Hello to the list!
Over the past few weeks, our weekly Nessus scans have been triggering a lot
of password failure alerts from OSSEC. Specifically the rules "2502" and
"40111" have been being triggered thousands of times on each weekly scan.
Tuesday morning we had over 200K emails in our alerts mailbox. So I've
been trying to build some exclusion rules that will ignore these alerts, if
the entry indicates it comes from one of our scanner boxes. But the rules
do not seem to be taking effect.
Here's an example of an alert we are getting:
OSSEC HIDS Notification.
2018 Jul 06 16:51:04
Received From: db01.domain.com->/var/log/secure
Rule: 2502 fired (level 10) -> "User missed the password more than one time"
Portion of the log(s):
Jul 6 16:51:03 db01.domain.com sshd[18507]: PAM 2 more authentication
failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=scan01b.domain.com
user=root
--END OF NOTIFICATION
Scans can come from any one of 4 possible ip addresses, only one having
rDNS. So here's the rule I put in place to
/var/ossec/rules/local_rules.xml:
<group name="syslog,access_control,">
<rule id="100035" level="0">
<if_sid>2502</if_sid>
<match>192.168.92.72|192.168.92.76|192.168.92.77|192.168.92.78|scan01b</match>
<description>Ignore SSH failures originating from scanner</description>
</rule>
</group>
If I run the above log line through the ossec-logtest application, it
definitely shows that rule 100035 is hit, and it becomes a level 0.
However, if I restart the OSSEC on the server, and trigger another scan, I
start seeing alerts from SID 2502 coming into email still. I cannot for
the life of me figure out what is going on - I've had good luck making
these types of exclusion rules in the past, and I'm copying my work from
previous working exclusions.
Anyone got any suggestions?
Thanks!
Jeremy Utley
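An added triage helper (not from the post or from OSSEC) for the situation above: before restarting OSSEC and re-running a scan, pull the notification e-mails into a file and count them by rule id and rhost, then check which ones the posted exclusion would actually cover. The exclusion applies, via its `<if_sid>`, only to rule 2502 and only where the log text contains one of the listed IPs or "scan01b", so anything still arriving should show up here as either a different rule id or an rhost outside the list. The sample notifications, the rule 40111 description text and the function names are constructed for this example, and the `ossec_match` helper is an assumed simplification of OSSEC's `<match>` (plain substring test, `|` as OR); it does not model the anchors the real matcher also supports.

```python
"""Triage helper for OSSEC e-mail notifications (added example, not OSSEC code).

Parses the notification format quoted in the post, groups alerts by rule id
and rhost, and reports which ones the posted exclusion would cover under the
simplified <match> semantics assumed here (substring test, '|' = OR).
"""
import re
from collections import Counter

# The exclusion as posted: <if_sid>2502</if_sid> plus this <match> string.
EXCLUSION_SIDS = {"2502"}
EXCLUSION_MATCH = "192.168.92.72|192.168.92.76|192.168.92.77|192.168.92.78|scan01b"

# Constructed sample notifications (not real data) in the posted format.
SAMPLE_ALERTS = """\
OSSEC HIDS Notification.
2018 Jul 06 16:51:04
Received From: db01.domain.com->/var/log/secure
Rule: 2502 fired (level 10) -> "User missed the password more than one time"
Portion of the log(s):
Jul 6 16:51:03 db01.domain.com sshd[18507]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=scan01b.domain.com user=root
--END OF NOTIFICATION

OSSEC HIDS Notification.
2018 Jul 06 16:52:10
Received From: db01.domain.com->/var/log/secure
Rule: 2502 fired (level 10) -> "User missed the password more than one time"
Portion of the log(s):
Jul 6 16:52:09 db01.domain.com sshd[18611]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.92.76 user=root
--END OF NOTIFICATION

OSSEC HIDS Notification.
2018 Jul 06 17:03:44
Received From: web02.domain.com->/var/log/secure
Rule: 2502 fired (level 10) -> "User missed the password more than one time"
Portion of the log(s):
Jul 6 17:03:43 web02.domain.com sshd[4410]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
--END OF NOTIFICATION

OSSEC HIDS Notification.
2018 Jul 06 17:05:01
Received From: db01.domain.com->/var/log/secure
Rule: 40111 fired (level 10) -> "Multiple authentication failures (constructed)"
Portion of the log(s):
Jul 6 17:05:00 db01.domain.com sshd[18720]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.92.77 user=root
--END OF NOTIFICATION
"""

RULE_RE = re.compile(r"^Rule: (\d+) fired \(level (\d+)\)", re.M)
FROM_RE = re.compile(r"^Received From: (\S+?)->(\S+)", re.M)
RHOST_RE = re.compile(r"rhost=(\S*)")
LOG_RE = re.compile(r"^Portion of the log\(s\):\n(.*?)--END OF NOTIFICATION", re.M | re.S)


def parse_alerts(text):
    """Split a mailbox dump into one dict per notification."""
    alerts = []
    for block in text.split("OSSEC HIDS Notification."):
        rule = RULE_RE.search(block)
        if not rule:
            continue  # preamble or junk between notifications
        log = LOG_RE.search(block)
        log_text = log.group(1).strip() if log else ""
        agent = FROM_RE.search(block)
        rhost = RHOST_RE.search(log_text)
        alerts.append({
            "rule": rule.group(1),
            "level": int(rule.group(2)),
            "agent": agent.group(1) if agent else "",
            "rhost": rhost.group(1) if rhost else "",
            "log": log_text,
        })
    return alerts


def ossec_match(pattern, text):
    """Assumed simplification of OSSEC <match>: '|'-separated substrings."""
    return any(alt and alt in text for alt in pattern.split("|"))


def would_be_excluded(alert):
    """True if the posted rule 100035 would drop this alert to level 0."""
    return alert["rule"] in EXCLUSION_SIDS and ossec_match(EXCLUSION_MATCH, alert["log"])


def still_alerting(alerts):
    """(rule, rhost) pairs the exclusion does not silence."""
    return [(a["rule"], a["rhost"]) for a in alerts if not would_be_excluded(a)]


def summarize(alerts):
    """Count alerts by (rule id, rhost, would_be_excluded)."""
    return Counter((a["rule"], a["rhost"], would_be_excluded(a)) for a in alerts)


if __name__ == "__main__":
    for (rule, rhost, excluded), n in sorted(summarize(parse_alerts(SAMPLE_ALERTS)).items()):
        print(f"rule {rule:6} rhost {rhost:22} excluded={excluded!s:5} count={n}")
```

Run it against a real mailbox dump by replacing SAMPLE_ALERTS with the file contents; any row with excluded=False is an alert the rule in local_rules.xml was never going to suppress, which narrows the question to whether those are a different rule id (the exclusion only covers 2502) or a source address missing from the match list.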