Samples?

On Jun 22, 2012 4:36 PM, "Josh" <[email protected]> wrote:
> I have a customer who is trying to connect to an SFTP server I have set
> up. Recently, due to some organization changes on their end, they are
> initiating approx 30 separate SSH connections to my server in about 1
> minute. This triggers an alert for several "failed none" messages from the
> IP address of my customers. The end result is AR blocks them because a rule
> with severity of 12 gets launched (multiple authentication failures
> followed by a success). Is there a way to filter out "failed none" messages
> so that they do not get blocked by AR? I have already whitelisted them in
> ossec.conf.
