Hi Dave,

Our wiki has some examples on how to ignore a specific IP address. The whitelist is only used for the active response, not for the alerts themselves.
Link: http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules#Ignoring_a_specific_IP

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Jan 11, 2008 10:22 AM, Dave Rutlidge <[EMAIL PROTECTED]> wrote:
>
> We receive a lot of files from an automated system which makes a new ftp
> connection for each file. Rule 11452 fires (as it should) when we get 10
> successive logins. I've added the client IP to the whitelist so they don't
> get blocked, but now I get LOADS of emails and alerts telling me that I'm
> getting "Multiple FTP connection attempts from same source IP".
>
> How can I fix this?
>
> I know I can remove the alert, but generally it's a good rule, so I don't
> want to do that. I'd be happy to get one email / alert per day for a given
> rule/srcip, but not one every few seconds.
>
> Ideally, if a source IP is white listed, I'd rather not get emails / alerts.
>
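
The distinction drawn in the reply, as an added example that is not part of the original thread or the wiki page: the `white_list` entry only exempts the host from active response, while a level 0 child rule in `local_rules.xml` is what silences the alert for that source. The address 192.0.2.10, the rule id 100100 and the description text are constructed placeholders, and the sketch assumes a child rule chained to 11452 with `if_sid` is evaluated after the frequency rule fires.

```xml
<!-- ossec.conf (constructed fragment): keeps the upload host from being
     blocked by active response. Rule 11452 still alerts and still sends mail. -->
<ossec_config>
  <global>
    <white_list>192.0.2.10</white_list>  <!-- placeholder address -->
  </global>
</ossec_config>

<!-- local_rules.xml (constructed fragment): child of rule 11452 that matches
     only the upload host and drops the event to level 0, so no alert or
     email is generated for it. Every other source IP still triggers 11452. -->
<group name="local,">
  <rule id="100100" level="0">  <!-- hypothetical id in the local rule range -->
    <if_sid>11452</if_sid>
    <srcip>192.0.2.10</srcip>   <!-- same placeholder address as above -->
    <description>Ignore repeated FTP connections from the automated upload host.</description>
  </rule>
</group>
```

Scoping the override with `srcip` keeps rule 11452 active for all other hosts; an attacker who can source traffic from the exempted address would go unreported by this rule, so the exemption should cover a single known host rather than a range.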