff:172.24.1.32 port 54230 ssh2
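As an added example (not code from the thread or from the OSSEC project), the Python below shows the mismatch the original question ran into and one way to handle it. The sshd lines carry the scanner as an IPv4-mapped IPv6 literal (::ffff:172.24.1.32), so a whole-field comparison against the plain IPv4 string 172.24.1.32 fails, while unwrapping the mapped form with the standard `ipaddress` module lets a single allowlist entry cover both spellings. The log lines are the ones quoted in the alert plus one constructed line for a non-scanner host; the allowlist contents, the function names and the assumption that the decoded source field is the literal string shown in the log are all mine, not OSSEC's.

```python
import ipaddress
import re

# Three lines copied from the alert quoted above, plus one constructed line
# for an unrelated host that must still raise an alert.
SAMPLE_LOG = [
    "Apr 26 01:08:05 dev01 sshd[21914]: Failed none for invalid user _e4w0x4pp2l1f from ::ffff:172.24.1.32 port 54231 ssh2",
    "Apr 26 01:08:05 dev01 sshd[21914]: Invalid user _e4w0x4pp2l1f from ::ffff:172.24.1.32",
    "Apr 26 01:08:05 dev01 sshd[21910]: Failed keyboard-interactive/pam for invalid user twn56nkyh from ::ffff:172.24.1.32 port 54230 ssh2",
    "Apr 26 01:09:11 dev01 sshd[21950]: Failed password for invalid user admin from 10.0.0.7 port 40011 ssh2",  # constructed
]

# Scanner addresses as an admin would write them: plain IPv4 (assumed allowlist).
SCANNER_ALLOWLIST = {"172.24.1.32"}

# sshd prints the peer as "from <addr>" optionally followed by "port <n>".
_SRC_RE = re.compile(r"\bfrom (\S+)(?: port \d+)?")


def extract_srcip(line):
    """Return the source address string from an sshd log line, or None."""
    m = _SRC_RE.search(line)
    return m.group(1) if m else None


def canonical_ip(text):
    """Normalize an address: IPv4-mapped IPv6 (::ffff:a.b.c.d) becomes a.b.c.d.

    Raises ValueError for anything that is not a valid IP literal.
    """
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def srcip_literal_match(line, wanted="172.24.1.32"):
    """Whole-field string comparison against the plain IPv4 address.

    This is the comparison the original <srcip>172.24.1.32</srcip> rule was
    hoping for (assumption about OSSEC's behaviour): it fails on these lines
    because the decoded field is the mapped form "::ffff:172.24.1.32".
    """
    return extract_srcip(line) == wanted


def is_scanner(line, allowlist=SCANNER_ALLOWLIST):
    """True if the line's source, after normalization, is an allowlisted scanner."""
    src = extract_srcip(line)
    if src is None:
        return False
    try:
        return canonical_ip(src) in {canonical_ip(a) for a in allowlist}
    except ValueError:
        # Not an IP literal (e.g. a hostname): never silently ignore it.
        return False


def filter_alerts(lines, allowlist=SCANNER_ALLOWLIST):
    """Drop scanner traffic and keep everything else for alerting."""
    return [ln for ln in lines if not is_scanner(ln, allowlist)]


if __name__ == "__main__":
    for ln in SAMPLE_LOG:
        print(f"literal={srcip_literal_match(ln)!s:5} scanner={is_scanner(ln)!s:5} {ln}")
    print("remaining alerts:", len(filter_alerts(SAMPLE_LOG)))
```

Two practical notes. The <match> the solver switched to is a substring test against the log line, so an address that is a prefix of another (10.0.0.1 against 10.0.0.10) will over-match; comparing the whole normalized address, as `is_scanner` does, avoids that. And whichever rule form is used, running the captured lines through ossec-logtest, as the solver did, is the quickest way to confirm which rule actually fires.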
