Great, that works. This is all giving me a much better idea how this thing operates...
On Thursday, March 10, 2016 14:58:28 UTC+1, dan (ddpbsd) wrote:
>
> On Thu, Mar 10, 2016 at 8:52 AM, Armin M <[email protected]> wrote:
> > Ok, but further to that: This ssh "bug" does indeed trigger rule 5301 which
> > is level 5 and below the active-response level 6 but still a kind of false
> > positive. So the question actually remains: How can I whitelist this
> > particular message pattern in auth.log?
> >
>
> The pam_systemd log message? Perhaps a rule like the following in your
> local_rules.xml (untested, since I get different results for this log
> message than you do):
>
> <rule id="YOUR_RULE_ID" level="0">
>   <if_sid>5301</if_sid>
>   <match>^pam_systemd(su:session): Failed to create session: No such file or directory$</match>
>   <description>Ignore pam_systemd fluff log.</description>
> </rule>
>
> >
> > On Thursday, March 10, 2016 13:28:50 UTC+1, Armin M wrote:
> >>>
> >>> Are you sure it was this log message that caused you to be locked out?
> >>> There is no information in that log message that could be used in an
> >>> active response.
> >>
> >>
> >> right, I just realized that the active-responses.log references the rule
> >> it was triggered from, in my case 40101 and the fact that I logged in as
> >> www. Ok, bad practice, no issue then.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
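Dan's snippet above is a bare <rule> element. In a real local_rules.xml the rule has to sit inside a <group> element and carry an id from the range OSSEC reserves for custom rules (100000-119999). The block below is an added example, not code from the thread or from the OSSEC project, showing the complete local_rules.xml entry for that whitelist; the rule id 100001 and the group name are assumptions, and the pam_systemd line used to test it further down is constructed, not taken from anyone's auth.log.

```xml
<!-- Added example, not from the thread: a complete local_rules.xml entry
     that silences the pam_systemd message dan's suggested rule targets.
     Rule id 100001 and the group name are assumptions; custom rule ids
     must fall in the 100000-119999 range OSSEC reserves for local rules. -->
<group name="local,syslog,">

  <!-- A child of 5301: it is only evaluated after 5301 has matched, and a
       level 0 child wins, so the event produces no alert and therefore can
       never feed an active response.
       <match> is a plain substring test against the decoded log text that
       follows the syslog header ("Mar 10 ... host su: "); it is not a regex
       (that would be <regex>), although the ^ and $ anchors are honoured
       and parentheses are literal. -->
  <rule id="100001" level="0">
    <if_sid>5301</if_sid>
    <match>^pam_systemd(su:session): Failed to create session: No such file or directory$</match>
    <description>Ignore pam_systemd session-creation noise logged via su.</description>
  </rule>

</group>
```

Before restarting anything, check the rule with ossec-logtest, which reads the rule files from disk: pipe a constructed line such as `Mar 10 14:50:01 host su: pam_systemd(su:session): Failed to create session: No such file or directory` into `/var/ossec/bin/ossec-logtest` and confirm that the output names rule 100001 at level 0 rather than 5301 at level 5. If the anchored match does not fire (dan notes he sees a different decode of this message), drop the `^`/`$` anchors or switch to <regex> and re-run logtest until it does; only then restart OSSEC (`/var/ossec/bin/ossec-control restart`) so analysisd loads the new rule.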
