
I am trying to disable the email notifications for OSSEC rule 5758.

<rule id="5758" level="8">
<decoded_as>sshd</decoded_as>
<match>^error: maximum authentication attempts exceeded </match>
<description>Maximum authentication attempts exceeded.</description>
<group>authentication_failed,</group>
</rule>

In /var/ossec/rules/local_rules.xml I added this custom rule:

<rule id="100002" level="8">
<if_sid>5758</if_sid>
<description>No mail for max auth SSH</description>
<options>no_email_alert</options>
</rule>

But this rule has no effect.

1 Answer

You need <rule id="5758" level="0">

Level 0 means ignored/no action taken. It will still scan the file. I have this in my /var/ossec/rules/sshd_rules.xml. Just change the level to zero. If you want to keep the local changes in a different file, then you can do this in the local_rules.xml file, which is probably a better way to manage this. Basically, keep the original rule in sshd_rules.xml and then overwrite it via local rules.

The main rule in /sshd_rules.xml:

<rule id="5758" level="8">
  <decoded_as>sshd</decoded_as>
  <match>^error: maximum authentication attempts exceeded </match>
  <description>Maximum authentication attempts exceeded.</description>
  <group>authentication_failed,</group>
</rule>

And then in local_rules.xml:

<rule id="100002" level="0">
  <if_sid>5758</if_sid>
  <description>No mail for max auth SSH</description>
  <options>no_email_alert</options>
</rule>

  • Can you show me the complete rule I have to create in /var/ossec/rules/local_rules.xml?
    – Dave
    Commented Apr 24, 2018 at 12:25
  • I added some more information to the original answer. Hope this helps.
    Commented Apr 24, 2018 at 13:18
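As an added example (not code from the question or the answer above), here is a complete local_rules.xml fragment that shows the two ways of silencing the mail for rule 5758 side by side. Variant A is what the answer does: a level-0 child rule, which makes OSSEC ignore the event completely. Variant B instead overrides rule 5758 itself with overwrite="yes" and adds no_email_alert, so the alert is still written to alerts.log at level 8 and only the e-mail is dropped. Only one variant should be active at a time; the file must be loaded after sshd_rules.xml, which is the case with the default include order in ossec.conf. Rule ID 100002, the group name and the descriptions are assumptions chosen for this example.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example). Keep ONE of the two
     variants active; the other is left as an XML comment. -->
<group name="local,syslog,sshd,">

  <!-- Variant A: level-0 child rule, as in the answer above. OSSEC ignores
       the event: no e-mail, but also no line in alerts.log, so nothing is
       left for active response or a SIEM that reads alerts.log. -->
  <rule id="100002" level="0">
    <if_sid>5758</if_sid>
    <description>Ignore sshd "maximum authentication attempts exceeded".</description>
  </rule>

  <!-- Variant B: override the stock rule in place. overwrite="yes" replaces
       the whole definition of 5758, so decoded_as, match and group must be
       repeated. The alert keeps level 8 and is still logged and still
       usable by rules that chain on 5758; only the e-mail is suppressed. -->
  <!--
  <rule id="5758" level="8" overwrite="yes">
    <decoded_as>sshd</decoded_as>
    <match>^error: maximum authentication attempts exceeded </match>
    <description>Maximum authentication attempts exceeded.</description>
    <group>authentication_failed,</group>
    <options>no_email_alert</options>
  </rule>
  -->

</group>
```

To check which variant is in effect without waiting for a real brute-force attempt, feed a constructed sshd line to /var/ossec/bin/ossec-logtest on the manager, e.g. `Jan 10 10:00:00 host sshd[1234]: error: maximum authentication attempts exceeded for root from 192.0.2.10 port 51234 ssh2 [preauth]`. With Variant A the final phase reports rule 100002 at level 0 and no "Alert to be generated" line; with Variant B it reports rule 5758 at level 8 and still generates the alert, which is the state you want if the goal is only to stop the mail rather than to lose the event.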
