I'm not quite sure about using <same_source_ip /> in this case. As for the false positives, the source IP of the brute force attack and of the adduser might be from different hosts.
On Thu, Nov 17, 2011 at 1:52 AM, Franky4fngrs <[email protected]> wrote:
> Hello,
>
> I have an ossec deployment with a little over 700 agents
> communicating. The issue I am having is that rules such as 40501
> report a large number of false positives. There are a large number
> of brute force attacks across the environment at any given time.
> Whenever a legitimate user logs in the alert is triggered. I have not
> seen an obvious (to me) way to modify the rules, or groups to address
> this issue. Has anyone tackled this issue before?
>
> Thanks
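For readers who want to see what the <same_source_ip /> trade-off discussed in the reply looks like in practice, here is an added example of a local_rules.xml override for rule 40501. It is not code from the thread or from the OSSEC project: the stock 40501 is assumed to be a composite rule that fires when an event in the adduser group follows events in the authentication_failures group within its timeframe, and the level, timeframe, group names and description shown are taken from that assumption rather than copied from the shipped ruleset. OSSEC 2.x rule syntax (overwrite="yes", if_group, if_matched_group, same_source_ip) is assumed.

```xml
<!-- Added example (not from the thread or the OSSEC ruleset).
     Intended location: /var/ossec/rules/local_rules.xml, followed by a
     restart of ossec so the override is loaded. Values for level,
     timeframe and group names are assumptions about the stock rule. -->
<group name="local,attack,">

  <!-- Weak form, kept commented out for comparison. It behaves like the
       stock rule as assumed above: authentication failures on any agent,
       followed by an adduser on any agent inside the timeframe, raise the
       alert. With hundreds of agents and constant brute-force noise this
       correlates events that have nothing to do with each other, which is
       the false-positive pattern described in the original post.
  <rule id="40501" level="12" timeframe="300" overwrite="yes">
    <if_group>adduser</if_group>
    <if_matched_group>authentication_failures</if_matched_group>
    <description>Attacks followed by the addition of an user.</description>
  </rule>
  -->

  <!-- Tightened form: the matched failures and the adduser event must
       carry the same decoded source IP before the composite rule fires.
       This removes the cross-host correlations, but, as the reply points
       out, it also stops the rule from firing when the brute force and the
       account creation come from different hosts, and it can only match
       when the adduser event itself has a decoded srcip field. -->
  <rule id="40501" level="12" timeframe="300" overwrite="yes">
    <if_group>adduser</if_group>
    <if_matched_group>authentication_failures</if_matched_group>
    <same_source_ip />
    <description>Attacks followed by the addition of an user (same source IP).</description>
  </rule>

</group>
```

Before relying on the tightened rule, check with ossec-logtest that a sample adduser line from your systems actually yields a srcip in the decoded output; if it does not, the correlation condition can never be satisfied and the alert silently disappears rather than becoming more precise.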
