I did end up creating a specific crontab user for remote SSH connections, and here's how I excluded it from alerts, if anyone else is interested.
  <rule id="100202" level="3">
    <if_sid>5501</if_sid>
    <match>USERNAME</match>
    <options>no_email_alert</options>
    <description>Ignore rule 5501 for scheduled crontab user</description>
  </rule>

Kind regards,
Fredrik

On Monday 29 May 2017 at 09:52:41 UTC+2, Fredrik Hilmersson wrote:
>
> Hello, let me try to make myself understood. So I've got the part to
> ignore/exclude a specific IP to work, that's no problem. However, here's the
> issue/problem I'd like to solve.
>
> <rule id="100200" level="0">
>   <if_level>7</if_level>
>   <srcip>cronjobIP</srcip>
>   <description>Ignoring cronjobIP</description>
> </rule>
>
> 1. Ignore a specific IP which runs regular cronjobs and utilizes SSH (done).
> 2. The SSH rule triggers rule 5501, session opened for user X (in this
> case the IP which I want to ignore).
> 3. The SSH rule triggers rule 5502, session closed for user X (in this
> case the IP which I want to ignore).
>
> So, my question - besides ignoring the specific IP for rule 5715 (SSHD
> authentication success), is there a way to prevent step 1 from triggering
> steps 2 and 3?
>
> One option would obviously be to ignore the user and create a specific
> user for the certain cronjob.
>
> Kind regards,
> Fredrik
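A fuller local_rules.xml fragment for the same situation, added here as an example and not part of Fredrik's post or the OSSEC rule set: it keys the suppression on the decoded user field rather than a bare <match> (which would also hit any log line containing the name as a substring), and it keeps alerting when that account logs in from anywhere other than the cron host. The rule IDs, the user name cronbot and the address 192.0.2.10 are placeholders.

```xml
<!-- Added example for local_rules.xml. cronbot, 192.0.2.10 and the 1002xx IDs are placeholders. -->
<group name="local,syslog,sshd,">

  <!-- 1. Successful SSH authentication (5715) carries the source IP, so the
          cron account can be silenced only when it comes from the cron host. -->
  <rule id="100200" level="0">
    <if_sid>5715</if_sid>
    <srcip>192.0.2.10</srcip>
    <user>^cronbot$</user>
    <description>Expected SSH login of the cron user from the cron host</description>
  </rule>

  <!-- 2. The PAM session open/close lines (5501, 5502) have no source IP,
          so they can only be keyed on the decoded user. Anchoring with ^ and $
          keeps "cronbot" from also matching e.g. "cronbot2". -->
  <rule id="100202" level="0">
    <if_sid>5501,5502</if_sid>
    <program_name>^sshd$</program_name>
    <user>^cronbot$</user>
    <description>Cron user SSH session open/close (suppressed)</description>
  </rule>

  <!-- 3. The same account arriving from any other address still alerts,
          and louder than the default 5715 level. The negated srcip means
          this does not depend on rule 100200 being evaluated first. -->
  <rule id="100203" level="10">
    <if_sid>5715</if_sid>
    <srcip>!192.0.2.10</srcip>
    <user>^cronbot$</user>
    <description>Cron user SSH login from an unexpected source address</description>
  </rule>

</group>
```

Level 0 drops the matched events from alerts.log entirely; if you still want the cron sessions recorded for later review, use level 1 or above together with no_email_alert as in the rule above.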