
[ossec-list] Re: SSH Brute Force Attacks and Alerting



This was very helpful to me....(thanks to Daniel Cid)

http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

This isn't just to ignore rules...this also tells you that you can ignore all rules "unless it matches a very specific pattern".

Hope this is helpful.

Tommy

 -------------- Original message ----------------------
From: Ben Ruset <ben.ruset@xxxxxxxxxxx>
> 
> Please forgive me in advance if this is too much of a newbie question.
> 
> I have OSSEC configured with four agents and a server. I am getting 
> bombarded with alerts about ssh brute force attacks. I'm pretty sure 
> that any host connected to the internet that runs some form of ssh 
> daemon gets brute force attempts all the time, and as such I am not 
> terribly concerned.
> 
> What I'm finding, though, is that it's hard to deal with legitimate 
> alerts when there are so many alerts generated for attempted ssh logins.
> 
> My config has this:
> 
>    <alerts>
>      <log_alert_level>1</log_alert_level>
>      <email_alert_level>7</email_alert_level>
>    </alerts>
> 
> which I presume to be "don't email me about events >7." Well, all of my 
> ssh alerts register at level 10.
> 
> Ideally, I'd only like to get alerts from when someone logs into the 
> system (these aren't shell boxes for people, so it's semi-unusual for 
> people to log into them) or alerted based on brute force + successful 
> login as seen here: (http://www.ossec.net/en/loganalysis.html#auth4)
> 
> Do I have a flawed understanding of how the rule alerting works? Is 
> there something I need to configure specifically to change OSSEC's sshd 
> rules to only alert me on login and/or on brute force + successful login?
> 
> Thanks,
> 
> -ben
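As an added example (not from this thread and not the OSSEC project's own rules), a local_rules.xml that applies the "ignore everything unless it matches a specific pattern" idea to Ben's situation: keep the stock email threshold, demote the stock sshd brute-force rule below it, promote an accepted login above it, and add a correlation rule for a success following repeated failures. The stock rule IDs 5712, 5715 and 5716 are as I recall them from sshd_rules.xml and the 1000xx IDs are chosen for this example; check both against the rules shipped with your install.

```xml
<!-- Example local_rules.xml for OSSEC (added example, not from the thread).
     Assumed stock rule IDs (verify in sshd_rules.xml):
       5712 = SSHD brute force trying to get access (level 10)
       5715 = SSHD authentication success (level 3)
       5716 = SSHD authentication failed (level 5)
     ossec.conf keeps <email_alert_level>7</email_alert_level>, which means
     "email every alert of level 7 or higher". -->
<group name="local,syslog,sshd,">

  <!-- A child rule with <if_sid> fires instead of its parent, so its level
       replaces the parent's. Level 5 still lands in alerts.log
       (log_alert_level is 1) but stays under the email threshold. -->
  <rule id="100010" level="5">
    <if_sid>5712</if_sid>
    <description>SSHD brute force, logged but not emailed.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- These are not interactive boxes: raise an accepted login to level 7
       so that it is emailed. -->
  <rule id="100011" level="7">
    <if_sid>5715</if_sid>
    <description>SSH login accepted on a host where logins are unusual.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Composite rule: the current event is a success (<if_sid>) and the
       same source produced several failures within the timeframe
       (<if_matched_sid> plus <same_source_ip>). This mirrors the stock
       "multiple authentication failures followed by a success" rule in
       syslog_rules.xml and sits well above the email threshold. -->
  <rule id="100012" level="12" frequency="6" timeframe="300">
    <if_matched_sid>5716</if_matched_sid>
    <if_sid>5715</if_sid>
    <same_source_ip />
    <description>SSH login accepted after repeated failures from the same source.</description>
    <group>authentication_success,</group>
  </rule>

</group>
```

After editing local_rules.xml, run ossec-logtest against a captured sshd failure/success sequence to confirm which rule ID and level each line now triggers before restarting the server.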





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.