I'd say use whitelist. and add your scannser IP in whitelist I have same issue and and i guess that is only option we have.
On Thu, Mar 3, 2011 at 4:21 PM, jplee3 <[email protected]> wrote: > Hey guys, > > So I noticed this while running an internal Nessus scan on the > network. Apparently AR kicked in because certain rules fired (5712 to > be exact) which are not host-specific and ended up null-routing the > Nessus scanner machine on the defined-agents I have setup for AR. > > Anyway, I just came across this - > http://www.ossec.net/wiki/Know_How:Ignore_Rules > > > Can I add multiple hostnames delimited by "," or "|" so that the rules > (and subsequently the ARs) will fire only on the hosts of origin? > > I would use "local" but I want AR to occur on a subset of my agents > (not all of them). > > Unless there's another way to do this. > > Any ideas?
