Thanks a lot Jesus,

I did solve it by creating two local rules: one for rule 5715 matching the 
srcip, and one rule to match the hostname to ignore the 5501.

Kind regards,
Fredrik

On Tuesday, 20 June 2017 at 14:09:39 UTC+2, Jesus Linares wrote:
>
> Hi Fredrik,
>
> When you create a new SSH connection, the following alerts are generated:
>
> ** Alert 1497960059.10786: - syslog,sshd,authentication_success,pci_dss_10.2.5,
> 2017 Jun 20 12:00:59 ip-10-0-0-10->/var/log/auth.log
> Rule: 5715 (level 3) -> 'sshd: authentication success.'
> Src IP: 10.10.10.10
> User: root
> Jun 20 12:00:58 ip-10-0-0-10 sshd[2266]: Accepted publickey for root from 
> 10.10.10.10 port 54950 ssh2: RSA 2d:b0:79:60:11:11:1c:b3:09:a4:1d:87:28:f2:64:11
>
> ** Alert 1497960059.11162: - pam,syslog,authentication_success,pci_dss_10.2.5,
> 2017 Jun 20 12:00:59 ip-10-0-0-10->/var/log/auth.log
> Rule: 5501 (level 3) -> 'PAM: Login session opened.'
> User: root
> Jun 20 12:00:58 ip-10-0-0-10 sshd[2266]: pam_unix(sshd:session): session 
> opened for user root by (uid=0)
> uid: 0
>
> ** Alert 1497960059.11471: - syslog,sshd,authentication_success,pci_dss_10.2.5,
> 2017 Jun 20 12:00:59 ip-10-0-0-10->/var/log/auth.log
> Rule: 5715 (level 3) -> 'sshd: authentication success.'
> Src IP: 10.10.10.10
> User: root
> Jun 20 12:00:58 ip-10-0-0-10 sshd[2268]: Accepted publickey for root from 
> 10.10.10.10 port 54953 ssh2: RSA 2d:b0:79:60:11:11:1c:b3:09:a4:1d:87:28:f2:64:11
>
> ** Alert 1497960059.11847: - pam,syslog,authentication_success,pci_dss_10.2.5,
> 2017 Jun 20 12:00:59 ip-10-0-0-10->/var/log/auth.log
> Rule: 5501 (level 3) -> 'PAM: Login session opened.'
> User: root
> Jun 20 12:00:58 ip-10-0-0-10 sshd[2268]: pam_unix(sshd:session): session 
> opened for user root by (uid=0)
> uid: 0
>
>
>
> As you can see, the 5501 alerts don't have a srcip. For that reason your 
> rule is not working. You can use if_group sshd in order to ignore 
> all ssh alerts with your IP (if the IP is extracted as srcip).
>
> I hope it helps.
>
>
> On Tuesday, 20 June 2017 at 13:53:41 UTC+2, Fredrik Hilmersson wrote:
>>
>> Hey Jesus,
>>
>> I'm only overwriting rule 5501 to increase its alert level to 7 (as I'm 
>> testing sending an alert only if the level is 7 or <).
>>
>> I did test the following:
>>
>> <rule id="100200" level="0">
>>   <if_sid>5501</if_sid>
>>   <srcip>Remote IP</srcip>
>>   <description>Ignoring host remote IP</description>
>> </rule>
>>
>> also:
>>
>> <rule id="100200" level="0">
>>   <if_sid>5501</if_sid>
>>   <srcip>Remote IP</srcip>
>>   <options>no_email_alert</options>
>>   <description>Ignoring host remote IP</description>
>> </rule>
>>
>> However, I still get alerts sent to me when connecting to any ossec agent 
>> through that remote host.
>>
>> On Monday, 19 June 2017 at 16:27:47 UTC+2, Jesus Linares wrote:
>>>
>>> Your second rule is ignoring only alerts with level 2 and with your IP. 
>>> I think you could use *if_sid*.
>>>
>>> Why are you overwriting rule 5501?
>>>
>>> Regards.
>>>
>>>
>>>
>>> On Monday, 19 June 2017 at 12:00:29 UTC+2, Fredrik Hilmersson wrote:
>>>>
>>>> Hello,
>>>>
>>>> So I have the following custom rule on the ossec server:
>>>>
>>>> <rule id="5501" level="7" overwrite="yes">
>>>>   <if_sid>5500</if_sid>
>>>>   <match>session opened for user </match>
>>>>   <description>Login session opened.</description>
>>>>   <group>authentication_success,</group>
>>>> </rule>
>>>>
>>>> Afterwards I use this local rule on the ossec server to avoid alert 
>>>> spam from a specific IP:
>>>>
>>>> <rule id="110000" level="0">
>>>>   <if_level>2</if_level>
>>>>   <srcip>MYIP</srcip>
>>>>   <description>Ignoring ip MYIP</description>
>>>> </rule>
>>>>
>>>> I tried with <match></match> instead of srcip but without success; the 
>>>> ossec agents still generate alerts to my ossec server when connecting from 
>>>> MYIP.
>>>>
>>>>

-- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
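The following is an added illustration, not code from the thread or from the OSSEC project. It is a small Python model of why Fredrik's first rule (a child of 5501 keyed on `<srcip>`) never fires, and why the two-rule fix he describes at the top of the thread does: the `Accepted publickey` line decodes to a source IP, the `pam_unix` session line does not, so any field condition on `srcip` under 5501 compares against nothing. Base rules 5715 and 5501 are hard-coded with the groups and levels shown in the quoted alerts (5501 at the overwritten level 7); the local rules are read from inline `local_rules.xml` fragments with `xml.etree`. Everything else is an assumption: the sample log lines are constructed after the quoted ones, `10.10.10.10` stands in for "Remote IP"/"MYIP", rule ids 100200/100201 and their descriptions are made up, and `<hostname>` is modelled as matching the syslog host field (`ip-10-0-0-10`), which is a simplification of OSSEC's matching, not a statement about its engine.

```python
"""Toy model of OSSEC rule matching for the two auth.log events in this thread.

Not OSSEC's engine: a reduced decoder plus a reduced rule evaluator, enough
to show which local rule (if any) takes over each alert.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample lines, modelled on the auth.log lines quoted in the thread.
SSHD_LINE = ("Jun 20 12:00:58 ip-10-0-0-10 sshd[2266]: Accepted publickey for root "
             "from 10.10.10.10 port 54950 ssh2: RSA 2d:b0:79:60:11:11:1c:b3:09:a4:1d:87:28:f2:64:11")
PAM_LINE = ("Jun 20 12:00:58 ip-10-0-0-10 sshd[2266]: pam_unix(sshd:session): "
            "session opened for user root by (uid=0)")

SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<hostname>\S+) (?P<program>\S+?)\[\d+\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<srcip>\S+) port")
PAM_RE = re.compile(r"session opened for user (?P<user>\S+)")

# Base rules as they appear in the quoted alerts: id -> (level, groups).
# 5501 carries the overwritten level 7 from the first post.
BASE_RULES = {
    5715: (3, {"syslog", "sshd", "authentication_success"}),
    5501: (7, {"pam", "syslog", "authentication_success"}),
}


def decode(line):
    """Mimic the syslog + sshd/pam decoders: only the 'Accepted' line yields srcip."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: " + line)
    fields = {"hostname": m["hostname"]}
    msg = m["msg"]
    accept = ACCEPT_RE.match(msg)
    pam = PAM_RE.search(msg)
    if accept:
        fields.update(user=accept["user"], srcip=accept["srcip"], sid=5715)
    elif pam:
        fields.update(user=pam["user"], sid=5501)  # no remote address in this line
    else:
        raise ValueError("no decoder for: " + msg)
    return fields


def load_local_rules(xml_text):
    """Parse a <group> of <rule> elements into dicts (subset of the OSSEC rule syntax)."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rule = {"id": int(r.get("id")), "level": int(r.get("level"))}
        for tag in ("if_sid", "if_group", "srcip", "hostname"):
            el = r.find(tag)
            if el is not None:
                rule[tag] = el.text.strip()
        rules.append(rule)
    return rules


def final_level(line, local_rules):
    """Return (rule id, level) of the alert after the local rules are applied."""
    ev = decode(line)
    level, groups = BASE_RULES[ev["sid"]]
    winner = (ev["sid"], level)
    for rule in local_rules:
        parent_ok = (("if_sid" in rule and int(rule["if_sid"]) == ev["sid"])
                     or ("if_group" in rule and rule["if_group"] in groups))
        if not parent_ok:
            continue
        # A field the decoder never set cannot satisfy a field condition.
        if "srcip" in rule and ev.get("srcip") != rule["srcip"]:
            continue
        if "hostname" in rule and ev.get("hostname") != rule["hostname"]:
            continue
        winner = (rule["id"], rule["level"])  # matching child rule overrides the parent
    return winner


# Fredrik's first attempt: a child of 5501 keyed on srcip (hypothetical IP filled in).
BROKEN_RULES = """<group name="local,">
  <rule id="100200" level="0">
    <if_sid>5501</if_sid>
    <srcip>10.10.10.10</srcip>
    <description>Ignoring host remote IP</description>
  </rule>
</group>"""

# The two-rule fix described at the top of the thread: srcip under 5715,
# hostname (modelled here as the syslog host field) under 5501. Ids are assumed.
WORKING_RULES = """<group name="local,">
  <rule id="100200" level="0">
    <if_sid>5715</if_sid>
    <srcip>10.10.10.10</srcip>
    <description>Ignoring sshd logins from the remote IP</description>
  </rule>
  <rule id="100201" level="0">
    <if_sid>5501</if_sid>
    <hostname>ip-10-0-0-10</hostname>
    <description>Ignoring PAM session alerts for this host</description>
  </rule>
</group>"""

if __name__ == "__main__":
    for name, xml_text in (("broken", BROKEN_RULES), ("working", WORKING_RULES)):
        rules = load_local_rules(xml_text)
        for line in (SSHD_LINE, PAM_LINE):
            print(name, final_level(line, rules))
```

With the broken fragment both events keep their base rule and level, which is the behaviour Fredrik reported (alerts still arriving); with the working fragment both drop to level 0. The hostname condition silences every PAM session alert from that host, not only the ones caused by the remote IP, which is the trade-off of matching on a field the PAM line actually carries.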