
[ossec-list] Re: SSH Brute Force Attacks and Alerting




Hi Ben,

On ossec, level 1 is the least severe and level 15 the highest one. Basically,
in your configuration you are alerting on everything higher than or equal
to level 7.

If you don't want to receive e-mail alerts from these rules, you have
three options:

-Reduce their level (see the link that Tommy suggested).
-Set the no_email_alert option on the rule*.
-Increase the e-mail alerting level (to 11 or higher).

*http://www.ossec.net/en/manual.html#rules

Example of setting the no_email_alert option:

 <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
   <if_matched_sid>5710</if_matched_sid>
   <description>SSHD brute force trying to get access to </description>
   <description>the system.</description>
   <options>no_email_alert</options>
   <group>authentication_failures,</group>
 </rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 5/2/07, Ben Ruset <ben.ruset@xxxxxxxxxxx> wrote:

Well, am I right in assuming that the config should stop all rules
greater than level 7 from being emailed?

Is rule level 1 more severe than rule level 16?

Thanks,
-ben

Tommy May wrote:
> This was very helpful to me....(thanks to Daniel Cid)
>
> http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
>
> This isn't just to ignore rules...this also tells you that you can ignore all rules "unless it matches a very specific pattern".
>
> Hope this is helpful.
>
> Tommy
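The three options above, written out as an added example (not configuration from the thread or from the OSSEC project's shipped rule files). It assumes an OSSEC release whose rule syntax accepts the overwrite="yes" attribute, which lets a rule in local_rules.xml supersede the stock rule 5712 instead of editing sshd_rules.xml (which an upgrade would overwrite). The first fragment goes in ossec.conf, the second in rules/local_rules.xml; the email_alert_level and log_alert_level settings are standard ossec.conf options.

```xml
<!-- ossec.conf (fragment, added example): controls which alert levels are
     written to alerts.log and which are mailed. With the defaults shown,
     rule 5712 at level 10 is both logged and mailed. Raising
     email_alert_level to 11 (option 3 in the reply above) silences mail for
     every rule of level 10 and below, not only the SSH brute-force rule. -->
<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>

<!-- rules/local_rules.xml (fragment, added example): option 2 from the
     reply above, but as a local override rather than an edit to
     sshd_rules.xml. The rule keeps level 10, so it still appears in
     alerts.log and still triggers any active response bound to level 10,
     while no_email_alert stops only the e-mail. To use option 1 instead,
     drop the <options> line and set level="6" (below email_alert_level 7). -->
<group name="local,syslog,sshd,">
  <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60" overwrite="yes">
    <if_matched_sid>5710</if_matched_sid>
    <description>SSHD brute force trying to get access to the system.</description>
    <options>no_email_alert</options>
    <group>authentication_failures,</group>
  </rule>
</group>
```

After restarting OSSEC, check the result with /var/ossec/bin/ossec-logtest: paste a sample "Failed password for invalid user ... from ..." sshd line into it repeatedly and confirm it reports rule 5712 at the level you expect; ossec-logtest shows the matched rule and level, and with the override in place the alert is still generated but no mail is sent for it.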





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.