On Tue, May 10, 2016 at 12:07 PM, Dustin Lenz <[email protected]> wrote:
> Hi,
>
>> I think you could set it to only alert if the logs have the same srcip
>
> How would one go about this?

Try setting <same_source_ip /> in the rule.

> Thanks,
>
> On Wed, Mar 23, 2016 at 9:32 AM, dan (ddp) <[email protected]> wrote:
>>
>> On Wed, Mar 23, 2016 at 12:23 PM, Dustin Lenz <[email protected]> wrote:
>> > Resurrecting this one from the dead. This rule is a problem for me. I am
>> > seeing many false positives (FP). Here is one such example:
>> >
>> >>> Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root 192.168.1.50 (192.168.1.50) 52209
>> >>>
>> >>> Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root 192.168.1.50 (192.168.1.50) 52209
>> >>>
>> >>> 2016 Mar 17 09:49:15 WinEvtLog: Security: AUDIT_SUCCESS(4722): Microsoft-Windows-Security-Auditing: (no user): no domain: WINDOWSHOST.domain-internal.com.internal: A user account was enabled.
>> >>> Subject: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX Account Name: username Account Domain: DOMAIN-INTERNAL Logon ID: 0x2xxXXXX
>> >>> Target Account: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX Account Name: VM01XXXX-XXXXXX$ Account Domain: DOMAIN-INTERNAL
>> >
>> > As you can see this is an obvious FP.
>> >
>> > Can someone weigh in here on how we can remediate these issues? Some days
>> > we see 100+ FPs.
>> >
>>
>> Disable the rule?
>> I think you could set it to only alert if the logs have the same srcip
>> (not positive though).
>>
>> > Thanks in advance,
>> >
>> > Dustin
>> >
>> > On Wednesday, November 16, 2011 at 9:52:38 AM UTC-8, Franky4fngrs wrote:
>> >>
>> >> Hello,
>> >>
>> >> I have an OSSEC deployment with a little over 700 agents communicating.
>> >> The issue I am having is that rules such as 40501 report a large number
>> >> of false positives. There are a large number of brute force attacks
>> >> across the environment at any given time. Whenever a legitimate user
>> >> logs in the alert is triggered. I have not seen an obvious (to me) way
>> >> to modify the rules, or groups to address this issue. Has anyone
>> >> tackled this issue before?
>> >>
>> >> Thanks
>> >>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>>
>
> --
> Regards,
>
> Dustin
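An added example, not part of the thread and not OSSEC's shipped rule text, of how the suggested <same_source_ip /> is applied by overriding rule 40501 from local_rules.xml. The level, frequency, timeframe and group names below are assumptions for illustration; copy the real values from the rule's definition in your ruleset, because an overwrite replaces the whole rule.

```xml
<!-- local_rules.xml: illustrative override of rule 40501 (assumed values).
     Without <same_source_ip />, a composite rule correlates any earlier
     authentication failure with any later success, so the tac_plus
     failures from 192.168.1.50 and an unrelated Windows event can complete
     the chain together and raise the alert. -->
<group name="local,syslog,">

  <!-- Before (assumed shape of the shipped rule): matches across all
       hosts and sources, which is what produces the false positives. -->
  <!--
  <rule id="40501" level="4" frequency="2" timeframe="180">
    <if_matched_group>authentication_failed</if_matched_group>
    <if_group>authentication_success</if_group>
    <description>Successful login after previous failed attempts.</description>
  </rule>
  -->

  <!-- After: overwrite="yes" replaces the rule with the same id in place;
       <same_source_ip /> requires the matched failures and the success to
       carry the same decoded srcip. A log with no srcip decoded (as in the
       WinEvtLog 4722 event) cannot satisfy the comparison, so it no longer
       completes the chain on its own. Verify srcip is actually decoded for
       the log formats involved, or the rule will never fire. -->
  <rule id="40501" level="4" frequency="2" timeframe="180" overwrite="yes">
    <if_matched_group>authentication_failed</if_matched_group>
    <if_group>authentication_success</if_group>
    <same_source_ip />
    <description>Successful login after previous failed attempts from the same source IP.</description>
  </rule>

</group>
```

Test the override with ossec-logtest by feeding the two tac_plus failures followed by a success from the same address, then from a different address, and confirm the alert fires only in the first case.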
