On Mon, Dec 14, 2015 at 8:30 AM, <[email protected]> wrote:
> Hello Group and Gurus,
>
> I'm fairly new to configuring OSSEC; I have been using it as an analyst from
> Kibana and the web interface.
>
> My question is similar to what another user posted, in that I would like to
> monitor after-hours logins. However, I'm having a lot of false positives with
> a service account logging in and generating errors, so is there a way to
> create the rule below and have it only apply to regular staff logins, but
> exclude service account logins? On the other hand, I realize there could be
> situations where an attacker is going after service accounts, so maybe I
> should use the below and narrow my searches in the Kibana interface.
>
> This was from another user's suggestion:
>
> <rule id="500000" level="10">
>   <if_group>authentication</if_group>
>   <time>6 pm - 9 am</time>
>   <description>Login after hours</description>
> </rule>
>
You could add a rule to ignore the logins you don't care about. Not tested, but
something like:

<rule id="500001" level="0">
  <if_sid>500000</if_sid>
  <user>USERNAME</user>
  <description>Ignore USERNAME</description>
</rule>

Using <user>USERNAME1|USERNAME2|USERNAME3</user> might work.

> I need a step-by-step to get this rule up and running; I've never created a
> new rule in OSSEC before. How would I create it and look for it in Kibana
> and the web interface?
>
> Thanks for any of the Guru wisdom, it's very appreciated.
>
> --
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
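To see what the parent rule 500000 and the level-0 child rule 500001 would do together before loading them into OSSEC, here is an added Python simulation of that parent/child evaluation over constructed login events; it is not code from the thread or from OSSEC. The service-account names, the event fields, and the use of a Python regex to approximate OSSEC's `<user>` matching are assumptions.

```python
import re
from datetime import time

# Constructed rule set mirroring the thread: 500000 alerts on any authentication
# event in the 6 pm - 9 am window; 500001 (level 0) silences it for service accounts.
RULES = [
    {"id": 500000, "level": 10, "if_group": "authentication",
     "time": "6 pm - 9 am", "description": "Login after hours"},
    {"id": 500001, "level": 0, "if_sid": 500000,
     "user": "svc_backup|svc_monitor", "description": "Ignore service accounts"},
]

def parse_clock(text):
    """Turn '6 pm' or '9:30 am' into a datetime.time (12-hour form used in <time>)."""
    m = re.fullmatch(r"\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)\s*", text, re.I)
    hour, minute, ampm = int(m.group(1)), int(m.group(2) or 0), m.group(3).lower()
    return time(hour % 12 + (12 if ampm == "pm" else 0), minute)

def in_window(spec, t):
    """True if t falls in 'START - END'; a window like 6 pm - 9 am wraps midnight."""
    start, end = (parse_clock(part) for part in spec.split("-"))
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def evaluate(event):
    """Return (rule_id, level) of the last rule that matched, or None.
    Child rules (if_sid) only run when their parent fired, as in OSSEC."""
    fired = None
    for rule in RULES:
        if "if_group" in rule:
            if rule["if_group"] not in event["groups"]:
                continue
            if "time" in rule and not in_window(rule["time"], event["time"]):
                continue
            fired = rule
        elif "if_sid" in rule:
            if fired is None or fired["id"] != rule["if_sid"]:
                continue
            # Assumption: OSSEC's <user> alternation approximated with a Python regex
            if "user" in rule and not re.search(rule["user"], event["user"]):
                continue
            fired = rule
    return (fired["id"], fired["level"]) if fired else None

# Constructed sample events: staff after hours, service account after hours, staff by day
EVENTS = [
    {"user": "alice", "groups": {"authentication"}, "time": time(22, 15)},
    {"user": "svc_backup", "groups": {"authentication"}, "time": time(2, 0)},
    {"user": "alice", "groups": {"authentication"}, "time": time(10, 30)},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["user"], ev["time"], "->", evaluate(ev))
```

Only the first event reaches level 10; the service account is swallowed by the level-0 child, and the daytime login matches nothing.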
