Hi Kalman,

A simple way to solve this is by creating a local rule ignoring whenever this IP is present in the log (in this case for every alert above level 6):

  <group name="local">
    <rule id="100101" level="0">
      <if_level>6</if_level>
      <match>ip.address</match>
      <description>Events ignored from ip</description>
    </rule>
  </group>

You can also use <srcip>ip address</srcip>, but in some cases it may not be decoded.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/2/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> this might be simple but I can't find a reference to it.
>
> I'd like to exclude one source IP (or maybe its whole C-class) from
> being alerted on.
>
> (This host often runs nessus scans, causing all sorts of alerts on the
> apache servers).
>
> It looks like the <white_list> tag in ossec.conf is only for active
> response, not alerting.
>
> So I suppose some condition should go into local_rules.xml. But what?
>
> There should be an <if_srcip> tag to make an exemption based on
> address(es), but there is no such tag.
>
> How could a source IP be completely excluded from alerting?
>
> Thanks,
> Kal
>
>
> Kalman Dee
> Canberra, Australia
>
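An added example (not from Daniel's reply or the OSSEC project) of the same local rule written for the whole /24 Kal asked about, using the srcip form instead of match; it assumes OSSEC accepts a netmask in <srcip> and that the Apache decoder extracts the source address, and 192.0.2.0/24 is a constructed placeholder network.

```xml
<!-- local_rules.xml: constructed example, not the rule from the reply above -->
<group name="local">
  <!-- Drop every event decoded from the scanner's network.
       Relies on the decoder filling in srcip; when it does not,
       fall back to <match> on the literal address as in the reply. -->
  <rule id="100102" level="0">
    <if_level>6</if_level>
    <srcip>192.0.2.0/24</srcip>  <!-- constructed placeholder network -->
    <description>Nessus scanner network, events ignored.</description>
  </rule>
</group>
```

After restarting OSSEC, a sample Apache line from that host can be fed to /var/ossec/bin/ossec-logtest to confirm the event now ends at level 0.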
