[ossec-list] Re: Whitelisting specific syslog message
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Whitelisting specific syslog message
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Wed, 27 Jun 2007 23:15:25 -0300
- Cc: "Steve Johnson" <maillist@xxxxxxxxxxxxx>
Hi Steve,
A simple way to ignore these logs is with the following rule:
  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <program_name>^sshd</program_name>
    <match>error: channel_setup_fwd_listener|error: bind: Address already in</match>
    <description>SSHD events ignored</description>
  </rule>
Just add it to your local_rule.xml (under the "group" section) and
restart ossec.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 6/26/07, Steve Johnson <maillist@xxxxxxxxxxxxx> wrote:
>
> Hi,
>
> Thanks a lot for the offers. There are 2 messages that are generated
> when that happens. Here's an example of the messages below:
>
> sshd[25624]: error: channel_setup_fwd_listener: cannot listen to port:
> sshd[25624]: error: bind: Address already in use
>
> The only thing that changes is the PID of the SSHd.
>
> Thanks again,
> Steve Johnson
>
> Daniel Cid wrote:
> > Hi Steve,
> >
> > A lot of people have problems finding stuff on our wiki, but we plan to keep
> > improving it (and any help is welcome). As Michael said, you can send the log
> > entries to the list so we can help you out or you use the following documents
> > from our FAQ:
> >
> > http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
> > http://www.ossec.net/wiki/index.php/Know_How:CorrelateSnort
> >
> > Also, my presentation at AusCERT/Confidence can be of help too:
> >
> > http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
> >
> > Hope it helps,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> >
> >
> > On 6/21/07, Steve Johnson <maillist@xxxxxxxxxxxxx> wrote:
> >
> >> Hi,
> >>
> >> There is a syslog message that triggers rule 1002 for syslog, which is
> >> about alerting on certain keyword. The message happens when we try to
> >> set an ssh tunnel when the port has already been used by someone else
> >> and has the keyword "error" generated by sshd. I don't want to remove
> >> the keyword from rule 1002 or even less ignore the rule completely, but
> >> I was wondering if there was a way to whitelist certain specific syslog
> >> messages? I could not find the information in the wiki, so I hope I
> >> didn't just overlook it :-)
> >>
> >> Thanks,
> >> Steve Johnson
> >>
> >>
>
>
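As an added illustration (not part of the thread, and not OSSEC's own engine), the following Python models how the level-0 child rule from the reply silences rule 1002 only for the two sshd messages Steve posted. The rule-1002 word list and the log lines are constructed stand-ins, the parser assumes the trimmed "program[pid]: message" form shown in Steve's mail, and the matching follows OSSEC's documented behaviour: `<match>` is a substring test with `|` separating alternatives, `<program_name>` is a regex, and a matching `<if_sid>` child overrides its parent's level.

```python
import re
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment: a stand-in for rule 1002 (the real
# keyword list is longer) plus the level-0 child rule from the reply above.
LOCAL_RULES = """<group name="local,syslog,">
  <rule id="1002" level="2">
    <match>error|failed|denied|refused</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <program_name>^sshd</program_name>
    <match>error: channel_setup_fwd_listener|error: bind: Address already in</match>
    <description>SSHD events ignored</description>
  </rule>
</group>"""


def load_rules(xml_text):
    """Flatten the <rule> elements into dicts; order is preserved."""
    return [{
        "id": r.get("id"),
        "level": int(r.get("level")),
        "if_sid": (r.findtext("if_sid") or "").strip() or None,
        "program_name": r.findtext("program_name"),
        "match": r.findtext("match"),
    } for r in ET.fromstring(xml_text).iter("rule")]


def matches(rule, program, message):
    """<program_name> is a regex; <match> is substring OR over '|' parts."""
    if rule["program_name"] and not re.search(rule["program_name"], program or ""):
        return False
    return any(alt in message for alt in rule["match"].split("|"))


def evaluate(rules, line):
    """Return (rule_id, level) that OSSEC would finally assign to the line."""
    m = re.match(r"(?P<prog>[\w./-]+)(?:\[\d+\])?:\s*(?P<msg>.*)$", line)
    program, message = (m.group("prog"), m.group("msg")) if m else (None, line)
    current = None
    for rule in rules:  # first matching top-level rule (no <if_sid>)
        if rule["if_sid"] is None and matches(rule, program, message):
            current = rule
            break
    if current:  # a child whose <if_sid> names the parent refines it
        for rule in rules:
            if rule["if_sid"] == current["id"] and matches(rule, program, message):
                current = rule
    return (current["id"], current["level"]) if current else (None, 0)
```

Dropping the `<program_name>` line would also silence the same "bind: Address already in use" text from any other daemon, which is why the child rule pins it to sshd.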
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.