Filter out dynamic dns hostnames


Herman Harperink

Aug 3, 2016, 1:48:09 AM
to ossec-list
Hi all,

Can somebody hint me in the right direction on this?
I have two dynamic hosts with a ddns hostname and I don't want those to trigger events. But I can't find a way to do that anywhere.

Thanks in advance.

Herman

dan (ddp)

Aug 3, 2016, 8:48:06 AM
to ossec...@googlegroups.com
Remove the agents from those hosts? I'm probably misunderstanding
something, maybe an example of what you don't want to see would help?


Herman Harperink

Aug 3, 2016, 9:07:27 AM
to ossec...@googlegroups.com
Hi Dan,

When my phone / PC / iPad collects email I get a "dovecot authentication success" event. I could ignore this event by downrating it to zero in local_rules so it won't be logged, but I want to see all successful authentications on my mail server from hosts that are not my own (since I am the only one using it). Same goes for FTP, SSH etc.
In case someone hacks my server or steals my credentials, that would light up on my dash.

My home internet connection has a dynamic IP, but by using a dyndns provider (duckdns) I have a static domain name of my own. However, OSSEC lookups always return the dynamic hostname my provider gave me, and never my dyndns hostname, since they don't update DNS records (no authority).
If I look up my dyndns hostname on my OSSEC manager I get my IP. But if I look up my IP I get my provider's hostname, which is not static.

So: connection from xxx.xxx.xxx.xxx resolves to dip-t-somewhat-hostname (within OSSEC). I am looking for a way to let OSSEC check if IP xxx.xxx.xxx.xxx is my myhost.duckdns.org hostname, and if it is, ignore the event.


dan (ddp)

Aug 3, 2016, 10:16:39 AM
to ossec...@googlegroups.com
There is no facility to do DNS lookups in the analysis engine.

Herman Harperink

Aug 3, 2016, 10:29:16 AM
to ossec...@googlegroups.com
I know that, but maybe somebody knows a way around that. That's why I ask. There is always a way, and I will find it :-)

Thanks.
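The workaround question is left open in the thread. One way to do it, as an added example that is not from the thread or from the OSSEC project: since ossec-analysisd cannot resolve names, resolve the dyndns name outside the engine (from cron), write the current address into a CDB list, and let a level-0 local rule match srcip against that list. The install prefix, the list name own-hosts, the value text own-host and rule id 100100 are assumptions; only myhost.duckdns.org comes from the thread. The rule also assumes that the stock OSSEC rules for dovecot, sshd and ftp tag successful logins with the authentication_success group, as OSSEC's shipped rule sets do for these decoders; confirm it with ossec-logtest on one of your own log lines before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread or the OSSEC project: work around the
# missing DNS lookup in ossec-analysisd by resolving the dyndns name OUTSIDE
# the analysis engine (from cron) and feeding the result into a CDB list that
# a local rule can match on srcip.
#
# Assumed, not taken from the original post: the install prefix, the list
# name "own-hosts", the value text "own-host" and rule id 100100.
# Only myhost.duckdns.org comes from the thread.
#
# ossec.conf, inside <rules>:
#   <list>lists/own-hosts</list>
#
# local_rules.xml (level 0 silences the alert only for addresses in the list;
# every other successful login keeps its normal level):
#   <group name="local,">
#     <rule id="100100" level="0">
#       <if_group>authentication_success</if_group>
#       <list field="srcip" lookup="address_match_key">lists/own-hosts</list>
#       <description>Successful login from own dyndns host, ignored.</description>
#     </rule>
#   </group>

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"
LIST="${LIST:-$OSSEC_DIR/lists/own-hosts}"   # text source; makelists writes $LIST.cdb
HOSTS="${HOSTS:-myhost.duckdns.org}"         # space separated dyndns names to track

# Resolve a name to its IPv4 addresses, one per line (empty output on failure).
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# Strict dotted-quad check: exactly four octets, each 0-255. A garbage key in
# the list source would compile fine but never match, so reject it here.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Emit the CDB source ("key:value" per line) for the given addresses,
# dropping anything that is not a valid IPv4 address.
build_list() {
    for ip in "$@"; do
        if is_ipv4 "$ip"; then
            printf '%s:own-host\n' "$ip"
        else
            echo "build_list: skipping non-IPv4 value '$ip'" >&2
        fi
    done
}

# The same test the rule performs, done locally: is this srcip a key in the
# list source file? Useful for checking the list by hand after an IP change.
in_list() {
    grep -q "^$(printf '%s' "$1" | sed 's/\./\\./g'):" "$2"
}

# Resolve, rebuild the list and recompile it, but only when the address set
# actually changed. On a resolution failure the previous list is kept and the
# script exits non-zero so cron reports it; see the note below for the trade-off.
update_list() {
    addrs=$(for h in $HOSTS; do resolve_ipv4 "$h"; done | sort -u)
    if [ -z "$addrs" ]; then
        echo "update_list: could not resolve $HOSTS; keeping existing list" >&2
        return 1
    fi
    tmp=$(mktemp "$LIST.XXXXXX") || return 1
    build_list $addrs > "$tmp"
    if cmp -s "$tmp" "$LIST" 2>/dev/null; then
        rm -f "$tmp"        # unchanged, nothing to recompile
        return 0
    fi
    mv "$tmp" "$LIST"
    "$OSSEC_DIR/bin/ossec-makelists"   # rebuilds lists/own-hosts.cdb
}

if [ "${1:-}" = "run" ]; then
    update_list
fi
```

Install it as, for example, /usr/local/sbin/ossec-own-hosts.sh and run it from root's crontab every few minutes (`*/5 * * * * /usr/local/sbin/ossec-own-hosts.sh run`). After adding the `<list>` entry to ossec.conf and the rule to local_rules.xml, run ossec-makelists once and restart the manager; then check with a real login that the new address is honoured after the next cron run, and if your OSSEC version only reads the .cdb at startup, add a restart of ossec-analysisd to the script after ossec-makelists. Two caveats a practitioner should keep in mind: anything else sharing the same public address (carrier NAT, a guest on the home network, or an attacker who already has a foothold there) is silenced with you, and between an IP change and the next cron run the old address is still trusted while the new one alerts. The script handles IPv4 only; if the host also logs in over IPv6, extend resolve_ipv4 and is_ipv4 accordingly. Keeping the stale list on a DNS failure avoids an alert burst on every resolver hiccup, at the cost of trusting a possibly reassigned address until the next successful run; if that worries you more, write an empty list instead.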
