Ok, but further to that: This ssh "bug" does indeed trigger rule 5301 which is level 5 and below the active-response level 6 but still a kind of false positive. So the question actually remains: How can I whitelist this particular message pattern in auth.log?
On Thursday, 10 March 2016 13:28:50 UTC+1, Armin M wrote:
> > Are you sure it was this log message that caused you to be locked out?
> > There is no information in that log message that could be used in an
> > active response.
>
> Right, I just realized that the active-responses.log references the rule
> it was triggered from, in my case 40101, and the fact that I logged in as
> www. Ok, bad practice, no issue then.
