I second Graeme's statement. I'm running into the same issues. Here are my details:
This rule is a problem for me. I am seeing many false positives (FP). Here is one such example:

Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root 192.168.1.50 (192.168.1.50) 52209
Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root 192.168.1.50 (192.168.1.50) 52209
2016 Mar 17 09:49:15 WinEvtLog: Security: AUDIT_SUCCESS(4722): Microsoft-Windows-Security-Auditing: (no user): no domain: WINDOWSHOST.domain-internal.com.internal: A user account was enabled. Subject: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX Account Name: username Account Domain: DOMAIN-INTERNAL Logon ID: 0x2xxXXXX Target Account: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX Account Name: VM01XXXX-XXXXXX$ Account Domain: DOMAIN-INTERNAL

As you can see, this is an obvious FP. Can someone weigh in here on how we can remediate these issues? Some days we see 100+ FPs.

Thanks in advance,
Dustin

On Tuesday, February 2, 2016 at 2:42:16 PM UTC-8, Graeme Stewart wrote:
> I think the OP's original statement is valid: why is OSSEC reporting valid fire on alert 40501 when multiple hosts are involved (l-logbackup1 and l-interdb3)?
>
> Seems this alert should only fire where the host is a match.
>
> On Monday, May 13, 2013 at 10:21:56 AM UTC-7, Jason Frisvold wrote:
>> root wrote:
>> > Hi, all
>> >
>> > There is a problem: when some host makes a different log, OSSEC can associate it and has false positives!
>>
>> Not a bug, it's by design. It's called grouping. If you want to disable it, you need to add <do_not_group /> to your global email settings.
>>
>> http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html#element-do_not_group
>>
>> --
>> ---------------------------
>> Jason 'XenoPhage' Frisvold
>> ---------------------------
>>
>> "Any sufficiently advanced magic is indistinguishable from technology."
>> - Niven's Inverse of Clarke's Third Law
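To make the point of the thread concrete, here is an added example (not OSSEC's own code, and not a reproduction of rule 40501 or of OSSEC's composite-rule engine) that counts authentication failures once globally and once keyed by host, over constructed syslog lines modelled on the tac_plus line quoted above; the threshold, the sshd lines and the extra hosts are assumptions.

```python
import re
from collections import Counter

# Constructed sample events (syslog-style, modelled on the tac_plus line in the thread).
# Three hosts each produce a couple of failures; no single host reaches the threshold.
SAMPLE_LOGS = """\
Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root 192.168.1.50 (192.168.1.50) 52209
Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root 192.168.1.50 (192.168.1.50) 52209
Mar 18 06:49:20 l-logbackup1 sshd[2211]: Failed password for root from 10.0.0.7 port 41022 ssh2
Mar 18 06:49:21 l-logbackup1 sshd[2213]: Failed password for root from 10.0.0.7 port 41023 ssh2
Mar 18 06:49:22 l-interdb3 sshd[887]: Failed password for backup from 10.0.0.9 port 50110 ssh2
Mar 18 06:49:23 l-interdb3 sshd[889]: Failed password for backup from 10.0.0.9 port 50111 ssh2
Mar 18 06:49:25 l-interdb3 cron[900]: (root) CMD (/usr/bin/backup.sh)
"""

# Assumed syslog header layout: "<Mon> <dd> <hh:mm:ss> <host> <program>[pid]: <message>".
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+[\d:]{8}\s+(?P<host>\S+)\s+(?P<prog>[^\[:]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
# Assumed message markers that identify an authentication failure.
FAILURE_RE = re.compile(r"login failure|Failed password", re.IGNORECASE)


def parse(line):
    """Split one syslog line into host, program and message; None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def count_failures(lines, per_host):
    """Count auth failures in one global bucket ('*') or in one bucket per host."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        if ev and FAILURE_RE.search(ev["msg"]):
            counts[ev["host"] if per_host else "*"] += 1
    return counts


def alerts(lines, threshold, per_host):
    """Return the bucket keys whose failure count reached the threshold."""
    return sorted(k for k, n in count_failures(lines, per_host).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print("global correlation fires for:", alerts(lines, 5, per_host=False))   # ['*']
    print("per-host correlation fires for:", alerts(lines, 5, per_host=True))  # []
```

With the same six failures, the global count crosses the (assumed) threshold of 5 and would produce one alert stitched together from unrelated hosts, while keying on the host yields nothing, which is the behaviour Graeme argues the alert should have.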
