I think in your alerts, you should retrieve the source IP. So, if you write a local alert with the tag match, it could be a solution for you, no? Of course, you have to include all alerts caused by this IP in the rule.... Not perfect..
On Wed, 3 Oct 2007 10:34:24 +1000, <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> this might be simple but I can't find a reference to it.
>
> I'd like to exclude one source IP (or maybe its whole C-class) from
> being alerted on.
>
> (This host often runs nessus scans, causing all sorts of alerts on the
> apache servers).
>
> It looks like the <white_list> tag in ossec.conf is only for active
> response, not alerting.
>
> So I suppose some condition should go into local_rules.xml. But what?
>
> There should be an <if_srcip> tag to make an exemption based on
> address(es), but there is no such tag.
>
> How could a source IP be completely excluded from alerting?
>
> Thanks,
> Kal
>
>
> Kalman Dee
> Canberra, Australia
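The kind of local rule the reply above is suggesting, written out as an added example (this is not code from the thread or from the OSSEC project). It assumes the scanner lives in 10.0.0.0/24 (a placeholder network), that rule ids 100100 and 100101 are free in your local_rules.xml, and that the Apache and web access-log rules in your installation carry the groups `apache` and `web`; check those group names against the rule files you actually have loaded.

```xml
<!-- local_rules.xml fragment: silence Apache/web alerts from a known scanner.
     Added example, not from the original thread. The network, the rule ids
     and the group names are assumptions; adjust them to your rule set. -->
<group name="local,">

  <!-- 10.0.0.0/24 stands in for the scanner's network (placeholder).
       <srcip> accepts a single address or an address with a netmask, so
       the whole class-C range from the question can be covered in one rule.
       OSSEC checks level-0 rules before higher-level ones, so an event that
       matches here is dropped instead of producing an alert. -->
  <rule id="100100" level="0">
    <if_group>apache</if_group>
    <srcip>10.0.0.0/24</srcip>
    <description>Ignore Apache error-log events from the Nessus scanner network.</description>
  </rule>

  <!-- Same idea for the access-log rules, which sit in a different group. -->
  <rule id="100101" level="0">
    <if_group>web</if_group>
    <srcip>10.0.0.0/24</srcip>
    <description>Ignore web access-log events from the Nessus scanner network.</description>
  </rule>

</group>
```

Two things to check before relying on this. First, `<srcip>` only matches when the decoder actually extracted a source IP from the log line; the stock Apache decoders do this, but a custom log format may not, and then the rule never fires. Second, verify the exemption with ossec-logtest (in the OSSEC bin directory): paste one of the offending Apache lines with the scanner's address and confirm the output reports the level-0 local rule rather than the original alert, then restart OSSEC so the rule is loaded. The trade-off the reply calls "not perfect" is real: a blanket level-0 rule on a group also hides genuine attacks that happen to come from that network, so keep the range as narrow as the scanner allows.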
