Hi Steve,

A simple way to ignore these logs is with the following rule:

<rule id="100101" level="0">
  <if_sid>1002</if_sid>
  <program_name>^sshd</program_name>
  <match>error: channel_setup_fwd_listener|error: bind: Address already in</match>
  <description>SSHD events ignored</description>
</rule>

Just add it to your local_rules.xml (under the "group" section) and restart ossec.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 6/26/07, Steve Johnson <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> Thanks a lot for the offers. There are 2 messages that are generated
> when that happens. Here's an example of the messages below:
>
> sshd[25624]: error: channel_setup_fwd_listener: cannot listen to port:
> sshd[25624]: error: bind: Address already in use
>
> The only thing that changes is the PID of the SSHd.
>
> Thanks again,
> Steve Johnson
>
> Daniel Cid wrote:
> > Hi Steve,
> >
> > A lot of people have problems finding stuff on our wiki, but we plan to keep
> > improving it (and any help is welcome). As Michael said, you can send the
> > log entries to the list so we can help you out, or you can use the following
> > documents from our FAQ:
> >
> > http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
> > http://www.ossec.net/wiki/index.php/Know_How:CorrelateSnort
> >
> > Also, my presentation at AusCERT/Confidence can be of help too:
> >
> > http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
> >
> > Hope it helps,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 6/21/07, Steve Johnson <[EMAIL PROTECTED]> wrote:
> >
> >> Hi,
> >>
> >> There is a syslog message that triggers rule 1002 for syslog, which is
> >> about alerting on certain keywords. The message happens when we try to
> >> set up an ssh tunnel when the port has already been used by someone else
> >> and has the keyword "error" generated by sshd. I don't want to remove
> >> the keyword from rule 1002, or even less ignore the rule completely, but
> >> I was wondering if there was a way to whitelist certain specific syslog
> >> messages? I could not find the information in the wiki, so I hope I
> >> didn't just overlook it :-)
> >>
> >> Thanks,
> >> Steve Johnson
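The rule chain from Daniel's reply, simulated end to end as an added example (this is not code from the thread or from the OSSEC project): rule 1002 fires on a keyword list, and the level-0 child rule 100101 (if_sid 1002, program_name ^sshd) takes over only for the two sshd messages, so those are dropped while every other "error" line still alerts. Assumptions, labelled in the code: the log lines are constructed, the BAD_WORDS list and level 2 stand in for the real rule 1002, and OSSEC's <match>/<program_name> syntax is approximated as "|"-separated alternatives with a leading "^" anchor and plain substring matching otherwise.

```python
import re
from typing import Optional

# Constructed sample syslog lines (not from the original thread); the two sshd
# errors follow the shape Steve posted, with PIDs that differ as he described.
SAMPLE_LOGS = [
    "Jun 26 10:01:02 host1 sshd[25624]: error: channel_setup_fwd_listener: cannot listen to port: 8080",
    "Jun 26 10:01:02 host1 sshd[25624]: error: bind: Address already in use",
    "Jun 26 10:02:15 host1 sshd[25701]: error: PAM: Authentication failure for root from 10.0.0.5",
    "Jun 26 10:03:00 host1 kernel: error: bind: Address already in use",
    "Jun 26 10:04:00 host1 sshd[25800]: Accepted publickey for steve from 10.0.0.6 port 51234 ssh2",
]

# Assumption: a trimmed copy of the $BAD_WORDS keyword list that OSSEC's generic
# rule 1002 matches on; the real list and level may differ between releases.
BAD_WORDS = ("core_dumped|failure|error|attack| bad |illegal |denied|refused|"
             "unauthorized|fatal|failed|Segmentation Fault|Corrupted")

# Rule table: the generic rule 1002 plus the local rule 100101 from the reply.
RULES = [
    {"id": 1002, "level": 2, "if_sid": None, "program_name": None,
     "match": BAD_WORDS, "description": "Unknown problem somewhere in the system."},
    {"id": 100101, "level": 0, "if_sid": 1002, "program_name": "^sshd",
     "match": "error: channel_setup_fwd_listener|error: bind: Address already in",
     "description": "SSHD events ignored"},
]

# "Mon DD HH:MM:SS host program[pid]: message" -> program name and message text.
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(?P<prog>[^\[:\s]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")


def ossec_match(pattern: str, text: str) -> bool:
    """Approximate OSSEC <match>/<program_name> semantics (assumption): '|'
    separates alternatives, a leading '^' anchors at the start, anything else
    is a case-sensitive substring test. No other metacharacters are handled."""
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if text.startswith(alt[1:]):
                return True
        elif alt in text:
            return True
    return False


def parse_syslog(line: str) -> Optional[tuple]:
    m = SYSLOG_RE.match(line)
    return (m.group("prog"), m.group("msg")) if m else None


def rule_applies(rule: dict, prog: str, msg: str) -> bool:
    # program_name is checked against the syslog program field, match against the message.
    if rule["program_name"] and not ossec_match(rule["program_name"], prog):
        return False
    return ossec_match(rule["match"], msg)


def evaluate(line: str, rules=RULES) -> Optional[dict]:
    """Return the rule that finally applies to the line, or None. A parent
    rule (no if_sid) must match first; a matching child whose if_sid equals
    the parent's id then replaces it. That is how a level-0 child silences
    the two sshd messages without editing rule 1002 itself."""
    parsed = parse_syslog(line)
    if parsed is None:
        return None
    prog, msg = parsed
    hit = next((r for r in rules if r["if_sid"] is None and rule_applies(r, prog, msg)), None)
    while hit is not None:
        child = next((r for r in rules if r["if_sid"] == hit["id"] and rule_applies(r, prog, msg)), None)
        if child is None:
            break
        hit = child
    return hit


def alerts(lines=SAMPLE_LOGS) -> list:
    """One (rule id, level, alerted?) tuple per line; level 0 means the event is dropped."""
    out = []
    for line in lines:
        hit = evaluate(line)
        out.append(None if hit is None else (hit["id"], hit["level"], hit["level"] > 0))
    return out


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOGS, alerts()):
        print(result, line)
```

Only the two listener/bind messages end up on rule 100101 at level 0; the sshd PAM failure and the same bind text from a non-sshd program stay on rule 1002 and still alert, which is the behaviour Steve asked for. Against a real install, the same check is done by feeding the raw lines to /var/ossec/bin/ossec-logtest after the rule has been added to local_rules.xml.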
