On Aug 3, 2015 11:41 AM, "Björn" <[email protected]> wrote:
>
> Hello,
>
> I try to exclude this event:
>
>
> OSSEC HIDS Notification.
> 2015 Jul 02 12:12:14
>
> Received From: (jump02) 10.13.16.7->\Logfiles\Firewall\pfirewall.log
> Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same source."
> Portion of the log(s):
>
> 2015-07-02 12:11:59 DROP TCP 10.13.1.6 10.13.16.7 443 3573 40 A 2313797595 2078887944 7504 - - - RECEIVE

I can't run these through ossec-logtest at the moment, but does the 16.7
address decode to be the source ip?

> 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE
> 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563535 7504 - - - RECEIVE
> 2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455107 7504 - - - RECEIVE
> 2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455106 7504 - - - RECEIVE
> 2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 1715023945 7504 - - - RECEIVE
> 2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 1715023944 7504 - - - RECEIVE
> 2015-07-02 12:11:50 DROP TCP 10.13.1.6 10.13.16.7 443 3566 40 A 1087397228 121698030 7504 - - - RECEIVE
> 2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 2382348392 7504 - - - RECEIVE
> 2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 2382348391 7504 - - - RECEIVE
> 2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402708 7504 - - - RECEIVE
> 2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402707 7504 - - - RECEIVE
>
>
>
>  --END OF NOTIFICATION
>
>
> with this rule without success:
>
>  <rule id="100002" level="10">
>  <if_sid>4151</if_sid>
>  <srcip>10.13.16.7</srcip>
>  <match>10.13.1.6</match>
>  <description>#100882</description>
>  </rule>
>
>
> But we are still receiving mails for these events. Do you have an idea what's
> wrong?
>
> Thanks!
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

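The reply's question is the crux: in the Windows Firewall log format these lines follow (fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path), 10.13.1.6 is the source and 10.13.16.7 is the destination, so a rule keyed on `<srcip>10.13.16.7</srcip>` never matches. The script below is an added example, not code from the thread or from OSSEC: it splits the posted log lines by that field order and emulates the `<srcip>`, `<dstip>` and `<match>` conditions of a rule; the field names and the `rule_matches` helper are mine, and what OSSEC's own decoder extracts should still be confirmed with ossec-logtest.

```python
# Field order of a Windows Firewall pfirewall.log record, as given by the
# "#Fields:" header those logs carry.
FIELDS = ("date", "time", "action", "protocol", "srcip", "dstip",
          "srcport", "dstport", "size", "tcpflags", "tcpsyn", "tcpack",
          "tcpwin", "icmptype", "icmpcode", "info", "path")

# Two of the DROP records quoted in the thread.
SAMPLE = [
    "2015-07-02 12:11:59 DROP TCP 10.13.1.6 10.13.16.7 443 3573 40 A "
    "2313797595 2078887944 7504 - - - RECEIVE",
    "2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A "
    "1914956515 1862563536 7504 - - - RECEIVE",
]


def decode(line):
    """Split one pfirewall.log line into named fields, keeping the raw text."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %d" % len(parts))
    event = dict(zip(FIELDS, parts))
    event["raw"] = line
    return event


def rule_matches(event, srcip=None, dstip=None, match=None):
    """Emulate a rule's <srcip>, <dstip> and <match> conditions (hypothetical
    helper): every condition supplied must hold for the rule to fire."""
    if srcip is not None and event["srcip"] != srcip:
        return False
    if dstip is not None and event["dstip"] != dstip:
        return False
    if match is not None and match not in event["raw"]:
        return False
    return True


def check_rule(lines, **conds):
    """Return how many of the lines a rule with these conditions fires on."""
    return sum(rule_matches(decode(line), **conds) for line in lines)


if __name__ == "__main__":
    # Conditions as posted: the 16.7 host is the destination, so no match.
    print("as posted:", check_rule(SAMPLE, srcip="10.13.16.7", match="10.13.1.6"))
    # Same hosts in the roles the log format gives them: every line matches.
    # Note that a rule meant to silence alerts also needs level="0"; the
    # posted rule keeps level="10", so even a matching rule would still alert.
    print("by field order:", check_rule(SAMPLE, srcip="10.13.1.6", dstip="10.13.16.7"))
```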