This topic was addressed on the list earlier this year, but I had a 
specific question in regards to how I'm implementing it.

Based upon the suggestions in the email archive, a howto on this topic and 
the documentation on ossec.net, I added the following rule to 
/var/ossec/rules/local_rules.xml which should be pretty self-explanatory.

  <rule id="100002" level="0">
    <srcip>192.168.1.209</srcip>
    <description>Ignore the local vulnerability scanner</description>
  </rule>

After I restarted OSSEC, vulnerability scans kept producing a flood of 
alerts and emails.  I ran some of the log lines produced through 
/var/ossec/bin/ossec-logtest like this one:

Jul 17 23:33:06 web1 sshd[12133]: Invalid user OPERATOR from 192.168.1.209 port 36916

And I got:

**Phase 1: Completed pre-decoding.
       full event: 'Jul 17 23:33:06 web1 sshd[12133]: Invalid user OPERATOR 
from 192.168.1.209 port 36916'
       hostname: 'web1'
       program_name: 'sshd'
       log: 'Invalid user OPERATOR from 192.168.1.209 port 36916'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcip: '192.168.1.209'

**Phase 3: Completed filtering (rules).
       Rule id: '5710'
       Level: '5'
       Description: 'Attempt to login using a non-existent user'
**Alert to be generated.

So obviously my ignore rule is not working.  I 
checked https://www.ossec.net/docs/docs/syntax/head_rules.html and it 
pretty clearly says: 

First, the rules with 0 levels are tried, and then all the other rules in a 
decreasing order by their level.

So it appears I've done everything right, but it's not working.  Looking at 
the suggestions on how to do this on this list and elsewhere, I decided to 
add a level check and changed the rule to this:

  <rule id="100002" level="0">
    <srcip>192.168.1.209</srcip>
    <if_level>1</if_level>
    <description>Ignore the local vulnerability scanner</description>
  </rule>

And now on the same log line I get this:

**Phase 1: Completed pre-decoding.
       full event: 'Jul 17 23:33:06 web1 sshd[12133]: Invalid user OPERATOR 
from 192.168.1.209 port 36916'
       hostname: 'web1'
       program_name: 'sshd'
       log: 'Invalid user OPERATOR from 192.168.1.209 port 36916'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcip: '192.168.1.209'

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '0'
       Description: 'Ignore the local vulnerability scanner'


And the system no longer generates alerts and emails from the scan.

My question is, is this a bug or did I miss something in the documentation 
that says srcip alone isn't enough to create a rule match (or a level 0 
rule match) or have I done something else boneheaded?  I saw in other 
examples that if_sid will also make a srcip level 0 match work so are there 
particular combinations that work or is there a reason srcip alone isn't 
sufficient (or, as I said, is this just a bug)?

I'm running version 3.6.0 installed from the source tarball off the 
ossec.net website.

Any suggestions or advice would be appreciated.

Thanks,

Scott
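A small regression check for this kind of ignore rule, added here as an example and not part of Scott's post: it parses ossec-logtest output in the format quoted above and reports which rule won and whether an alert would fire, so a level-0 whitelist rule can be verified from a script rather than by eye. The ossec-logtest path and the assumption that it prints the phases to stdout or stderr are mine; the two samples are constructed from the output quoted in the post.

```python
import re
import subprocess

# Matches the indented "key: 'value'" lines that ossec-logtest prints.
FIELD_RE = re.compile(r"^\s+([A-Za-z_ ]+?):\s+'(.*)'\s*$")

# Constructed sample: the first logtest run from the post (wrapped line joined).
SAMPLE_ALERT = """**Phase 1: Completed pre-decoding.
       full event: 'Jul 17 23:33:06 web1 sshd[12133]: Invalid user OPERATOR from 192.168.1.209 port 36916'
       hostname: 'web1'
       program_name: 'sshd'
       log: 'Invalid user OPERATOR from 192.168.1.209 port 36916'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       srcip: '192.168.1.209'

**Phase 3: Completed filtering (rules).
       Rule id: '5710'
       Level: '5'
       Description: 'Attempt to login using a non-existent user'
**Alert to be generated.
"""

# Constructed sample: phase 3 of the second run, after <if_level> was added.
SAMPLE_IGNORED = """**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '0'
       Description: 'Ignore the local vulnerability scanner'
"""

def parse_logtest(output: str) -> dict:
    """Flatten every "key: 'value'" line into a dict (keys like rule_id, srcip)."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip().lower().replace(" ", "_")] = m.group(2)
    return fields

def verdict(output: str) -> tuple:
    """Return (matched rule id, level, alert generated?) for one logtest run."""
    f = parse_logtest(output)
    alerted = "**Alert to be generated." in output
    return f.get("rule_id", ""), int(f.get("level", "0")), alerted

def run_logtest(log_line: str, binary: str = "/var/ossec/bin/ossec-logtest") -> str:
    """Feed one line to ossec-logtest (path assumed) and return its combined output."""
    proc = subprocess.run([binary], input=log_line + "\n", capture_output=True, text=True)
    return proc.stdout + proc.stderr
```

To check a rule on a live box, call `verdict(run_logtest(line))` for each scanner log line and fail the check whenever the returned rule id is not the ignore rule or the alert flag is true.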

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/d8e4c109-89d0-43dc-babe-0cd61bb8458bo%40googlegroups.com.