**Phase 1: Completed pre-decoding.
full event: '2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402707 7504 - - - RECEIVE'
hostname: 'ossec'
program_name: '(null)'
log: '2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402707 7504 - - - RECEIVE'
**Phase 2: Completed decoding.
decoder: 'windows-date-format'
action: 'DROP'
proto: 'TCP'
srcip: '10.13.1.6'
dstip: '10.13.16.7'
srcport: '443'
dstport: '3562'
**Phase 3: Completed filtering (rules).
Rule id: '4101'
Level: '5'
Description: 'Firewall drop event.'
Against rule.
<rule id="100002" level="10">
<if_sid>4151</if_sid>
<srcip>10.13.16.7</srcip>
<match>10.13.1.6</match>
<description>#100882</description>
</rule>
Looks like the srcip is incorrect, as is the rule you're looking for.
Also, depending on your alert level, level 10 may still generate emails.
You may want to rewrite that as 0. Something like this:
<rule id="100002" level="0">
<if_sid>4101</if_sid>
<srcip>10.13.1.6</srcip>
<description>Quiet 10.13.1.6 noise</description>
</rule>
On Monday, August 3, 2015 at 8:41:20 AM UTC-7, Björn wrote:
>
> Hello,
>
> I try to exclude this event:
>
>
> OSSEC HIDS Notification.
> 2015 Jul 02 12:12:14
>
> Received From: (jump02) 10.13.16.7->\Logfiles\Firewall\pfirewall.log
> Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same source."
> Portion of the log(s):
>
> 2015-07-02 12:11:59 DROP TCP 10.13.1.6 10.13.16.7 443 3573 40 A 2313797595 2078887944 7504 - - - RECEIVE
> 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE
> 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563535 7504 - - - RECEIVE
> 2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455107 7504 - - - RECEIVE
> 2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455106 7504 - - - RECEIVE
> 2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 1715023945 7504 - - - RECEIVE
> 2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 1715023944 7504 - - - RECEIVE
> 2015-07-02 12:11:50 DROP TCP 10.13.1.6 10.13.16.7 443 3566 40 A 1087397228 121698030 7504 - - - RECEIVE
> 2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 2382348392 7504 - - - RECEIVE
> 2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 2382348391 7504 - - - RECEIVE
> 2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402708 7504 - - - RECEIVE
> 2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402707 7504 - - - RECEIVE
>
>
>
> --END OF NOTIFICATION
>
>
> with this rule without success:
>
> <rule id="100002" level="10">
> <if_sid>4151</if_sid>
> <srcip>10.13.16.7</srcip>
> <match>10.13.1.6</match>
> <description>#100882</description>
> </rule>
>
>
> But we are still receiving mails for these events. Do you have an idea what's
> wrong?
>
> Thanks!
>
>
>
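To make the reply's point concrete, here is an added example (not from the thread and not OSSEC's own code): a small Python model of how a child rule is evaluated against the decoded event from the logtest output above. The if_sid / srcip / match semantics are simplified assumptions about OSSEC's matching, and the log line is the one quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Sample input: one pfirewall.log line from the thread (constructed copy).
LOG = ("2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A "
       "1283761885 1189402707 7504 - - - RECEIVE")

# Field order as the windows-date-format decoder reported it in ossec-logtest.
def decode(log):
    f = log.split()
    return {"action": f[2], "proto": f[3], "srcip": f[4], "dstip": f[5],
            "srcport": f[6], "dstport": f[7]}

# The rule from the original question and the corrected one from the reply.
ORIGINAL_RULE = """<rule id="100002" level="10">
  <if_sid>4151</if_sid>
  <srcip>10.13.16.7</srcip>
  <match>10.13.1.6</match>
  <description>#100882</description>
</rule>"""

FIXED_RULE = """<rule id="100002" level="0">
  <if_sid>4101</if_sid>
  <srcip>10.13.1.6</srcip>
  <description>Quiet 10.13.1.6 noise</description>
</rule>"""

def rule_matches(rule_xml, log, parent_id):
    """Simplified OSSEC semantics (assumption): a child rule is only
    evaluated when its <if_sid> parent fired for this event; <srcip>
    must equal the decoded srcip; <match> is a substring of the raw log."""
    rule = ET.fromstring(rule_xml)
    fields = decode(log)
    if_sid = rule.findtext("if_sid")
    if if_sid is not None and if_sid != parent_id:
        return False          # parent rule did not fire for this event
    srcip = rule.findtext("srcip")
    if srcip is not None and srcip != fields["srcip"]:
        return False          # srcip is the *sender* of the dropped packet
    match = rule.findtext("match")
    if match is not None and match not in log:
        return False
    return True

def evaluate(rule_xml, log, parent_id="4101"):
    """Return (matched, level): level 0 on a match means the alert is silenced.
    Default parent is 4101, the rule logtest showed firing for a single event."""
    rule = ET.fromstring(rule_xml)
    return rule_matches(rule_xml, log, parent_id), int(rule.get("level"))
```

Running `evaluate` on both rules shows the original never matches (wrong parent and wrong srcip) while the corrected rule matches at level 0, so 4101 no longer fires for this source and the 4151 frequency rule has nothing to count.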