Hi Michael,

You can specify a subnet in there. For example:

<srcip>192.168.2.0/24</srcip>

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Apr 2, 2010 at 4:37 PM, Michael Barrett wrote:
> I found this but I don't want to have to list each IP address. Is there a
> way to do a range?
>
> Ignoring a specific IP
>
> If you want to ignore a specific IP, say of your security scanner, you can
> add a simple local rule to ignore that ip (or list of IPs) for every alert.
>
> 1- Edit /var/ossec/rules/local_rules.xml and add at the bottom:
>
> Single IP Address:
>
> <group name="local">
>   <rule id="100101" level="0">
>     <if_level>3</if_level>
>     <srcip>192.168.2.1</srcip>
>     <description>Ignoring ip 192.168.2.1</description>
>   </rule>
>
>   <!-- We need to use "match" if the IP is not being decoded -->
>   <rule id="100102" level="0">
>     <if_level>3</if_level>
>     <match>192.168.2.1</match>
>     <description>Ignoring ip 192.168.2.1</description>
>   </rule>
> </group>
>
> Multiple IP Address:
>
> <group name="local">
>   <rule id="100101" level="0">
>     <if_level>3</if_level>
>     <srcip>192.168.2.1</srcip>
>     <srcip>192.168.2.2</srcip>
>     <srcip>192.168.2.3</srcip>
>     <description>Ignoring ip 192.168.2.1, 192.168.2.2, 192.168.2.3</description>
>   </rule>
> </group>
>
> ____________________________________________
> Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty
> Insurance Corporation
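
An added example, not part of the original thread and not OSSEC code: a small Python audit helper that reads level-0 "ignore" rules like the ones quoted above, including the subnet form from the reply, and reports which rules silence a given source address and how many addresses each rule covers. The rule file content, rule ids 100103 and 100104, and all function names are constructed for illustration; it only interprets <srcip> values that are a plain IP or a CIDR block.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: rule 100101 uses the subnet form from the reply.
SAMPLE_RULES = """
<group name="local">
  <rule id="100101" level="0">
    <if_level>3</if_level>
    <srcip>192.168.2.0/24</srcip>
    <description>Ignoring subnet 192.168.2.0/24</description>
  </rule>
  <rule id="100103" level="0">
    <if_level>3</if_level>
    <srcip>10.0.0.5</srcip>
    <srcip>10.0.0.6</srcip>
    <description>Ignoring two scanners</description>
  </rule>
  <rule id="100104" level="5">
    <srcip>192.168.3.1</srcip>
    <description>Not an ignore rule (level is not 0)</description>
  </rule>
</group>
"""

def ignore_networks(rules_xml):
    """Map rule id -> list of networks for every level-0 rule with <srcip>."""
    # Rule files may hold several top-level <group> elements, so wrap them.
    root = ET.fromstring("<root>" + rules_xml + "</root>")
    found = {}
    for rule in root.iter("rule"):
        if rule.get("level") != "0":
            continue
        nets = []
        for entry in rule.findall("srcip"):
            try:
                nets.append(ipaddress.ip_network((entry.text or "").strip(), strict=False))
            except ValueError:
                pass  # not a plain IP/CIDR value; outside this helper's scope
        if nets:
            found[rule.get("id")] = nets
    return found

def rules_ignoring(rules_xml, addr):
    """Ids of level-0 rules whose <srcip> entries cover addr."""
    ip = ipaddress.ip_address(addr)
    nets_by_rule = ignore_networks(rules_xml)
    return sorted(rid for rid, nets in nets_by_rule.items() if any(ip in n for n in nets))

def suppressed_count(rules_xml):
    """Number of source addresses each level-0 rule silences."""
    return {rid: sum(n.num_addresses for n in nets)
            for rid, nets in ignore_networks(rules_xml).items()}
```

Running suppressed_count over local_rules.xml after a change shows how wide each ignore rule has become, which is worth checking whenever a single scanner IP is replaced by a subnet.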
