You might also try using a pipe (or). I use this for <match> to omit
alerts from certain addresses.

<rule id="100001" level="0">
    <if_level>7</if_level>
    <srcip>192.168.2.1|192.168.2.2</srcip>
    <description>Ignoring rule any level above 7 from ip X.</description>
</rule>

On Tuesday, March 1, 2016 at 8:12:13 AM UTC-8, Jesus Linares wrote:
>
> Hi,
>
> I think your rule is proper. You can add another srcip field if you want:
>
> <rule id="100001" level="0">
>     <if_level>7</if_level>
>     <srcip>192.168.2.1</srcip>
>     <srcip>192.168.2.2</srcip>
>     <description>Ignoring rule any level above 7 from ip X.</description>
> </rule>
>
> If you want to send emails for severities above X level, you can use this 
> configuration:
>
> <ossec_config>
>     <alerts>
>         <email_alert_level>X</email_alert_level>
>     </alerts>
> </ossec_config>
>
> Level 7 is the minimum alert level to send e-mail notifications.
>
> Documentation: 
> http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.alerts.html#element-email_alert_level
>
> Also, check out this: 
> http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.email_alerts.html#element-level
>
> <alerts><email_alert_level> overrides granular email alert levels: 
> <email_alerts><level>. Individual rules can override this with the 
> alert_by_email option.
>
> Regards.
> Jesus Linares.
>
>
>
> On Tuesday, March 1, 2016 at 3:02:19 PM UTC+1, calvin ratti wrote:
>>
>> Hi,
>>
>> I have a VA scanner which I have added in the Whitelist to prevent Active 
>> Response from blocking the scans. What I also understand from here is that 
>> to prevent email alerts, I should create a custom rule. Is the following 
>> syntax proper or am i missing something:
>>
>> <rule id="100001" level="0">
>>     <if_level>7</if_level>
>>     <srcip>1.2.3.4/24</srcip>
>>     <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
>> </rule>
>>
>> The rule id is unique; we have configured email alerts to be sent only for 
>> level 7 and above. 
>>
>> -Cal
>>
>
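The rule logic this thread discusses, as an added example (mine, not code from any poster and not OSSEC's own rule engine): a small Python simulation of a level-0 child rule with <if_level> and <srcip> silencing alerts from whitelisted IPs, and of whether what survives clears <email_alert_level>. The assumptions are labelled in the code: <srcip> values joined with "|" or "," are treated as alternatives (the real parser's handling of the pipe form is not settled by this thread; multiple <srcip> elements, as in Jesus' version, are the documented way), <if_level>N is satisfied when the parent alert's level is at least N, a child rule that fires replaces the parent's level, and level 0 never alerts, so it never mails. The rules file wrapper, the sample alerts and the source addresses are constructed for the example. Before relying on a real rule, feed a matching log line through /var/ossec/bin/ossec-logtest and confirm the level it reports.

```python
"""Simulation of OSSEC-style if_level/srcip suppression (added example, not
OSSEC's code).  Assumptions: '|' and ',' separate alternative srcip values;
if_level N matches when the parent alert's level >= N; the first matching
child rule replaces the parent's level; level 0 never alerts or mails.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment combining the rules from the thread.
LOCAL_RULES = """
<group name="local,">
  <rule id="100001" level="0">
    <if_level>7</if_level>
    <srcip>1.2.3.4/24</srcip>
    <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
  </rule>
  <rule id="100002" level="0">
    <if_level>7</if_level>
    <srcip>192.168.2.1|192.168.2.2</srcip>
    <description>Ignoring rule any level above 7 from ip X.</description>
  </rule>
</group>
"""

EMAIL_ALERT_LEVEL = 7  # <alerts><email_alert_level>7</email_alert_level>


def parse_srcip(value):
    """Turn '1.2.3.4/24' or '192.168.2.1|192.168.2.2' into ip_network objects.

    strict=False masks the host bits, so 1.2.3.4/24 becomes 1.2.3.0/24: the
    whole /24 is whitelisted, not only .4 (worth knowing before writing it).
    """
    nets = []
    for part in value.replace(",", "|").split("|"):  # assumption: alternation
        part = part.strip()
        if part:
            nets.append(ipaddress.ip_network(part, strict=False))
    return nets


def load_rules(xml_text):
    """Read id, level, if_level and every <srcip> of each <rule>."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        nets = []
        for s in r.findall("srcip"):  # several <srcip> elements are allowed
            nets.extend(parse_srcip(s.text))
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_level": int(r.findtext("if_level", "0")),
            "srcip": nets,
        })
    return rules


def final_level(alert, rules):
    """Level an alert ends up with after the child rules are considered."""
    src = ipaddress.ip_address(alert["srcip"])
    for rule in rules:
        if alert["level"] < rule["if_level"]:
            continue  # if_level not satisfied (assumed >= semantics)
        if rule["srcip"] and not any(src in n for n in rule["srcip"]):
            continue  # source address not in the rule's srcip set
        return rule["level"]  # first matching child rule wins
    return alert["level"]


def emails(alert, rules, threshold=EMAIL_ALERT_LEVEL):
    """True if the alert still gets a mail under <email_alert_level>."""
    lvl = final_level(alert, rules)
    return lvl > 0 and lvl >= threshold


# Constructed alerts: level of the parent rule that fired, plus source IP.
SAMPLE_ALERTS = [
    {"level": 10, "srcip": "1.2.3.200"},    # inside the scanner's /24 -> silenced
    {"level": 10, "srcip": "1.2.4.1"},      # outside the /24 -> mailed
    {"level": 5,  "srcip": "1.2.3.200"},    # below if_level -> untouched, below 7 anyway
    {"level": 8,  "srcip": "192.168.2.2"},  # second IP of the '|' list -> silenced
    {"level": 8,  "srcip": "192.168.2.3"},  # not in the list -> mailed
]


def summarize(alerts=SAMPLE_ALERTS, xml_text=LOCAL_RULES):
    """(srcip, parent level, final level, mailed?) for each sample alert."""
    rules = load_rules(xml_text)
    return [(a["srcip"], a["level"], final_level(a, rules), emails(a, rules))
            for a in alerts]


if __name__ == "__main__":
    for src, lvl, fin, mail in summarize():
        print(f"{src:>14} level {lvl:2d} -> final {fin:2d}  email={'yes' if mail else 'no'}")
```

The point the simulation makes concrete: a /24 netmask silences every host in that range at level 7 and above, alerts below <if_level> pass through unchanged, and because the child rule is level 0 the suppressed events are dropped entirely rather than merely kept out of mail. If you want them logged but not mailed, give the child rule a non-zero level below <email_alert_level> instead of 0.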

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.