Hey guys, so I noticed this while running an internal Nessus scan on the network. Apparently AR kicked in because certain rules fired (5712 to be exact) which are not host-specific, and ended up null-routing the Nessus scanner machine on the defined agents I have set up for AR.
Anyway, I just came across this: http://www.ossec.net/wiki/Know_How:Ignore_Rules
Can I add multiple hostnames delimited by "," or "|" so that the rules (and subsequently the ARs) will fire only on the hosts of origin? I would use "local" but I want AR to occur on a subset of my agents (not all of them). Unless there's another way to do this. Any ideas?
