Hi Tahir,

I think there is no official way to do that. You could change the netstat command to show some special string when it is an initial environment and then, if the output has that string, ignore it (using the proper alert).

I hope it helps.

Regards.

On Monday, June 13, 2016 at 3:26:42 PM UTC+2, Tahir Hafiz wrote:
>
> We have a situation where we have an alert from ossec on an initial environment build which we wish to ignore.
> However, we only want to ignore the first alert and not subsequent similar alerts.
>
> Is there a way to whitelist (level=0, in the local_rules.xml file) some event for the first ten minutes only?
> And then have the alerts (level=7 in this case) as per usual.
>
> The alert is below:
>
> ** Alert 1465821827.92581: mail - ossec,
> 2016 Jun 13 13:43:47 (monitoringxyz02) any->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
> Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
> tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN
> tcp        0      0 0.0.0.0:25      0.0.0.0:*       LISTEN
> tcp        0      0 0.0.0.0:5666    0.0.0.0:*       LISTEN
> tcp6       0      0 :::22           :::*            LISTEN
> tcp6       0      0 :::25           :::*            LISTEN
> tcp6       0      0 :::5666         :::*            LISTEN
> Previous output:
> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
> tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN
> tcp        0      0 0.0.0.0:25      0.0.0.0:*       LISTEN
> tcp        0      0 0.0.0.0:5666    0.0.0.0:*       LISTEN
> tcp6       0      0 :::22           :::*            LISTEN
> tcp6       0      0 :::25           :::*            LISTEN
> tcp6       0      0 :::443          :::*            LISTEN
> tcp6       0      0 :::5666         :::*            LISTEN
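One way to build the "special string" approach from the reply, as an added example that is not code from the thread or from the OSSEC project. Everything here is an assumption for illustration: the wrapper path /usr/local/bin/netstat-check.sh, the flag file /var/ossec/etc/build-phase (written by the provisioning script via `netstat-check.sh start`), the ten-minute window, the marker string OSSEC-BUILD-PHASE and the local rule IDs 100533/100534. Two points a practitioner should know before copying it: stock rule 533 matches the literal command string 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort', so once the command in ossec.conf changes to the wrapper, rule 533 no longer applies and the wrapper needs its own check_diff rule (printed by `netstat-check.sh rules`); and when the marker line disappears at the end of the window that is itself a change in the output, so expect one final level-7 alert whose only difference is the missing marker line.

```shell
#!/bin/sh
# netstat-check.sh: wrapper for the OSSEC "listening ports" command check.
# Added example for the ossec-list thread above, not code from OSSEC or the posters.
# Assumptions (all hypothetical): provisioning runs `netstat-check.sh start` when
# the host is built, which records the epoch time in BUILD_FLAG; for BUILD_WINDOW
# seconds after that the listing gets an extra MARKER line so a level-0 local rule
# can swallow the change alert.

BUILD_FLAG="${BUILD_FLAG:-/var/ossec/etc/build-phase}"          # hypothetical path
BUILD_WINDOW="${BUILD_WINDOW:-600}"                              # ten minutes, as asked
MARKER="OSSEC-BUILD-PHASE"                                       # hypothetical marker
SCRIPT_PATH="${SCRIPT_PATH:-/usr/local/bin/netstat-check.sh}"   # what ossec.conf runs

# Record the start of the build window (run once by provisioning).
mark_build_start() {
    date +%s > "${1:-$BUILD_FLAG}"
}

# in_build_phase FLAGFILE NOW: succeed while NOW is within BUILD_WINDOW seconds
# of the timestamp stored in FLAGFILE; fail if the file is missing or malformed.
in_build_phase() {
    flag="$1"
    now="$2"
    [ -r "$flag" ] || return 1
    started=$(head -n 1 "$flag" | tr -cd '0-9')
    [ -n "$started" ] || return 1
    age=$((now - started))
    if [ "$age" -ge 0 ] && [ "$age" -lt "$BUILD_WINDOW" ]; then
        return 0
    fi
    return 1
}

# annotate FLAGFILE NOW: pass the netstat listing from stdin through unchanged,
# appending the MARKER line while the build window is open.
annotate() {
    cat
    if in_build_phase "$1" "$2"; then
        echo "$MARKER"
    fi
}

# The pipeline from the alert in the thread, with the marker step appended.
main() {
    netstat -tan | grep LISTEN | grep -v 127.0.0.1 | sort \
        | annotate "$BUILD_FLAG" "$(date +%s)"
}

# Rules for local_rules.xml. Stock rule 533 only matches the literal command
# string 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort', so the wrapper
# needs its own check_diff rule (100533) plus a level-0 child (100534) that
# fires while the marker is present. IDs 100000-119999 are the local range.
print_local_rules() {
    cat <<EOF
<group name="ossec,">
  <rule id="100533" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: '$SCRIPT_PATH run'</match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened or closed).</description>
  </rule>
  <rule id="100534" level="0">
    <if_sid>100533</if_sid>
    <match>$MARKER</match>
    <description>Listening ports changed during the initial build window, ignored.</description>
  </rule>
</group>
EOF
}

case "${1:-}" in
    start) mark_build_start ;;
    run)   main ;;
    rules) print_local_rules ;;
esac
```

Usage: install the script, point the command check at it in ossec.conf (`<localfile><log_format>command</log_format><command>/usr/local/bin/netstat-check.sh run</command></localfile>`), append the output of `netstat-check.sh rules` to local_rules.xml, restart OSSEC, and have the build pipeline call `netstat-check.sh start` as its first step. Port changes during the window land in rule 100534 at level 0; after the window they come through 100533 at level 7 as before. The timestamp lives in the flag file rather than in the file's mtime so the check is portable across GNU and BSD userlands and does not depend on `stat` flags.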
