On Wed, Aug 3, 2016 at 9:07 AM, Herman Harperink <[email protected]> wrote:
> Hi Dan,
>
> When my phone / pc / ipad collects email I get a "dovecot authentication
> success" event. I could ignore this event by downrating it to zero in
> local_rules so it won't be logged, but I want to see all successful
> authentications on my mailserver from hosts that are not my own (since I am
> the only one using it). Same goes for ftp, ssh etc.
> In case someone hacks my server, or steals my credentials that would light
> up on my dash.
>
> My home internet connection has a dynamic ip, but by using a dyndns provider
> (duckdns) I have a static own domainname. However, ossec lookups always
> return the dynamic hostname my provider gave me, and never my dyndns
> hostname since they don't update dns records (no authority).
> If I lookup my dyndns hostname on my ossec manager I get my ip. But if I
> lookup my ip I get my provider's hostname which is not static.
>
> So: connection from xxx.xxx.xxx.xxx resolves to dip-t-somewhat-hostname
> (within ossec). I am looking for a way to let ossec check if ip
> xxx.xxx.xxx.xxx is my myhost.duckdns.org hostname, and if it is, ignore the
> event.
>

There is no facility to do DNS lookups in the analysis engine.

>
>
> On Wed, Aug 3, 2016 at 2:47 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Wed, Aug 3, 2016 at 1:48 AM, Herman Harperink
>> <[email protected]> wrote:
>> > Hi all,
>> >
>> > Can somebody hint me in the right direction on this?
>> > I have two dynamic hosts with a ddns hostname and I don't want those to
>> > trigger events. But I can't find a way to do that anywhere.
>> >
>> > Thanks in advance.
>> >
>>
>> Remove the agents from those hosts? I'm probably misunderstanding
>> something, maybe an example of what you don't want to see would help?
>>
>> > Herman

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
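Since the analysis engine cannot do the lookup, the forward-resolution check asked for in this thread can be done outside OSSEC and turned into level-0 rules. This is an added example, not part of the original thread or of OSSEC itself; the `PARENT_RULE_ID` placeholder, the 100100+ rule IDs and the function names are assumptions.

```python
import socket
from xml.sax.saxutils import escape

# Assumptions (not from the thread): the parent rule ID placeholder and the
# 100100+ ID range used for the generated rules.
DDNS_HOSTS = ["myhost.duckdns.org"]
PARENT_SID = "PARENT_RULE_ID"  # placeholder: ID of the "authentication success" rule
FIRST_RULE_ID = 100100


def system_resolver(hostname):
    """Forward-resolve a hostname to its current set of IPv4 addresses."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def current_addresses(hostnames, resolver=system_resolver):
    """Map each resolved address to the DDNS name it came from."""
    found = {}
    for name in hostnames:
        try:
            for ip in resolver(name):
                found[ip] = name
        except OSError:
            # Resolution failed: emit no rule, so that host's events stay visible.
            continue
    return found


def build_ignore_rules(addresses, parent_sid=PARENT_SID, first_id=FIRST_RULE_ID):
    """Render one level-0 child rule per address, in a stable order."""
    rules = []
    for offset, ip in enumerate(sorted(addresses)):
        rules.append(
            f'<rule id="{first_id + offset}" level="0">\n'
            f"  <if_sid>{escape(str(parent_sid))}</if_sid>\n"
            f"  <srcip>{ip}</srcip>\n"
            f"  <description>Ignored: own host {escape(addresses[ip])}</description>\n"
            f"</rule>"
        )
    return "\n".join(rules)


if __name__ == "__main__":
    print(build_ignore_rules(current_addresses(DDNS_HOSTS)))
```

The output goes inside the `<group>` of local_rules, and OSSEC has to be restarted to load it. Regenerate on a short interval, because a stale entry silences logins from whoever holds the old address next.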
