I have a customer who is trying to connect to an SFTP server I have set up.
Recently, due to some organization changes on their end, they are initiating
approximately 30 separate SSH connections to my server in about 1 minute. This
triggers an alert for several "failed none" messages from the IP address of
my customers. The end result is AR blocks them because a rule with severity
of 12 gets launched (multiple authentication failures followed by a
success). Is there a way to filter out "failed none" messages so that they
do not get blocked by AR? I have already whitelisted them in ossec.conf.