> Do you mean multiple log messages are included in one email or
> multiple OSSEC alerts? Can you provide an example?

Sorry - yes, multiple log messages, from different servers, are included in one email.

Example of 5720:

OSSEC HIDS Notification.
2012 Apr 14 23:26:13

Received From: (HostA) 10.x.x.x->/var/log/secure
Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
Portion of the log(s):

Apr 15 03:26:29 HostA sshd[1993]: error: PAM: Authentication failure for UserA from cbigdc-padmp801.cbi.net
Apr 15 03:26:29 HostB sshd[26018]: error: PAM: Authentication failure for UserA from cbigdc-padmp801.cbi.net
Apr 15 03:26:28 HostC sshd[722]: error: PAM: Authentication failure for UserA from cbigdc-padmp801.cbi.net
Apr 14 20:26:28 HostD sshd[16629]: error: PAM: Authentication failure for UserA from cbigdc-padmp801.cbi.net
Apr 14 20:26:29 HostE sshd[6648]: error: PAM: Authentication failure for UserA from cbigdc-padmp801.cbi.net
Apr 15 03:26:28 HostF sshd[21030]: error: PAM: Authentication failure for UserA from cbigdc-padmp801.cbi.net
Apr 15 03:26:28 HostG sshd[4320]: error: PAM: Authentication failure for DOM\UserA from cbigdc-padmp801.cbi.net

--END OF NOTIFICATION

Example of 101002:

OSSEC HIDS Notification.
2012 Apr 14 23:26:08

Received From: (Host1) 10.228.0.182->/var/log/messages
Rule: 101002 fired (level 4) -> "User authentication failure."
Portion of the log(s):

Apr 15 03:26:24 Host1 lsassd[4341]: 0x479d6940:Failed to authenticate user (name = 'UserA') -> error = 40056, symbol = LW_ERROR_ACCOUNT_DISABLED, client pid = 10943
Apr 15 03:26:23 Host2 sshd[26801]: [module:pam_lsass]pam_sm_authenticate error [login:UserA][error code:40056]
Apr 15 03:26:23 Host2 lsassd[3395]: 0x4a622940:Failed to authenticate user (name = 'UserA') -> error = 40056, symbol = LW_ERROR_ACCOUNT_DISABLED, client pid = 26801
Apr 14 20:26:24 cbigdc-iecmb001 sshd[25199]: [module:pam_lsass]pam_sm_authenticate error [login:UserA][error code:40056]

--END OF NOTIFICATION

> On Wed, Apr 25, 2012 at 10:28 AM, Christina Plummer <[email protected]> wrote:
> > I still seem to get combined emails sometimes, even though I have set
> > maild.groupping=0. I also increased my <email_maxperhour> to 6000 to make
> > sure that wasn't getting in the way.
> >
> > It seems to mostly occur with rule 5720 (multiple SSHD auth failures) or my
> > local rule 101002 which tries to only send an alert when 1002 is matched 3
> > or more times in 6 minutes:
> >
> >   <!-- Ignore mistyped passwords until 3rd occurrence -->
> >   <rule id="101002" level="4" frequency="3" timeframe="360">
> >     <if_matched_sid>1002</if_matched_sid>
> >     <match>Failed to authenticate user</match>
> >     <options>alert_by_email</options>
> >     <description>User authentication failure.</description>
> >   </rule>
> >
> > The emails I get make it appear that OSSEC is considering failures on ALL
> > hosts within that timeframe, as opposed to just on a single host.
> >
> > I don't necessarily care if UserA mistyped their password on HostA twice
> > within a couple minutes of UserB mistyping their password on HostB. Is it
> > possible to adjust this behavior - to force a rule to apply on a per-host
> > basis?
> >
> > If not, can I at least force it to appear as a "multi-host" match of some
> > sort? Currently, OSSEC shows the rule as being "Received From: " the last
> > host that had a log entry which triggered the rule. I'd like to be able to
> > sort these differently - if the "last" host was a sandbox machine, I might
> > inadvertently give the whole alert less criticality than a multi-host,
> > potential brute-force attack would warrant.
> >
> No, there isn't really a way to do any of this. I think you could
> modify it to not include the sensor name in the subject, but I don't
> know how much that helps.

Can that be done only for certain rules?

> I'd start by separating the sandbox machines from production machines.
> It wouldn't hurt to keep those on different managers.

That's a thought. Currently I install and configure OSSEC agents as part of my Kickstart process, so I'd have to figure out some way to "tag" which manager they should talk to. Are multiple OSSEC managers completely separate, or is there any non-manual method for coordinating them in terms of syncing rules and configs?

Thanks,
Christina
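As an added example (not code from this thread or from OSSEC itself), a small Python triage helper that reads one grouped notification in the layout quoted above, counts how many distinct hosts the "Portion of the log(s)" section spans, and tags the alert single-host or multi-host so it is not judged only by the one "Received From" sensor. The sample notification is constructed with placeholder host and source names.

```python
import re
from collections import Counter

# Constructed sample in the OSSEC notification layout quoted in the thread
# (hosts, user and source are placeholders, not real systems).
NOTIFICATION = """OSSEC HIDS Notification.
2012 Apr 14 23:26:13

Received From: (HostA) 10.0.0.1->/var/log/secure
Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
Portion of the log(s):

Apr 15 03:26:29 HostA sshd[1993]: error: PAM: Authentication failure for UserA from jump01.example.net
Apr 15 03:26:29 HostB sshd[26018]: error: PAM: Authentication failure for UserA from jump01.example.net
Apr 15 03:26:28 HostC sshd[722]: error: PAM: Authentication failure for UserA from jump01.example.net
Apr 14 20:26:28 HostA sshd[16629]: error: PAM: Authentication failure for UserA from jump01.example.net

--END OF NOTIFICATION
"""

HEADER_RE = re.compile(r'Received From: \((?P<sensor>[^)]+)\)')
RULE_RE = re.compile(r'Rule: (?P<rule>\d+) fired \(level (?P<level>\d+)\)')
# syslog line layout: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(r'^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) ')

def triage(notification: str) -> dict:
    """Summarise one OSSEC email: which rule fired, which sensor it was
    reported from, and how many distinct hosts the grouped log lines cover."""
    sensor = HEADER_RE.search(notification)
    rule = RULE_RE.search(notification)
    hosts = Counter()
    in_logs = False
    for line in notification.splitlines():
        if line.startswith('Portion of the log(s):'):
            in_logs = True
            continue
        if line.startswith('--END OF NOTIFICATION'):
            break
        if in_logs:
            m = SYSLOG_RE.match(line)
            if m:
                hosts[m.group('host')] += 1
    return {
        'rule': int(rule.group('rule')) if rule else None,
        'level': int(rule.group('level')) if rule else None,
        'reported_from': sensor.group('sensor') if sensor else None,
        'hosts': dict(hosts),
        'scope': 'multi-host' if len(hosts) > 1 else 'single-host',
    }
```

Feeding the raw email body to `triage()` gives the per-host counts and the scope tag, which can then be used to sort or re-prioritise the alert instead of relying on the last sensor's name.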
