
Permanent posts from ossec and SSHd from alienvault server

sergunz

Good day!
In OSSIM 4.7.0, I have in Analysis -> SIEM a lot of unnecessary information from ossec and SSHd from the server on which OSSIM is installed.
For example, these messages are constantly coming:
ossec: Login session opened.
ossec: Login session closed.
and so on, every minute:

99% of the information is such "waste".
If I look in the alert ossec: Login session opened:

This is clearly something the system itself does; no person logs in to the server with OSSIM.
Moreover, the same situation existed before, with other versions of OSSIM, on other servers. I just turned a blind eye to it.
How can I fix this? Probably I need to disable the ossec agent on the server with OSSIM. Why isn't it like that out of the box?
How do I properly remove it?
What about SSHd? From it there is also a lot of "garbage", every minute:



Best Answers

  • Answer ✓
    hi,

    you can create policy rules to remove them from the list of events
  • Answer ✓
    @sergunz

    It is not an action. It's a setting under SIEM when you are creating a policy. Simply change it from yes to no and then it won't appear in your SIEM.

Answers

  • Please help me configure policy rules, I cannot understand how to do it correctly.
    For example, I have these events:

    In event:

    and


    Then, I go to Configuration -> Threat Intelligence and make a new policy.
    What should I choose as Source in my case?
    What should I choose in Event Types? I created a new one, called ossec-av, like this:


    And what to do next I do not know. The idea is to create a new action that will block these events from the SIEM. How? In Action there is no action for block or anything similar, there are only 3 types of actions: 1. send email, 2. execute program and 3. open ticket. Which should I choose?
  • edited July 2014

    I corrected this (in 4.8, YMMV) by editing the following file:

    In file /etc/ossim/agent/plugins/ossec-single-line.cfg
    Comment out the following lines:
    5501=7009
    5502=7001
    5715=7009

    Comment out the entire section for these events:
    [0003 - PAM Login Success]
    [0006 - SSH Authentication Sucess / SSH Multiple authentication failures followed by a success]


    In file /etc/ossim/agent/plugins/ossec-idm-single-line.cfg
    Comment out the entire section for these events:
    [OSSEC - IDM 04]
    [OSSEC - IDM 05]
    [OSSEC - IDM 06]
    [OSSEC - IDM 07]

    Then run:
    /etc/init.d/ossim-agent restart ; /etc/init.d/ossim-server restart



    I do still get a considerable number of "sudo to ROOT" entries, which I do want to see, but I do get more than 600 each day for an AV process run by user "avidm". I don't really care about these but I do want to see all other users who "sudo".

    I'm still digging around to figure a fix for this, if I get one going I'll post it back here.
  • I am able to keep the excessive avidm sudo entries by adding the following to /var/ossec/rules/local_rules.xml:
    <group name="syslog,sudo">
    <rule id="109000" level="0">
    <if_sid>5402</if_sid>
    <match>avidm</match>
    <description>Ignore SUDOs from user avidm</description>
    </rule>
    </group> <!-- SYSLOG, SUDO -->
    Then restart OSSEC:
    sudo /var/ossec/bin/ossec-control stop
    sudo /var/ossec/bin/ossec-control start
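    As an added illustration (not code from this thread or from OSSEC itself), here is a small Python stand-in for OSSEC's rule evaluation, run over constructed sudo log lines. It shows that the level-0 rule above drops the avidm entries while other users' "sudo to ROOT" events are still reported, and also that <match> is a substring test over the whole log line, so a command path that happens to contain "avidm" is silenced as well. The built-in rule 5402 check is a simplified assumption, not OSSEC's real decoder.

```python
import xml.etree.ElementTree as ET

# Local rule as posted above (constructed copy for this example).
LOCAL_RULES = """<group name="syslog,sudo">
<rule id="109000" level="0">
<if_sid>5402</if_sid>
<match>avidm</match>
<description>Ignore SUDOs from user avidm</description>
</rule>
</group>"""

# Constructed sample syslog lines; host name and commands are hypothetical.
SAMPLE_LOGS = [
    "Jul 10 09:00:01 ossim sudo:    avidm : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/clamscan",
    "Jul 10 09:05:12 ossim sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "Jul 10 09:06:40 ossim sudo:    bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /var/log/avidm.log",
]


def parse_local_rules(xml_text):
    """Read id, level, if_sid list and match string from each <rule>."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": [int(s) for s in r.findtext("if_sid", "").split(",") if s],
            "match": r.findtext("match", ""),
        })
    return rules


def evaluate(log, local_rules):
    """Return (rule_id, level) for a log line, or None if no rule fires."""
    # Assumption: a crude stand-in for OSSEC rule 5402 (successful sudo to root).
    if "sudo:" not in log or "USER=root" not in log:
        return None
    rule_id, level = 5402, 3
    # Child rules chain off the parent via <if_sid>; <match> is a plain substring test.
    for r in local_rules:
        if rule_id in r["if_sid"] and r["match"] and r["match"] in log:
            rule_id, level = r["id"], r["level"]
    return rule_id, level


def alerting_events(logs, xml_text=LOCAL_RULES):
    """Lines that would still be alerted on: level 0 means 'ignore' in OSSEC."""
    rules = parse_local_rules(xml_text)
    kept = []
    for log in logs:
        result = evaluate(log, rules)
        if result is not None and result[1] > 0:
            kept.append(log)
    return kept
```

    Only alice's sudo survives: bob's line is dropped purely because "avidm" appears in the command path, which is the kind of over-match to watch for when a rule keys on a short user name.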
  • edited July 2014
    Hey @PacketInspector,
    Should the post you linked to also take care of the ossec events, or just events coming in through auth.log? I worked on this last week, and it did decrease much of the traffic I was seeing, but the ossec events kept coming. I'm just wondering if I didn't configure something right.

    Thanks!
This discussion has been closed.