Ozgur, this rule tree should get you there if I understood your question correctly:

<rule id="100105" level="3">
  <if_level>3</if_level>
  <user>xxxx</user>
  <description>Ignoring user xxxx</description>
</rule>

<rule id="100107" level="0">
  <if_sid>100105</if_sid>
  <srcip>yyyy</srcip>
  <description>ignoring user xxxx from host yyyy</description>
</rule>

KR,
W

On 17 Mar 2010, at 16:39, Ozgur Ozdemircili wrote:

> Hi,
>
> As part of our monitoring system we have a monitoring server that
> is accessing the servers using the xxxx user. Every minute this user is
> entering the servers and checking the system health. Up to here everything is OK.
> As part of cleaning up the alerts I'm receiving from OSSEC, I added the
> following rules to local_rules.xml, which ignore user xxxx and IP yyyy.
>
> --- Ignore user xxxx ---
>
> <group name="local">
>   <rule id="100105" level="0">
>     <if_level>3</if_level>
>     <user>xxxx</user>
>     <description>Ignoring user xxxx</description>
>   </rule>
>
>   <rule id="100106" level="0">
>     <if_level>3</if_level>
>     <match>xxxx</match>
>     <description>Ignoring user xxxx</description>
>   </rule>
> </group>
>
> --- Ignore IP yyyy ---
>
> <group name="local">
>   <rule id="100107" level="0">
>     <if_level>3</if_level>
>     <srcip>yyyy</srcip>
>     <description>yyyy</description>
>   </rule>
>
>   <rule id="100108" level="0">
>     <if_level>3</if_level>
>     <match>yyyy</match>
>     <description>yyyy</description>
>   </rule>
> </group>
>
> That is working just fine. Now the question is: how can I ignore alerts IF the
> xxxx user is accessing from the yyyy host ONLY? In other words, if someone from a
> different IP uses the xxxx user to enter the servers, I want to get alerts.
>
> Hope it was informative enough.
>
> Thanks
>
> Özgür Özdemircili
> http://www.acikkod.org
> Code so clean you could eat off it
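Added example, not from either poster: a small Python model of how OSSEC walks the parent/child rule tree above, so you can see why the two-rule version alerts on user xxxx from any host other than yyyy. The evaluator is a deliberate simplification (it only understands if_level, if_sid, user and srcip), and the base rule id "base" and the sample events are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# The two rules from the reply above, embedded here as a constructed sample.
RULES_XML = """<group name="local">
  <rule id="100105" level="3"><if_level>3</if_level><user>xxxx</user>
    <description>Ignoring user xxxx</description></rule>
  <rule id="100107" level="0"><if_sid>100105</if_sid><srcip>yyyy</srcip>
    <description>ignoring user xxxx from host yyyy</description></rule>
</group>"""


def load_rules(xml_text):
    """Parse only the subset of OSSEC rule elements this model understands."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_level": r.findtext("if_level"),
            "if_sid": r.findtext("if_sid"),
            "user": r.findtext("user"),
            "srcip": r.findtext("srcip"),
            "description": r.findtext("description"),
        })
    return rules


def evaluate(rules, event, base_id, base_level):
    """Approximation of OSSEC's rule-tree walk (not the real engine).
    event holds the decoded 'user' and 'srcip'; base_id/base_level describe the
    generic rule that already matched the log line. A rule is eligible when its
    if_level is satisfied by the level matched so far, or its if_sid names the
    rule matched so far; the last eligible rule whose fields match sets the level."""
    current = {"id": base_id, "level": base_level, "description": "generic rule"}
    for rule in rules:
        eligible = ((rule["if_level"] is not None and current["level"] >= int(rule["if_level"]))
                    or (rule["if_sid"] is not None and current["id"] == rule["if_sid"]))
        if not eligible:
            continue
        if rule["user"] is not None and event.get("user") != rule["user"]:
            continue  # parent requires the monitoring user
        if rule["srcip"] is not None and event.get("srcip") != rule["srcip"]:
            continue  # child only silences the known monitoring host
        current = rule
    return current


RULES = load_rules(RULES_XML)
```

A level 0 result means OSSEC drops the event; user xxxx from any other source IP stops at rule 100105 (level 3) and is still logged.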
