Awesome Thanks ____________________________________________ Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 | 7 1.888.601.4440 | * [email protected]
“Accomplishing the impossible means only that your boss will add it to your regular duties” Doug Larson This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message. |------------> | From: | |------------> >--------------------------------------------------------------------------------------------------------------------------------------------------| |Daniel Cid <[email protected]> | >--------------------------------------------------------------------------------------------------------------------------------------------------| |------------> | To: | |------------> >--------------------------------------------------------------------------------------------------------------------------------------------------| |[email protected] | >--------------------------------------------------------------------------------------------------------------------------------------------------| |------------> | Date: | |------------> >--------------------------------------------------------------------------------------------------------------------------------------------------| |04/06/2010 01:27 PM | >--------------------------------------------------------------------------------------------------------------------------------------------------| |------------> | Subject: | |------------> >--------------------------------------------------------------------------------------------------------------------------------------------------| |Re: [ossec-list] Is there a way to specify a range or subnet of IP addresses? | >--------------------------------------------------------------------------------------------------------------------------------------------------| |------------> | Sent by: | |------------> >--------------------------------------------------------------------------------------------------------------------------------------------------| |[email protected] | >--------------------------------------------------------------------------------------------------------------------------------------------------| Hi Michael, You can specify a subnet in there. For example: <srcip>192.168.2.0/24</srcip> Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Fri, Apr 2, 2010 at 4:37 PM, Michael Barrett <[email protected]> wrote: > I found this but I don't want to have to list each IP address. Is there a > way to do a range? > > Ignoring a specific IP > > > If you want to ignore a specific IP, say of your security scanner, you can > add a simple local rule > to ignore that ip (or list of IPs) for every alert. > 1- Edit /var/ossec/rules/local_rules.xml and add at the bottom: > > > Single IP Address: > > > <group name="local"> > <rule id="100101" level="0"> > <if_level>3</if_level> > <srcip>192.168.2.1</srcip> > <description>Ignoring ip 192.168.2.1</description> > </rule> > > <!-- We need to use "match" if the IP is not being decoded --> > <rule id="100102" level="0"> > <if_level>3</if_level> > <match>192.168.2.1</match> > <description>Ignoring ip 192.168.2.1</description> > </rule> > </group> > > > > Multiple IP Address: > > > <group name="local"> > <rule id="100101" level="0"> > <if_level>3</if_level> > <srcip>192.168.2.1</srcip> > <srcip>192.168.2.2</srcip> > <srcip>192.168.2.3</srcip> > <description>Ignoring ip 192.168.2.1, 192.168.2.2, > 192.168.2.3</description> > </rule> > </group> > ____________________________________________ > Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty > Insurance Corporation > 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 | 7 > 1.888.601.4440 | * [email protected] > > > “Accomplishing the impossible means only that your boss will add it to your > regular duties” Doug Larson > > This message is intended for use only by the person(s) addressed above and > may contain privileged and confidential information. Disclosure or use of > this message by any other person is strictly prohibited. If this message is > received in error, please notify the sender immediately and delete this > message. > > -- > To unsubscribe, reply using "remove me" as the subject. >
