Disable OSSEC email for SSH maximum authentication attempts

Question

I try to disable the email notifications for the OSSEC rule 5758.

<rule id="5758" level="8">
<decoded_as>sshd</decoded_as>
<match>^error: maximum authentication attempts exceeded </match>
<description>Maximum authentication attempts exceeded.</description>
<group>authentication_failed,</group>
</rule>

In /var/ossec/rules/local_rules.xml I added this custom rule:

<rule id="100002" level="8">
<if_sid>5758</if_sid>
<description>No mail for max auth SSH</description>
<options>no_email_alert</options>
</rule>

But this rule has no effect.

Tux_DEV_NULL · Accepted Answer · 2018-04-24T13:17:46.987

You need <rule id="5758" level="0">

Level 0 means ignored/no action taken. It will still scan the file. I have this in my /var/ossec/rules/sshd_rules.xml. Just change the level to zero. If you want to keep the local changes in a different file then you can this in the local_rules.xml file which is probably a better way to manage this. Basically keep the original rule in sshd_rules.xml then overwrite it via local rules.

the main rule in /sshd_rules.xml:

 <rule id="5758" level="8">
    <decoded_as>sshd</decoded_as>
    <match>^error: maximum authentication attempts exceeded </match>
    <description>Maximum authentication attempts exceeded.</description>
    <group>authentication_failed,</group>
  </rule>

and then in local_rules:

   <rule id="100002" level="0">
<if_sid>5758</if_sid>
<description>No mail for max auth SSH</description>
<options>no_email_alert</options>
</rule>

Can you show me the complete rule, i have to create in /var/ossec/rules/local_rules.xml? — Dave, Apr 24 '18 at 12:25
I added some more information in the original answer. Hope this helps. — Tux_DEV_NULL, Apr 24 '18 at 13:18

Disable OSSEC email for SSH maximum authentication attempts

1 Answers1