You also might try using a pipe (or). I use this for <match> to omit alerts from certain addresses.
<rule id="100001" level="0">
  <if_level>7</if_level>
  <srcip>192.168.2.1|192.168.2.2</srcip>
  <description>Ignoring rule any level above 7 from ip X.</description>
</rule>

On Tuesday, March 1, 2016 at 8:12:13 AM UTC-8, Jesus Linares wrote:
>
> Hi,
>
> I think your rule is proper. You can add another srcip field if you want:
>
> <rule id="100001" level="0">
>   <if_level>7</if_level>
>   <srcip>192.168.2.1</srcip>
>   <srcip>192.168.2.2</srcip>
>   <description>Ignoring rule any level above 7 from ip X.</description>
> </rule>
>
> If you want to send emails for severities above X level, you can use this
> configuration:
>
> <ossec_config>
>   <alerts>
>     <email_alert_level>X</email_alert_level>
>   </alerts>
> </ossec_config>
>
> Level 7 is the minimum alert level to send e-mail notifications.
>
> Documentation:
> http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.alerts.html#element-email_alert_level
>
> Also, check out this:
> http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.email_alerts.html#element-level
>
> *<alerts><email_alert_level>* overrides granular email alert levels:
> <email_alerts><level>. Individual rules can override this with the
> *alert_by_email* option.
>
> Regards.
> Jesus Linares.
>
>
>
> On Tuesday, March 1, 2016 at 3:02:19 PM UTC+1, calvin ratti wrote:
>>
>> Hi,
>>
>> I have a VA scanner which I have added in the Whitelist to prevent Active
>> Response from blocking the scans. What I also understand from here is that
>> to prevent email alerts, I should create a custom rule. Is the following
>> syntax proper or am I missing something:
>>
>> <rule id="100001" level="0">
>>   <if_level>7</if_level>
>>   <srcip>1.2.3.4/24</srcip>
>>   <description>Ignoring rule any level above 7 from Whitelisted
>>   IPs</description>
>> </rule>
>>
>> rule id is unique, we have configured to send email alerts only for level
>> 7 & above.
>>
>> -Cal
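
An added example, not part of any post in this thread and not OSSEC code: a Python sketch that shows how many source addresses a level-0 rule of this shape exempts when one srcip entry is a /24. The function names, the sample rule and alerts, and the matching model (rule applies when the earlier alert is at or above if_level and the source IP is inside any srcip entry) are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the rule shape from the thread, with one single-host
# entry and one CIDR entry written with host bits set, as in the question.
RULE_XML = """
<rule id="100001" level="0">
  <if_level>7</if_level>
  <srcip>192.168.2.1</srcip>
  <srcip>1.2.3.4/24</srcip>
  <description>Ignoring rule any level above 7 from ip X.</description>
</rule>
"""

def load_rule(xml_text):
    """Return (if_level, [networks]) for one <rule> element."""
    rule = ET.fromstring(xml_text)
    if_level = int(rule.findtext("if_level"))
    # strict=False masks host bits, so 1.2.3.4/24 becomes 1.2.3.0/24.
    nets = [ipaddress.ip_network(e.text.strip(), strict=False)
            for e in rule.findall("srcip")]
    return if_level, nets

def is_silenced(alert_level, src_ip, if_level, nets):
    """Assumed model: the level-0 rule applies when the earlier alert is at
    or above if_level and the source IP falls inside any srcip entry."""
    addr = ipaddress.ip_address(src_ip)
    return alert_level >= if_level and any(addr in n for n in nets)

def silenced_address_count(nets):
    """Total number of source addresses the rule exempts from alerting."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

if __name__ == "__main__":
    if_level, nets = load_rule(RULE_XML)
    # Constructed alerts: (level, source IP)
    for level, ip in [(10, "192.168.2.1"), (10, "1.2.3.200"),
                      (5, "192.168.2.1"), (10, "192.168.2.3")]:
        state = "silenced" if is_silenced(level, ip, if_level, nets) else "alerts"
        print(level, ip, state)
    print("addresses exempted:", silenced_address_count(nets))
```

If only the scanner host should be exempt, listing its single address keeps the exempted set to one source instead of the whole subnet.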