2.6.15 on RHEL5

Trying to get security's much beloved nessus scans out of our alerts, I'm 
doing this:

<rule id="150140" level="0">   
    <if_level>4</if_level>
    <srcip>192.168.31.25</srcip>
    <description>Another stupid nessus scan</description>
</rule>

which is straight out of the book (I've even RTFM) and should eliminate any 
alert above level 4 from that IP.  It works for a 'normal' sid, but seems 
to fail on 'multiple'.  For instance,

OSSEC HIDS Notification.
2013 Aug 31 10:18:09

Received From: (tbtestsyslog) 192.168.27.10->/var/log/messages
Rule: 40111 fired (level 10) -> "Multiple authentication failures."
Portion of the log(s):

Aug 31 10:18:08 192.168.25.137  Aug 31 09:18:08 192.168.25.137 OA: Authentication failure for user nessus from 192.168.31.25, requesting sshd
Aug 31 10:18:07 192.168.25.137  Aug 31 09:18:07 192.168.25.137 OA: Authentication failure for user nessus from 192.168.31.25, requesting sshd
Aug 31 10:18:07 192.168.25.137  Aug 31 09:18:07 192.168.25.137 OA: Failed login attempt with user nessus from 192.168.31.25
Aug 31 10:18:05 192.168.25.137  Aug 31 09:18:05 192.168.25.137 OA: Authentication failure for user nessus from 192.168.31.25, requesting sshd
Aug 31 10:17:58 192.168.25.138  Aug 31 09:17:58 192.168.25.138 OA: Failed login attempt with user nessus from 192.168.31.25
Aug 31 10:17:57 192.168.25.138  Aug 31 09:17:57 192.168.25.138 OA: Authentication failure for user nessus from 192.168.31.25, requesting sshd
Aug 31 10:17:57 192.168.25.138  Aug 31 09:17:57 192.168.25.138 OA: Failed login attempt with user nessus from 192.168.31.25
Aug 31 10:17:55 192.168.25.138  Aug 31 09:17:54 192.168.25.138 OA: Authentication failure for user nessus from 192.168.31.25, requesting sshd
Aug 31 10:17:41 192.168.25.138  Aug 31 09:17:41 192.168.25.138 OA: Failed login attempt with user nessus from 192.168.31.25
Aug 31 10:17:40 192.168.25.138  Aug 31 09:17:40 192.168.25.138 OA: Authentication failure for user nessus from 192.168.31.25, requesting sshd
Aug 31 10:17:40 192.168.25.138  Aug 31 09:17:40 192.168.25.138 OA: Authentication failure for user nessus from 192.168.31.25, requesting sshd


What am I missing?  Or am I misinterpreting what the srcip would be in this 
case?

Thanks,

Tim
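The question above turns on which address ends up in the alert's srcip field: the scanner named in the "from <ip>" part of the message (192.168.31.25), or the host that relayed or generated the syslog line (192.168.25.137/138). The script below is an added example, not code from the post or from OSSEC. It pulls apart the double-header relayed syslog format quoted above (relay timestamp and host, original timestamp and host, then the "OA:" message), extracts user and source IP from the message text, and tallies events per extracted source IP and per reporting host. The sample lines are constructed from the post, plus one constructed line with a different user and source so the tally is not uniform; the field names (relay_host, orig_host, srcip) and the regular expressions are this example's own assumptions, not OSSEC decoder fields.

```python
import re
from collections import Counter

# Constructed sample input: four lines taken from the post, one per event,
# plus one constructed line from another host with a different user/source.
SAMPLE_LOG = """\
Aug 31 10:18:08 192.168.25.137  Aug 31 09:18:08 192.168.25.137 OA: Authentication failure for user nessus from 192.168.31.25, requesting sshd
Aug 31 10:18:07 192.168.25.137  Aug 31 09:18:07 192.168.25.137 OA: Failed login attempt with user nessus from 192.168.31.25
Aug 31 10:17:58 192.168.25.138  Aug 31 09:17:58 192.168.25.138 OA: Failed login attempt with user nessus from 192.168.31.25
Aug 31 10:17:57 192.168.25.138  Aug 31 09:17:57 192.168.25.138 OA: Authentication failure for user nessus from 192.168.31.25, requesting sshd
Aug 31 10:17:40 192.168.25.139  Aug 31 09:17:40 192.168.25.139 OA: Authentication failure for user root from 10.9.8.7, requesting sshd
"""

# Outer syslog header (relay) followed by the original header, then "OA: <msg>".
# Assumed layout, derived from the lines in the post.
LINE_RE = re.compile(
    r"^(?P<relay_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<relay_host>\S+)\s+"
    r"(?P<orig_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<orig_host>\S+) OA: (?P<msg>.*)$"
)

# The two message shapes seen in the post; user and source IP are what a
# decoder would have to extract for a srcip-based rule to match.
MSG_RE = re.compile(
    r"^(?:Authentication failure for user|Failed login attempt with user) "
    r"(?P<user>\S+) from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})"
)


def decode(line):
    """Return a dict of fields for one relayed line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {k: m.group(k) for k in ("relay_host", "orig_host", "msg")}
    mm = MSG_RE.match(event["msg"])
    event["user"] = mm.group("user") if mm else None
    event["srcip"] = mm.group("srcip") if mm else None
    return event


def tally(log_text):
    """Count events per extracted source IP and per originating host."""
    by_srcip, by_host = Counter(), Counter()
    for line in log_text.splitlines():
        ev = decode(line)
        if ev is None or ev["srcip"] is None:
            continue  # undecodable lines carry no srcip and cannot match a srcip rule
        by_srcip[ev["srcip"]] += 1
        by_host[ev["orig_host"]] += 1
    return by_srcip, by_host


def classify(log_text, rule_srcip):
    """How many events a whitelist keyed on rule_srcip covers, depending on
    which address the decoder happens to put into srcip: the address named
    in the message text, or the reporting host."""
    counts = {"by_message_srcip": 0, "by_reporting_host": 0}
    for line in log_text.splitlines():
        ev = decode(line)
        if ev is None:
            continue
        if ev["srcip"] == rule_srcip:
            counts["by_message_srcip"] += 1
        if ev["orig_host"] == rule_srcip:
            counts["by_reporting_host"] += 1
    return counts


if __name__ == "__main__":
    by_srcip, by_host = tally(SAMPLE_LOG)
    print("events per message source IP:", dict(by_srcip))
    print("events per reporting host:  ", dict(by_host))
    print("rule srcip=192.168.31.25 would cover:", classify(SAMPLE_LOG, "192.168.31.25"))
```

Running it on the constructed sample shows every nessus event keyed to 192.168.31.25 when srcip is taken from the message text, and none when it is taken from the reporting host, which is the distinction to verify (for example with ossec-logtest) before concluding that the srcip whitelist itself is wrong.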
