I found this but I don't want to have to list each IP address.  Is there a
way to do a range?

Ignoring a specific IP


If you want to ignore a specific IP, say of your security scanner, you can
add a simple local rule to ignore that IP (or list of IPs) for every alert.

1- Edit /var/ossec/rules/local_rules.xml and add at the bottom:


Single IP Address:


<group name="local">
 <rule id="100101" level="0">
   <if_level>3</if_level>
   <srcip>192.168.2.1</srcip>
   <description>Ignoring ip 192.168.2.1</description>
 </rule>

 <!-- We need to use "match" if the IP is not being decoded -->
 <rule id="100102" level="0">
   <if_level>3</if_level>
   <match>192.168.2.1</match>
   <description>Ignoring ip 192.168.2.1</description>
 </rule>
</group>



Multiple IP Addresses:


<group name="local">
 <rule id="100101" level="0">
   <if_level>3</if_level>
   <srcip>192.168.2.1</srcip>
   <srcip>192.168.2.2</srcip>
   <srcip>192.168.2.3</srcip>
   <description>Ignoring ip 192.168.2.1, 192.168.2.2, 192.168.2.3</description>
 </rule>
</group>
____________________________________________
Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty
Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI  53202 USA | 1.414.347.6271 |
1.888.601.4440 | [email protected]


“Accomplishing the impossible means only that your boss will add it to your
regular duties”  Doug Larson
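
An added example, not part of the original message or of OSSEC itself: a small generator that turns an address range into the fewest `<srcip>` entries for a rule laid out like the ones quoted above. It assumes `<srcip>` accepts CIDR blocks as well as single addresses, as the OSSEC rule syntax documentation describes, and that repeated `<srcip>` elements behave as in the multiple-address rule above; the function names and the sample range are hypothetical.

```python
import ipaddress
from xml.sax.saxutils import escape


def range_to_srcip_values(first, last):
    """Return the fewest address/CIDR strings that cover first..last inclusive."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    if start.version != end.version:
        raise ValueError("range endpoints must both be IPv4 or both IPv6")
    if start > end:
        raise ValueError("first address is above last address")
    values = []
    for net in ipaddress.summarize_address_range(start, end):
        # A one-address block is written as a bare IP, as in the rules above.
        if net.num_addresses == 1:
            values.append(str(net.network_address))
        else:
            values.append(str(net))
    return values


def build_ignore_rule(rule_id, first, last, if_level=3):
    """Render a level-0 local rule in the layout used by the rules above."""
    lines = ['<group name="local">',
             ' <rule id="%d" level="0">' % rule_id,
             '   <if_level>%d</if_level>' % if_level]
    for value in range_to_srcip_values(first, last):
        lines.append('   <srcip>%s</srcip>' % escape(value))
    lines.append('   <description>Ignoring range %s-%s</description>'
                 % (escape(first), escape(last)))
    lines += [' </rule>', '</group>']
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample range; 100101 is the rule id used in the message above.
    print(build_ignore_rule(100101, "192.168.2.10", "192.168.2.20"))
```

A range that does not fall on a CIDR boundary expands to several blocks, so review the generated entries before adding them: every address they cover is silenced for all alerts at or above the `if_level` value.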
