On Feb 18, 2016 5:44 PM, "Jane Doe" <hadonad...@gmail.com> wrote:
>
> Hey guys!
>
> I'm trying to filter rule 18154 by not sending email alerts for certain hosts. I've tried several ways to filter this in the local_rules.xml file.
>
> 1)
>
> <var name="MS_FREQ">6</var>
>
> <group name="windows,">
>   <rule id="18154" level="10" frequency="$MS_FREQ" timeframe="240">
>     <if_matched_sid>18103</if_matched_sid>
>     <match>ip_address</match> //I've also replaced this with srcip
>     <match>ip_address</match> //I've also replaced this with srcip
>     <options>no_email_alerts</options>
>     <description>Multiple Windows error events.</description>
>   </rule>
> </group>
>
> 2) I've created my own rule
>
> <var name="MS_FREQ">6</var>
>
> <group name="windows,">
>   <rule id="100000" level="0" frequency="$MS_FREQ" timeframe="240">
>     <if_matched_sid>18103</if_matched_sid>
>     <match>ip_address</match> //I've also replaced this with srcip
>     <match>ip_address</match> //I've also replaced this with srcip
>     <description>Multiple Windows error events.</description>
>   </rule>
> </group>
>
> 3)
>
> <group name="windows,">
>   <rule id="100000" level="0">
>     <if_matched_sid>18154</if_matched_sid>
>     <match>ip_address</match> //I've also replaced this with srcip
>     <match>ip_address</match> //I've also replaced this with srcip
>     <description>Multiple Windows error events.</description>
>   </rule>
> </group>
>
> Does the group name matter? Do I need to decode srcip? I have the general idea on how to filter rules in general for all hosts, but I can't seem to get it to work for specific hosts.
I think multiple matches not separated by a "|" will be ANDed together. Try it with one match option. Also, providing a log sample helps us test and makes helping a lot easier.

> Thanks!

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
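A concrete way to apply the reply's advice, added here as an illustration and not code from either poster (the host names and the rule id are placeholders): write a child rule of 18154 that carries exactly one host condition. Two things the posted attempts trip over. First, `<if_matched_sid>` together with `frequency`/`timeframe` defines a composite rule, whereas a rule that refines an alert which has already fired should use `<if_sid>` with no frequency. Second, every `<match>`, `<srcip>` or `<hostname>` element in a rule is a separate condition that must all hold, so several hosts belong in one element separated by `|`, which the OSSEC regex engine treats as alternation. `<srcip>` only compares against a field a decoder has extracted from the log body, so for agent-forwarded Windows events the agent name, matched with `<hostname>`, is the usual host selector; no extra decoding is needed. The option OSSEC recognises for suppressing mail is `no_email_alert`.

```xml
<!-- Example filter for local_rules.xml; not from the original thread.
     Rule id 100010 and the host names are assumptions. -->
<group name="local,windows,">
  <!-- Child of 18154: evaluated after 18154 matches, and its settings
       apply instead of the parent's for events that satisfy it.
       Keep level 10 (the parent's level) so the alert still reaches
       alerts.log; only the e-mail is suppressed. -->
  <rule id="100010" level="10">
    <if_sid>18154</if_sid>
    <!-- One condition only. "|" is OR inside a single element;
         two separate <hostname> elements would both have to match. -->
    <hostname>winsrv01|winsrv02</hostname>
    <options>no_email_alert</options>
    <description>Multiple Windows error events (noisy hosts, no e-mail).</description>
  </rule>
</group>
```

Set `level="0"` instead if the alert should be dropped entirely for those hosts rather than merely kept out of e-mail. The leading `local,` in the group name is just a tag; the group name does not affect whether the rule matches.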