Is it possible to add exclusions for specific hosts/agents

Support/Development for OSSEC
cctgteddy
New Forum User
New Forum User
Posts: 1
Joined: Fri May 07, 2021 8:35 am

Is it possible to add exclusions for specific hosts/agents

Unread post by cctgteddy »

Hi,
we are piloting OSSEC install, we have a server set up with several agents in place. Trying to filter out the "white noise" to get it down to a normal state.
All these servers are Linux hosts running SSH, however only one of them is publicly accessible.

I'd like to add an exclusion rule for this and a few others, but only on this one host. This is completely normal and expected, we do have fail2ban installed as well on all hosts to block after a number of failed attempts.

We will of course be investigating a way to have OSSEC warn of of successes which is actually more concerning.

Received From: (hostname) 1.2.3.4 ->/var/log/secure
Rule: 2502 fired (level 10) -> "User missed the password more than one time"
Src IP: 221.181.185.19
User: root
Portion of the log(s):

May 7 05:24:12 hostname sshd[31009]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.181.185.19 user=root
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Is it possible to add exclusions for specific hosts/agents

Unread post by mikeshinn »

Yes you can, you do at the rule level after the rule thats been triggered. Its a match basically, and change whatever you need to change.

For example, to lower the level to 0 for that agent for an entire group:

<rule id=12345 level="0">
<if_group>syscheck</if_group>
<hostname>some_agents_name</hostname>
<description>Disable rule 12345 for some_agent</description>
</rule>

That would disable syscheck for that agent. You could do any kind of exclusion you want, exclude a specific ID, multiple IDs, only during specific times of day, from a specific IP, GEO, or any other combination of criteria. Really anything you can do with a rule, just adding hostname (the agents name) as your matching criteria.
Post Reply