Hello, let me try to make myself understood. So I've got the part to 
ignore/exclude a specific IP to work, that's no problem. However, here's my 
issue/problem I'd like to solve.

<rule id="100200" level="0">
 <if_level>7</if_level>
 <srcip>cronjobIP</srcip>
 <description>Ignoring cronjobIP</description>
</rule>

1. Ignore specific IP which runs regular cronjobs and utilizes SSH (done).
2. The SSH rule triggers rule 5501, session opened for user X (in this case 
the IP which I want to ignore).
3. The SSH rule triggers rule 5502, session closed for user X (in this case 
the IP which I want to ignore).

So, my question - besides ignoring the specific IP for rule 5715 (SSHD 
authentication success), is there a way to prevent step 1 from triggering 
steps 2 and 3?

One option would obviously be to ignore the user and create a specific user 
for the certain cronjob.

Kind regards,
Fredrik
