Hi Fredrik, when you create a new ssh connection, the following alerts are generated:
** Alert 1497960059.10786: - syslog,sshd,authentication_success,pci_dss_10.2.5,
2017 Jun 20 12:00:59 ip-10-0-0-10->/var/log/auth.log
Rule: 5715 (level 3) -> 'sshd: authentication success.'
Src IP: 10.10.10.10
User: root
Jun 20 12:00:58 ip-10-0-0-10 sshd[2266]: Accepted publickey for root from 10.10.10.10 port 54950 ssh2: RSA 2d:b0:79:60:11:11:1c:b3:09:a4:1d:87:28:f2:64:11

** Alert 1497960059.11162: - pam,syslog,authentication_success,pci_dss_10.2.5,
2017 Jun 20 12:00:59 ip-10-0-0-10->/var/log/auth.log
Rule: 5501 (level 3) -> 'PAM: Login session opened.'
User: root
Jun 20 12:00:58 ip-10-0-0-10 sshd[2266]: pam_unix(sshd:session): session opened for user root by (uid=0)
uid: 0

** Alert 1497960059.11471: - syslog,sshd,authentication_success,pci_dss_10.2.5,
2017 Jun 20 12:00:59 ip-10-0-0-10->/var/log/auth.log
Rule: 5715 (level 3) -> 'sshd: authentication success.'
Src IP: 10.10.10.10
User: root
Jun 20 12:00:58 ip-10-0-0-10 sshd[2268]: Accepted publickey for root from 10.10.10.10 port 54953 ssh2: RSA 2d:b0:79:60:11:11:1c:b3:09:a4:1d:87:28:f2:64:11

** Alert 1497960059.11847: - pam,syslog,authentication_success,pci_dss_10.2.5,
2017 Jun 20 12:00:59 ip-10-0-0-10->/var/log/auth.log
Rule: 5501 (level 3) -> 'PAM: Login session opened.'
User: root
Jun 20 12:00:58 ip-10-0-0-10 sshd[2268]: pam_unix(sshd:session): session opened for user root by (uid=0)
uid: 0

As you can see, the 5501 alerts don't have srcip. For that reason your rule is not working. You can use if_group sshd in order to ignore all ssh alerts with your IP (if the IP is extracted as srcip).

I hope it helps.

On Tuesday, June 20, 2017 at 1:53:41 PM UTC+2, Fredrik Hilmersson wrote:
>
> Hey Jesus,
>
> I'm only overwriting rule 5501 to increase its alert level to 7 (as I test to use only send alert if 7 or <).
>
> I did test the following:
>
> <rule id="100200" level="0">
>   <if_sid>5501</if_sid>
>   <srcip>Remote IP</srcip>
>   <description>Ignoring host remote IP</description>
> </rule>
>
> also:
>
> <rule id="100200" level="0">
>   <if_sid>5501</if_sid>
>   <srcip>Remote IP</srcip>
>   <options>no_email_alert</options>
>   <description>Ignoring host remote IP</description>
> </rule>
>
> However, I still get alerts sent to me when connecting to any ossec agent through that remote host.
>
> On Monday, June 19, 2017 at 16:27:47 UTC+2, Jesus Linares wrote:
>>
>> Your second rule is ignoring only alerts with level 2 and with your IP. I think you could use if_sid.
>>
>> Why are you overwriting rule 5501?
>>
>> Regards.
>>
>> On Monday, June 19, 2017 at 12:00:29 PM UTC+2, Fredrik Hilmersson wrote:
>>>
>>> Hello,
>>>
>>> So I got the following custom rule on the ossec server:
>>>
>>> <rule id="5501" level="7" overwrite="yes">
>>>   <if_sid>5500</if_sid>
>>>   <match>session opened for user </match>
>>>   <description>Login session opened.</description>
>>>   <group>authentication_success,</group>
>>> </rule>
>>>
>>> Then afterwards I use the local rule on the ossec server to avoid alert spam from a specific IP:
>>>
>>> <rule id="110000" level="0">
>>>   <if_level>2</if_level>
>>>   <srcip>MYIP</srcip>
>>>   <description>Ignoring ip MYIP</description>
>>> </rule>
>>>
>>> I tried with <match></match> instead of srcip but without success, the ossec agents still generate alerts to my ossec server when connecting from MYIP.
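The reason Fredrik's child rule never fires can be shown with a small model of the decoder-then-rules pipeline. The following Python is an added example, not code from the thread or from OSSEC/Wazuh: the two decoders, the two base rules (5715 and 5501) and the rule matcher are simplified stand-ins for the real engine, and the two auth.log lines are copied from the alerts Jesus quoted above. It evaluates the non-working rule (if_sid 5501 plus srcip) and the suggested one (if_group sshd plus srcip) against both lines, which also shows the caveat: the PAM alert 5501 keeps firing under the if_group approach because it is in the pam group and carries no srcip.

```python
import re

# Constructed sample input: the two auth.log lines behind the quoted alerts.
AUTH_LOG = [
    "Jun 20 12:00:58 ip-10-0-0-10 sshd[2266]: Accepted publickey for root "
    "from 10.10.10.10 port 54950 ssh2: RSA 2d:b0:79:60:11:11:1c:b3:09:a4:1d:87:28:f2:64:11",
    "Jun 20 12:00:58 ip-10-0-0-10 sshd[2266]: pam_unix(sshd:session): "
    "session opened for user root by (uid=0)",
]

# Simplified decoders (assumption: the real decoders are richer, but the
# fields they expose are what matters). sshd yields user and srcip; the
# pam_unix session line yields a user only.
SSHD_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<srcip>\S+) port \d+")
PAM_SESSION = re.compile(
    r"pam_unix\(\S+:session\): session opened for user (?P<user>\S+)")


def decode(line):
    """Decoder stage: return the decoder name plus the fields it extracts."""
    m = SSHD_ACCEPTED.search(line)
    if m:
        return {"decoder": "sshd", **m.groupdict()}
    m = PAM_SESSION.search(line)
    if m:
        return {"decoder": "pam", **m.groupdict()}
    return {"decoder": None}


# Simplified copies of the two stock rules named in the thread.
BASE_RULES = [
    {"id": 5715, "level": 3, "decoder": "sshd", "match": "Accepted",
     "groups": {"syslog", "sshd", "authentication_success"}},
    {"id": 5501, "level": 3, "decoder": "pam", "match": "session opened for user",
     "groups": {"pam", "syslog", "authentication_success"}},
]


def match_base(fields, line):
    """Pick the base rule whose decoder and match string fit the line."""
    for rule in BASE_RULES:
        if fields["decoder"] == rule["decoder"] and rule["match"] in line:
            return rule
    return None


def child_matches(child, parent, fields):
    """All conditions of a child rule must hold; a missing srcip field can
    never equal the rule's <srcip> value, so such a child silently fails."""
    if "if_sid" in child and child["if_sid"] != parent["id"]:
        return False
    if "if_group" in child and child["if_group"] not in parent["groups"]:
        return False
    if "srcip" in child and fields.get("srcip") != child["srcip"]:
        return False
    return True


def evaluate(line, local_rules):
    """Return the rule that ends up alerting for one log line (or None)."""
    fields = decode(line)
    parent = match_base(fields, line)
    if parent is None:
        return None
    for child in local_rules:
        if child_matches(child, parent, fields):
            return {"rule": child["id"], "level": child["level"]}
    return {"rule": parent["id"], "level": parent["level"]}


# Fredrik's rule: child of 5501 keyed on srcip (5501 never has srcip).
BROKEN_RULE = {"id": 100200, "level": 0, "if_sid": 5501, "srcip": "10.10.10.10"}
# Jesus' suggestion: silence sshd-group alerts that decoded this srcip.
WORKING_RULE = {"id": 100201, "level": 0, "if_group": "sshd", "srcip": "10.10.10.10"}


def alerts(local_rules, lines=AUTH_LOG):
    """(rule id, level) emitted per line; level 0 means the alert is silenced."""
    return [(r["rule"], r["level"])
            for r in (evaluate(ln, local_rules) for ln in lines) if r]


if __name__ == "__main__":
    print("broken :", alerts([BROKEN_RULE]))    # [(5715, 3), (5501, 3)]
    print("working:", alerts([WORKING_RULE]))   # [(100201, 0), (5501, 3)]
```

With the broken rule both base alerts survive untouched; with the if_group version the sshd alert is dropped to level 0 while 5501 still fires, which is what Jesus's parenthetical "if the IP is extracted as srcip" means in practice.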