On Fri, Jul 6, 2018 at 5:20 PM, Jeremy Utley <[email protected]> wrote:
> Hello to the list!
>
> Over the past few weeks, our weekly Nessus scans have been triggering a lot
> of password failure alerts from OSSEC. Specifically the rules "2502" and
> "40111" have been triggered thousands of times on each weekly scan.
> Tuesday morning we had over 200K emails in our alerts mailbox. So I've been
> trying to build some exclusion rules that will ignore these alerts, if the
> entry indicates it comes from one of our scanner boxes. But the rules do
> not seem to be taking effect.
>
> Here's an example of an alert we are getting:
>
> OSSEC HIDS Notification.
> 2018 Jul 06 16:51:04
>
> Received From: db01.domain.com->/var/log/secure
> Rule: 2502 fired (level 10) -> "User missed the password more than one time"
> Portion of the log(s):
>
> Jul 6 16:51:03 db01.domain.com sshd[18507]: PAM 2 more authentication
> failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=scan01b.domain.com
> user=root
>
> --END OF NOTIFICATION
>
> Scans can come from any one of 4 possible IP addresses, only one having
> rDNS. So here's the rule I put in place in
> /var/ossec/rules/local_rules.xml:
>
> <group name="syslog,access_control,">
>   <rule id="100035" level="0">
>     <if_sid>2502</if_sid>
>     <match>192.168.92.72|192.168.92.76|192.168.92.77|192.168.92.78|scan01b</match>
>     <description>Ignore SSH failures originating from scanner</description>
>   </rule>
> </group>
>
> If I run the above log line thru the ossec-logtest application, it
> definitely shows that rule 100035 is hit, and it becomes a level 0.
> However, if I restart the OSSEC on the server, and trigger another scan, I
> start seeing alerts from SID 2502 coming into email still. I cannot for
> the life of me figure out what is going on - I've had good luck making these
> types of exclusion rules in the past, and I'm copying my work from previous
> working exclusions.
>
When you restart the OSSEC processes on the server, stop them and make sure they all stop. Then start them up again.

> Anyone got any suggestions?
>
> Thanks!
>
> Jeremy Utley
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
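An added example, not code from the thread: it replays the `<match>` of rule 100035 as posted above over constructed /var/log/secure lines in the format of the quoted alert. It assumes OSSEC `<match>` behaves as a case-sensitive, unanchored substring test with `|` separating alternatives, and the helper names are mine; the "scanner-as-user" line shows the caveat that the scanner name is matched anywhere in the line, not only in the `rhost=` field.

```python
from xml.etree import ElementTree as ET

# Copy of the rule Jeremy posted to local_rules.xml.
LOCAL_RULES = """<group name="syslog,access_control,">
  <rule id="100035" level="0">
    <if_sid>2502</if_sid>
    <match>192.168.92.72|192.168.92.76|192.168.92.77|192.168.92.78|scan01b</match>
    <description>Ignore SSH failures originating from scanner</description>
  </rule>
</group>"""

# Constructed /var/log/secure lines in the format of the alert in the thread.
PREFIX = ("Jul  6 16:51:03 db01.domain.com sshd[18507]: PAM 2 more authentication "
          "failures; logname= uid=0 euid=0 tty=ssh ruser= ")
SAMPLE_LOGS = {
    "scanner-rdns":    PREFIX + "rhost=scan01b.domain.com  user=root",
    "scanner-ip":      PREFIX + "rhost=192.168.92.76  user=root",
    "other-host":      PREFIX + "rhost=10.20.30.40  user=root",
    "lookalike-ip":    PREFIX + "rhost=192.168.92.7  user=root",   # not a scanner
    "scanner-as-user": PREFIX + "rhost=10.20.30.40  user=scan01b",  # scanner name in another field
}

def match_alternatives(rules_xml, rule_id="100035"):
    """Pull the '|'-separated <match> alternatives out of the given rule id (hypothetical helper)."""
    rule = ET.fromstring(rules_xml).find(f"rule[@id='{rule_id}']")
    return rule.find("match").text.split("|")

def ossec_match(alternatives, log_line):
    """Assumption: <match> is a case-sensitive, unanchored substring test and '|' means OR."""
    return any(alt in log_line for alt in alternatives)

def classify(rules_xml, logs):
    """Return 'suppressed' (the level-0 child rule wins) or 'alert' for each constructed line."""
    alts = match_alternatives(rules_xml)
    return {name: "suppressed" if ossec_match(alts, line) else "alert"
            for name, line in logs.items()}

if __name__ == "__main__":
    for name, verdict in classify(LOCAL_RULES, SAMPLE_LOGS).items():
        print(f"{name:16} {verdict}")
```

Run it after editing the rule to check that every scanner source is covered and that no unrelated host (such as the 192.168.92.7 look-alike) is silenced by accident.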
