Ignore Rule


luqman azad

Oct 7, 2024, 6:16:10 AM
to Wazuh | Mailing List
Hi,
I have a task where I want to ignore any SSH attempt when an agent tries to SSH to itself, whether the password was wrong or right, and the same for the username. So I mean it should ignore the event when the source IP and destination IP are the same, and not send the log to the Wazuh Dashboard.

Thanks for helping.

Olusegun Adenrele Oyebo

Oct 7, 2024, 8:55:24 AM
to Wazuh | Mailing List
Hello Luqman,

To achieve your goal, you can create exclusion rules for all the alerts relating to SSH attempts with the same source and destination IP address if you don't want to see them. For example:

<var name="same_ip">192.168.227.104</var>

<group name="sshd,">

  <!-- Child of rule 5710 (sshd login attempt): a level 0 match suppresses the alert -->
  <rule id="100011" level="0">
    <if_sid>5710</if_sid>
    <srcip>$same_ip</srcip>
    <dstip>$same_ip</dstip>
    <description>Ignore if source and destination IP are the same</description>
  </rule>

</group>

Note that when the level is set to 0, this will prevent the alert from being triggered.

Also note that you'll need to adjust the rule based on your SSH logs. You can check the link below for more information on Wazuh rules:

I hope this helps. We remain attentive to your queries.

Best regards.

luqman azad

Oct 7, 2024, 9:28:06 AM
to Wazuh | Mailing List
Thanks for responding, but what if we have, say, 100 agents? It is not flexible to add all the IPs as variables.

Olusegun Adenrele Oyebo

Oct 10, 2024, 7:41:46 AM
to Wazuh | Mailing List
Hello Luqman,

In this case, you can make use of CDB lists. Using this method, you can create the list of IP addresses that match this criteria and store it in a file. The format of a CDB list is a unique key followed by a colon (:) separator:
key1:
key2:

In your case, if you want to put in a range of IP addresses, below is an example:
  • 192.168.:
When you add the above example key, it means you're adding a list of IP addresses with the CIDR notation 192.168.0.0/16, which covers the range 192.168.0.0 - 192.168.255.255. You can check the link below for more information on this:

I hope this helps you. We remain attentive to your queries.

Best regards.
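The three pieces that make the CDB-list approach above work end to end, shown together as an added example (this is not configuration from the thread or from the Wazuh project; the list name agent-ips, the rule id 100012 and the IP values are constructed for illustration). The list file holds the prefix keys, ossec.conf registers the list so the manager compiles it, and a level 0 child rule of the sshd group looks the decoded srcip up with the address_match_key lookup:

```xml
<!-- 1) /var/ossec/etc/lists/agent-ips (CDB list; constructed sample keys).
     One key per line, each terminated by a colon. A key ending in a dot is a
     prefix, so "192.168." covers 192.168.0.0/16 as described in the reply above.
192.168.:
10.20.30.40:
-->

<!-- 2) /var/ossec/etc/ossec.conf: register the list so the manager compiles it on restart -->
<ossec_config>
  <ruleset>
    <list>etc/lists/agent-ips</list>
  </ruleset>
</ossec_config>

<!-- 3) /var/ossec/etc/rules/local_rules.xml: suppress sshd events whose source IP is on the list.
     Rule id 100012 is an arbitrary id in the custom range; level 0 means no alert is generated. -->
<group name="local,sshd,">
  <rule id="100012" level="0">
    <if_group>sshd</if_group>
    <list field="srcip" lookup="address_match_key">etc/lists/agent-ips</list>
    <description>Suppress SSH events whose source IP is in the agent-ips CDB list</description>
  </rule>
</group>
```

After restarting the manager, feed a sample sshd line through /var/ossec/bin/wazuh-logtest to confirm that rule 100012 is the one that fires for a listed source address and that an unlisted address still reaches the usual sshd rules. One caveat for anyone adopting this: the rule matches on the source IP alone, so with all agent addresses in the list it silences SSH attempts from any agent to any other agent, not only an agent connecting to itself; keep the list as narrow as the requirement allows, since the suppressed events never reach the dashboard.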

luqman azad

Oct 11, 2024, 4:49:16 PM
to Wazuh | Mailing List
Hello Olusegun,
Thank you for your help, I tried it and it works.
