Ah okay, thanks for your help. I got it and understand it now! It seems we've got multiple srcips.
On Monday, 3 August 2015 17:59:23 UTC+2, dan (ddpbsd) wrote:
> On Aug 3, 2015 11:56 AM, "Björn" <[email protected]> wrote:
> >
> > bin/ossec-logtest
> > 2015/08/03 17:47:39 ossec-testrule: INFO: Reading local decoder file.
> > 2015/08/03 17:47:39 ossec-testrule: INFO: Started (pid: 22641).
> > ossec-testrule: Type one log per line.
> >
> > 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE
> >
> > **Phase 1: Completed pre-decoding.
> > full event: '2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE'
> > hostname: 'webint'
> > program_name: '(null)'
> > log: '2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE'
> >
> > **Phase 2: Completed decoding.
> > decoder: 'windows-date-format'
> > action: 'DROP'
> > proto: 'TCP'
> > srcip: '10.13.1.6'
> > dstip: '10.13.16.7'
>
> 16.7 is being decoded as the destination IP, 1.6 is the source.
>
> > srcport: '443'
> > dstport: '3572'
> >
> > **Phase 3: Completed filtering (rules).
> > Rule id: '4101'
> > Level: '5'
> > Description: 'Firewall drop event.'
> > ^C
> >
> > Yes, I think so.
> >
> > On Monday, 3 August 2015 17:44:45 UTC+2, dan (ddpbsd) wrote:
> > > On Aug 3, 2015 11:41 AM, "Björn" <[email protected]> wrote:
> > > >
> > > > Hello,
> > > >
> > > > I'm trying to exclude this event:
> > > >
> > > > OSSEC HIDS Notification.
> > > > 2015 Jul 02 12:12:14
> > > >
> > > > Received From: (jump02) 10.13.16.7->\Logfiles\Firewall\pfirewall.log
> > > > Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same source."
> > > > Portion of the log(s):
> > > >
> > > > 2015-07-02 12:11:59 DROP TCP 10.13.1.6 10.13.16.7 443 3573 40 A 2313797595 2078887944 7504 - - - RECEIVE
> > >
> > > I can't run these through ossec-logtest at the moment, but does the 16.7 address decode to be the source ip?
> > >
> > > > 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563536 7504 - - - RECEIVE
> > > > 2015-07-02 12:11:58 DROP TCP 10.13.1.6 10.13.16.7 443 3572 40 A 1914956515 1862563535 7504 - - - RECEIVE
> > > > 2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455107 7504 - - - RECEIVE
> > > > 2015-07-02 12:11:57 DROP TCP 10.13.1.6 10.13.16.7 443 3571 40 A 1983683511 660455106 7504 - - - RECEIVE
> > > > 2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 1715023945 7504 - - - RECEIVE
> > > > 2015-07-02 12:11:56 DROP TCP 10.13.1.6 10.13.16.7 443 3568 40 A 1348841012 1715023944 7504 - - - RECEIVE
> > > > 2015-07-02 12:11:50 DROP TCP 10.13.1.6 10.13.16.7 443 3566 40 A 1087397228 121698030 7504 - - - RECEIVE
> > > > 2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 2382348392 7504 - - - RECEIVE
> > > > 2015-07-02 12:11:49 DROP TCP 10.13.1.6 10.13.16.7 443 3563 40 A 524181289 2382348391 7504 - - - RECEIVE
> > > > 2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402708 7504 - - - RECEIVE
> > > > 2015-07-02 12:11:46 DROP TCP 10.13.1.6 10.13.16.7 443 3562 40 A 1283761885 1189402707 7504 - - - RECEIVE
> > > >
> > > > --END OF NOTIFICATION
> > > >
> > > > with this rule, without success:
> > > >
> > > > <rule id="100002" level="10">
> > > >   <if_sid>4151</if_sid>
> > > >   <srcip>10.13.16.7</srcip>
> > > >   <match>10.13.1.6</match>
> > > >   <description>#100882</description>
> > > > </rule>
> > > >
> > > > But we are still receiving mails for these events. Do you have an idea what's wrong?
> > > >
> > > > Thanks!

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
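For reference, a corrected local rule that follows from the ossec-logtest output above. This is an added example, not something posted in the thread and not OSSEC's own ruleset: the addresses are the decoded srcip/dstip values shown in Phase 2, while the rule id, the group name and the description text are arbitrary choices, and the level is set to 0 so that OSSEC drops the alert instead of mailing it. The original rule tested `<srcip>` against 10.13.16.7, but the windows-date-format decoder assigns the fields in pfirewall.log column order (action, proto, srcip, dstip, srcport, dstport), so srcip is 10.13.1.6 and that condition can never be true.

```xml
<!-- Added example (not from the thread): silences rule 4151 for the flow
     10.13.1.6 -> 10.13.16.7 seen in the notification. Goes into
     rules/local_rules.xml; group name, rule id and description are assumed. -->
<group name="local,firewall,">

  <rule id="100002" level="0">
    <if_sid>4151</if_sid>
    <!-- srcip/dstip are matched against the fields the decoder produced,
         i.e. the values printed by ossec-logtest in Phase 2, not against
         the raw log text. -->
    <srcip>10.13.1.6</srcip>
    <dstip>10.13.16.7</dstip>
    <description>Ignored: repeated firewall drops from 10.13.1.6 to 10.13.16.7 (ticket #100882).</description>
  </rule>

</group>
```

Two things worth checking after adding it: run a sample line through bin/ossec-logtest as in the thread to confirm the srcip/dstip assignment on your own decoders before hard-coding addresses, and note that this only suppresses the aggregate 4151 alert; each single drop still matches 4101 at level 5, so if those are also unwanted, the same srcip/dstip conditions can be applied in a second level-0 rule with `<if_sid>4101</if_sid>`.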
