Hey guys! 

I'm trying to filter rule 18154 by not sending email alerts for certain 
hosts. I've tried several ways to filter this in the local_rules.xml file.

1)

<var name="MS_FREQ">6</var>  

<group name="windows,">
  <rule id="18154" level="10" frequency="$MS_FREQ" timeframe="240">
    <if_matched_sid>18103</if_matched_sid>
     <match>*ip_address*</match>    <!-- I've also replaced this with srcip -->
     <match>*ip_address*</match>    <!-- I've also replaced this with srcip -->
     <options>no_email_alerts</options>
    <description>Multiple Windows error events.</description>
  </rule>
</group>

2) I've created my own rule

<var name="MS_FREQ">6</var>  

<group name="windows,">
  <rule id="100000" level="0" frequency="$MS_FREQ" timeframe="240">
    <if_matched_sid>18103</if_matched_sid>
     <match>*ip_address*</match>    <!-- I've also replaced this with srcip -->
     <match>*ip_address*</match>    <!-- I've also replaced this with srcip -->
    <description>Multiple Windows error events.</description>
  </rule>
</group>

3)

<group name="windows,">
  <rule id="100000" level="0">
    <if_matched_sid>18154</if_matched_sid>
     <match>*ip_address*</match>    <!-- I've also replaced this with srcip -->
     <match>*ip_address*</match>    <!-- I've also replaced this with srcip -->
    <description>Multiple Windows error events.</description>
  </rule>
</group>


Does the group name matter? Do I need to decode srcip? I have the general 
idea on how to filter rules in general for all hosts, but I can't seem to 
get it to work for specific hosts.

Thanks!
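An added example for local_rules.xml, not taken from the post above: instead of re-declaring the composite rule, a child rule chains on 18154 with <if_sid> and narrows to the agents whose mail should be dropped. The rule id 100001 and the host names are placeholders; the option is spelled no_email_alert (singular) in OSSEC.

```xml
<!-- Added example, not from the original post. Rule id 100001 and the
     host names are placeholders; pick an unused id in your 100000+ range
     and the agent names of the hosts you want to silence. -->
<group name="local,windows,">
  <!-- Matches only when 18154 has already fired for one of the listed
       agents. Level 10 is kept so the alert still reaches alerts.log;
       no_email_alert stops the e-mail for those hosts only. Other hosts
       still hit the stock 18154 rule and keep mailing as before. -->
  <rule id="100001" level="10">
    <if_sid>18154</if_sid>
    <hostname>winhost01|winhost02</hostname>
    <options>no_email_alert</options>
    <description>Multiple Windows error events (e-mail suppressed for listed hosts).</description>
  </rule>
</group>
```

Check the result with ossec-logtest after restarting ossec-analysisd: an event from a listed host should report rule 100001, one from any other host rule 18154.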
