Expert | Posts: 164 | Liked: 57 times | Joined: Mar 22, 2021 11:19 am
[Fork from 74788] Alarm suspension custom rules
Customer has an intrusion detection system, trying to log on to ESXi hosts. Each time ONE registers a failed login attempt, which is expected. But... since it is expected that the login will fail, the alarm is a false positive in a way. It could be helpful to create a custom alarm that excludes failed attempts from a certain IP address only, but triggers on everyone else. Still not 100%, because if someone finds a way into the IDS system, they could try indefinitely from there and no one would know.
Expert | Posts: 164 | Liked: 57 times | Joined: Mar 22, 2021 11:19 am
Re: [Fork from 74788] Alarm suspension custom rules
@Matts N I forked your request from 74788 into a new topic, so we could track those separately.
Quote: Customer has an intrusion detection system, trying to log on to ESXi hosts.

Does this intrusion system work on a schedule? Or do those logon attempts happen at random?
If it's the former, you could probably suppress the alarm based on a schedule that can be configured on the Suppress tab in its settings.
Enthusiast | Posts: 69 | Liked: 15 times | Joined: Dec 27, 2010 10:41 am | Full Name: Matts Nilsson
Re: [Fork from 74788] Alarm suspension custom rules
Hello Nikolaj,
I feel like a proper n00b when it comes to ONE.
I think it is set to a schedule, along the lines of "first Tuesday every month" or "Monday second week of month", but not sure. I will check with my customer regarding this. A suppression of the error is probably only halfway there though, unless I can filter the source of the alarm. I don't want to suppress all alarms, only those triggered from a certain host. Even if the suppression is only for a few minutes, it could potentially still filter out a proper alarm.
Veteran | Posts: 3077 | Liked: 455 times | Joined: Aug 07, 2018 3:11 pm | Full Name: Fedor Maslov
Re: [Fork from 74788] Alarm suspension custom rules
Hi Matts,
Chiming in to say that you may create an alarm copy for that particular host by modifying the assignment scope, and then suppress it during the required period of time.
Thanks
Enthusiast | Posts: 69 | Liked: 15 times | Joined: Dec 27, 2010 10:41 am | Full Name: Matts Nilsson
Re: [Fork from 74788] Alarm suspension custom rules
Hello Fedor,
I think you got the problem backwards. I can assign an alarm to all or parts of the infrastructure, yes. But I do not wish to filter based on infrastructure; I want to filter based on what triggers the alarm in the first place, regardless of which part of the infrastructure is the target.
An example, hopefully understandable:
In my infrastructure I have hosts A, B, C, and D. Some external source, E, tries to log on to these hosts with invalid credentials, triggering the alarm "Bad Host username logon attempt". I want to filter this alarm based on that external source E, not on whether the alarm is triggered on host A, B, C, or D.
Cheers!
Edit: The reason for filtering on the external source is that it allows me to filter out a specific source instead of filtering out all sources during the period the alarm is suppressed.
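The rule Matts describes above (exempt one expected source E, keep alarming on everyone else, and still catch E if it misbehaves) is easy to express outside the product once the failed-login events are available as log lines. The following is an added example written for this thread, not Veeam ONE functionality and not code from any poster. It assumes a generic syslog-style "Failed password ... from <ip>" line (the constructed sample lines below are not real ESXi auth.log output, whose format varies by version), a hypothetical allow-list of scanner addresses, and a scheduled window. It goes one step beyond the request: the expected source is only exempted inside its window and only up to a small per-host attempt budget, which addresses the worry that a compromised IDS could try indefinitely unnoticed.

```python
"""Filter ESXi failed-login events by source address (added example).

Models the custom rule discussed in the thread: hosts A, B, C and D receive
failed logons; the expected scanner E is exempted, but only inside its
scheduled window and only up to a small attempt budget per host. All log
lines, addresses and times below are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed syslog-style lines; not real ESXi auth.log output.
SAMPLE_LOG = """\
2021-03-22T10:00:01Z hostA sshd[1001]: Failed password for root from 192.0.2.10 port 50001 ssh2
2021-03-22T10:00:02Z hostB sshd[1002]: Failed password for root from 192.0.2.10 port 50002 ssh2
2021-03-22T10:00:03Z hostC sshd[1003]: Failed password for root from 192.0.2.10 port 50003 ssh2
2021-03-22T10:00:04Z hostD sshd[1004]: Failed password for root from 192.0.2.10 port 50004 ssh2
2021-03-22T10:00:05Z hostA sshd[1007]: Failed password for root from 192.0.2.10 port 50006 ssh2
2021-03-22T10:05:00Z hostA sshd[1005]: Failed password for root from 198.51.100.7 port 40001 ssh2
2021-03-22T23:30:00Z hostB sshd[1006]: Failed password for admin from 192.0.2.10 port 50005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text):
    """Yield one dict per failed-login line; lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
                tzinfo=timezone.utc
            )
            yield ev


def evaluate(events, expected_sources, window, max_per_source):
    """Return a list of (reason, event) alarms.

    expected_sources: source IPs allowed to fail logins (the scanner E).
    window: (start, end) UTC datetimes of the scanner's scheduled run.
    max_per_source: failed attempts an expected source may make against one
        host inside the window before it is alarmed on anyway.
    Everything from a non-expected source alarms unconditionally, so the
    exemption never hides attempts from other addresses.
    """
    alarms = []
    per_host = Counter()
    start, end = window
    for ev in events:
        src, host = ev["src"], ev["host"]
        if src not in expected_sources:
            alarms.append(("unexpected source", ev))
            continue
        if not (start <= ev["ts"] <= end):
            alarms.append(("expected source outside schedule", ev))
            continue
        per_host[(src, host)] += 1
        if per_host[(src, host)] > max_per_source:
            alarms.append(("expected source exceeded attempt budget", ev))
    return alarms


def run_sample():
    """Apply the rule to the constructed log with a 09:00-11:00 UTC window."""
    window = (
        datetime(2021, 3, 22, 9, 0, tzinfo=timezone.utc),
        datetime(2021, 3, 22, 11, 0, tzinfo=timezone.utc),
    )
    return evaluate(parse(SAMPLE_LOG), {"192.0.2.10"}, window, max_per_source=1)


if __name__ == "__main__":
    for reason, ev in run_sample():
        print(f"ALARM {reason}: {ev['src']} -> {ev['host']} "
              f"user={ev['user']} at {ev['ts'].isoformat()}")
```

On the sample, the four single attempts from 192.0.2.10 inside the window are silent; the second attempt against hostA exceeds the budget, the attempt from 198.51.100.7 is an unexpected source, and the 23:30 attempt from the scanner falls outside its schedule, so three alarms are raised.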
Veteran | Posts: 3077 | Liked: 455 times | Joined: Aug 07, 2018 3:11 pm | Full Name: Fedor Maslov
Re: [Fork from 74788] Alarm suspension custom rules
Got it, thanks for clarifying. Currently, this is not possible and the workaround is to suppress the alarms during the period when the IDS is performing its login activities. We'll treat it as an FR.
To be honest, I've never seen an IDS trying to perform login attempts on the target system. Are you sure this is the case?
Thanks
Enthusiast | Posts: 69 | Liked: 15 times | Joined: Dec 27, 2010 10:41 am | Full Name: Matts Nilsson
Re: [Fork from 74788] Alarm suspension custom rules
According to my customer, they have a system that checks that it cannot log into their ESXi hosts using SSH (that is, is SSH running when it should not be?). It is this check that triggers the alarm for incorrect logon information on the ESXi hosts, and since it is expected, it is a false positive in ONE.