Here's an alert example. These are about the most annoying. Edited...

OSSEC HIDS Notification.
2006 Sep 07 14:11:02

Received From: ***-PIX-1->/mnt/logdisk/***-PIX-1/***-PIX-1.log
Rule: 4381 fired (level 10) -> "Multiple PIX critical messages."
Portion of the log(s):

%PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on interface vpn
%PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on interface vpn
%PIX-2-106006: Deny inbound UDP from ***/54481 to ***/1026 on interface vpn
%PIX-2-106006: Deny inbound UDP from ***9/20031 to ***/20031 on interface vpn
%PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on interface vpn
%PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on interface vpn
%PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on interface vpn
Log samples are a different story. They are very verbose, I think I need to crank some stuff down and am researching how to do so. I already went from "logging trap debugging" to "logging trap informational" and that didn't seem to help.
On Sep 7, 2006, at 2:05 PM, Daniel Cid wrote:
Hi Erick,

Can you show us a few of these alerts and a sample of your pix logs? I made some changes to the pix rules and maybe I broke something in the middle.

In addition to that, we have a small document in the wiki on how to ignore specific rules ... http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/7/06, Erick Kinnee <ekinnee@xxxxxxxxxxxx> wrote:

Have we come up with a workable way to suppress or threshold down alerts for certain devices? I have several PIXes sending syslogs to the OSSEC box and I'm being flooded with alerts. There were 139 of them last night for one PIX as it was doing what it's supposed to and dropping traffic based on ACLs.

Maybe I need to turn something down on the PIX? I do have it configured with "logging trap debugging".
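An added example of the local_rules.xml override that the wiki page Daniel links describes; it is not from this thread or from OSSEC's shipped pix rules. A child rule chained to 4381 with level 0 silences the alert for the one PIX whose log file is flooding while 4381 keeps firing for every other device. The rule id 100010, the file-name fragment in <location>, and the availability of the <location> option in the installed OSSEC version are assumptions.

```xml
<!-- local_rules.xml: added example, not from the thread or OSSEC's stock rules.
     Rule id 100010 and the location string are assumed placeholders; the
     <location> rule option is assumed to exist in the OSSEC version in use. -->
<group name="local,pix,">
  <!-- Child of 4381 ("Multiple PIX critical messages"). When a child rule
       matches, its level replaces the parent's, and level 0 means no alert
       is generated, so the ACL-drop flood from this PIX's log file is dropped
       while 4381 still alerts for every other PIX. -->
  <rule id="100010" level="0">
    <if_sid>4381</if_sid>
    <!-- Only events read from this device's log file (see "Received From"
         in the alert); other PIX log files are unaffected. -->
    <location>PIX-1.log</location>
    <!-- Only the expected ACL deny message, so other critical PIX messages
         from the same device still raise the level 10 alert. -->
    <match>%PIX-2-106006</match>
    <description>Ignore 4381 for ACL deny floods (106006) from PIX-1.</description>
  </rule>
</group>
```

Run one of the quoted %PIX-2-106006 lines through ossec-logtest after restarting OSSEC to confirm the event now ends in rule 100010 at level 0.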