On Thu, Mar 10, 2016 at 8:52 AM, Armin M <[email protected]> wrote:
> Ok, but further to that: This ssh "bug" does indeed trigger rule 5301 which
> is level 5 and below the active-response level 6 but still a kind of false
> positive. So the question actually remains: How can I whitelist this
> particular message pattern in auth.log?
>
The pam_systemd log message? Perhaps a rule like the following in your
local_rules.xml (untested, since I get different results for this log
message than you do):

  <rule id="YOUR_RULE_ID" level="0">
    <if_sid>5301</if_sid>
    <match>^pam_systemd(su:session): Failed to create session: No such file or directory$</match>
    <description>Ignore pam_systemd fluff log.</description>
  </rule>

>
> On Thursday, 10 March 2016 13:28:50 UTC+1, Armin M wrote:
>>>
>>> Are you sure it was this log message that caused you to be locked out?
>>> There is no information in that log message that could be used in an
>>> active response.
>>
>>
>> Right, I just realized that the active-responses.log references the rule
>> it was triggered from, in my case 40101 and the fact that I logged in as
>> www. Ok, bad practice, no issue then.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
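To illustrate what the suggested child rule does, here is an added example (not from the thread and not OSSEC's own code) that parses the rule above out of a local_rules.xml fragment and applies a simplified model of OSSEC's <match> syntax and child-rule override: a rule with if_sid 5301 and level 0 replaces the parent's level 5 only for log text that hits the anchored pattern, so that event is suppressed while other 5301 hits still alert. The rule id 100100 and the two auth.log payloads are constructed placeholders; the authoritative check on a real agent or server is to feed the line to ossec-logtest.

```python
import xml.etree.ElementTree as ET

# The rule from the thread inside a local_rules.xml group; 100100 is a
# constructed placeholder for YOUR_RULE_ID (local rule ids start at 100000).
LOCAL_RULES = """
<group name="local,syslog,">
  <rule id="100100" level="0">
    <if_sid>5301</if_sid>
    <match>^pam_systemd(su:session): Failed to create session: No such file or directory$</match>
    <description>Ignore pam_systemd fluff log.</description>
  </rule>
</group>
"""

def sregex_match(pattern, text):
    """Simplified model of OSSEC <match>: '|' separates alternatives, a leading
    '^' anchors the start, a trailing '$' anchors the end, everything else is
    literal (parentheses included, unlike <regex>)."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        literal = alt[1:] if anchored_start else alt
        literal = literal[:-1] if anchored_end else literal
        if anchored_start and anchored_end:
            hit = text == literal
        elif anchored_start:
            hit = text.startswith(literal)
        elif anchored_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False

def load_child_rules(xml_text):
    """Extract id, level, if_sid and match from every <rule> in the fragment."""
    return [{"id": int(r.get("id")), "level": int(r.get("level")),
             "if_sid": int(r.findtext("if_sid")), "match": r.findtext("match")}
            for r in ET.fromstring(xml_text).iter("rule")]

def effective_level(parent_sid, parent_level, log_text, children):
    """A child whose if_sid names the parent and whose <match> hits replaces
    the parent's level; level 0 means no alert and no active response."""
    for c in children:
        if c["if_sid"] == parent_sid and sregex_match(c["match"], log_text):
            return c["level"]
    return parent_level

def classify(log_text, children):
    # The thread states this message already fires 5301 at level 5, so the
    # parent match is taken as given and only the override is modelled.
    level = effective_level(5301, 5, log_text, children)
    return "suppressed" if level == 0 else "alert level %d" % level

# Constructed auth.log payloads (syslog header already stripped by the decoder).
FLUFF = "pam_systemd(su:session): Failed to create session: No such file or directory"
OTHER = "pam_systemd(su:session): Failed to create session: Connection refused"
```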
