Hi, I think your rule is proper. You can add another srcip field if you want:

    <rule id="100001" level="0">
      <if_level>7</if_level>
      <srcip>192.168.2.1</srcip>
      <srcip>192.168.2.2</srcip>
      <description>Ignoring rule any level above 7 from ip X.</description>
    </rule>

If you want to send emails for severities above X level, you can use this configuration:

    <ossec_config>
      <alerts>
        <email_alert_level>X</email_alert_level>
      </alerts>
    </ossec_config>

Level 7 is the minimum alert level to send e-mail notifications.

Documentation: http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.alerts.html#element-email_alert_level

Also, check out this: http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.email_alerts.html#element-level

*<alerts><email_alert_level>* overrides granular email alert levels: <email_alerts><level>. Individual rules can override this with the *alert_by_email* option.

Regards.
Jesus Linares.

On Tuesday, March 1, 2016 at 3:02:19 PM UTC+1, calvin ratti wrote:
>
> Hi,
>
> I have a VA scanner which I have added in the Whitelist to prevent Active
> Response from blocking the scans. What I also understand from here is that
> to prevent email alerts, I should create a custom rule. Is the following
> syntax proper or am I missing something:
>
> <rule id="100001" level="0">
>   <if_level>7</if_level>
>   <srcip>1.2.3.4/24</srcip>
>   <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
> </rule>
>
> rule id is unique, we have configured to send email alerts only for level
> 7 & above.
>
> -Cal
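
An added example, not part of the original thread and not OSSEC code: a small Python check that reports which source addresses a level 0 suppression rule like the ones above actually covers, and flags typographic quotes that a standard XML parser rejects. The two sample rules are constructed from the thread, and `lint_rule` is a hypothetical helper name.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Maps typographic quotes (common after copy/paste from mail or web) to ASCII.
SMART_QUOTES = str.maketrans("\u201c\u201d\u2018\u2019", "\"\"''")

# Constructed samples based on the two rules quoted in this thread.
RULE_AS_POSTED = """<rule id=\u201c100001\u201d level=\u201c0\u201d>
  <if_level>7</if_level>
  <srcip>1.2.3.4/24</srcip>
  <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
</rule>"""

RULE_TWO_HOSTS = """<rule id="100001" level="0">
  <if_level>7</if_level>
  <srcip>192.168.2.1</srcip>
  <srcip>192.168.2.2</srcip>
  <description>Ignoring rule any level above 7 from ip X.</description>
</rule>"""


def lint_rule(text):
    """Return (findings, networks) for one <rule> element given as text."""
    findings = []
    cleaned = text.translate(SMART_QUOTES)
    if cleaned != text:
        findings.append("typographic quotes replaced with ASCII quotes before parsing")
    rule = ET.fromstring(cleaned)
    networks = []
    for el in rule.findall("srcip"):
        value = (el.text or "").strip()
        try:
            # strict=False accepts an address with host bits set, e.g. 1.2.3.4/24
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(f"srcip {value!r} is not an IP address or CIDR block")
            continue
        networks.append(net)
        if "/" in value and str(net) != value:
            findings.append(f"srcip {value} has host bits set; it covers {net} "
                            f"({net.num_addresses} addresses)")
    if rule.get("level") == "0" and not networks:
        findings.append("level 0 rule has no valid srcip, so it is not limited to any source")
    return findings, networks


if __name__ == "__main__":
    for sample in (RULE_AS_POSTED, RULE_TWO_HOSTS):
        findings, networks = lint_rule(sample)
        print([str(n) for n in networks], findings or "no findings")
```

Listing the covered range makes it easy to confirm that the suppression applies only to the scanner addresses and not to a whole subnet.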