Hi all, this might be simple but I can't find a reference to it.
I'd like to exclude one source IP (or maybe its whole C-class) from being alerted on. (This host often runs Nessus scans, causing all sorts of alerts on the Apache servers.) It looks like the <white_list> tag in ossec.conf is only for active response, not alerting. So I suppose some condition should go into local_rules.xml. But what? There should be an <if_srcip> tag to make an exemption based on address(es), but there is no such tag. How could a source IP be completely excluded from alerting?

Thanks,
Kal

Kalman Dee
Canberra, Australia

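As an added example (not part of Kal's post, and not taken from the OSSEC project's own rule files), this is the usual shape of a local rule that silences alerts from a known scanner host: a rule at level 0 in local_rules.xml that matches on the source address. The rule id 100100, the scanner network 192.0.2.0/24 and the restriction to the "web" rule group are assumed placeholders; substitute your own values.

```xml
<!-- local_rules.xml: silence web alerts from a known vulnerability scanner.
     Added example, not OSSEC's own rules. Ids 100000-119999 are reserved
     for local rules; 100100 is a placeholder choice. -->
<group name="local,syslog,">

  <rule id="100100" level="0">
    <!-- Only fire for events that already matched a rule in the "web" group
         (Apache access-log rules). Adjust the group name to whichever
         rules are producing the noise; without if_group this rule would
         hide every event from that network, not just web alerts. -->
    <if_group>web</if_group>
    <!-- srcip accepts a single address or CIDR notation; 192.0.2.0/24 is a
         constructed placeholder for the scanner's network. -->
    <srcip>192.0.2.0/24</srcip>
    <description>Ignore web alerts from the authorised Nessus scanner network.</description>
  </rule>

</group>
```

A level 0 rule is the standard OSSEC way to discard an event: it is not written to alerts.log and no e-mail or active response is triggered. The trade-off is that a real attack launched from (or through) that network is silenced along with the scan noise, so keep the match as narrow as practical (a single host rather than a /24, and the specific group rather than all events) and remember that "was this address expected to be scanning?" is a question the rule cannot answer for you.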