Ah I didn't realize at first that you were trying to ignore an entire subnet. It's making more sense now. So the machine actually reporting the alert is monitoring the subnet?
Did you reference this? http://www.ossec.net/wiki/Know_How:Ignore_Rules#Ignoring_a_specific_IP

Maybe try with just srcip and with just match but not both together.

On Thu, Mar 3, 2011 at 5:45 PM, Lars Oberg <[email protected]> wrote:
> Okay just tried that, but did not help (and hostname would've been
> cumbersome to use to specify a whole subnet).
>
> Other suggestions? I really need a solution to this.
>
> On 3/3/2011 5:10 PM, Jeremy Lee wrote:
>
> try using the <hostname> attribute instead of match and srcip.
>
> On Thu, Mar 3, 2011 at 4:19 PM, Lars <[email protected]> wrote:
>
>> I just installed ossec for the first time, and I'm getting certain
>> e-mail alerts that I cannot seem to figure out how to stop.
>>
>> ------ Here is one of the alerts:
>> OSSEC HIDS Notification.
>> 2011 Mar 03 13:46:25
>>
>> Received From: (pos-vm) 10.1.1.152->ossec
>> Rule: 503 fired (level 3) -> "Ossec agent started."
>> Portion of the log(s):
>>
>> ossec: Agent started: 'pos-vm->10.1.1.152'.
>>
>> --END OF NOTIFICATION
>>
>> ------ Here is the rule I added to local_rules.xml:
>> <rule id="100201" level="2">
>>   <if_sid>503</if_sid>
>>   <match>10.1.1.152</match>
>>   <srcip>10.1.1.152</srcip>
>>   <options>no_email_alert</options>
>>   <description>No e-mail alerts when work stations start up.</description>
>> </rule>
>>
>> I have restarted ossec on the server and there are no error messages
>> or warnings, but when I reboot 10.1.1.152, I still get the alert
>> e-mail. I originally tried with srcip, but since that field isn't
>> decoded by this rule, I also added match, but that didn't work either
>> (and what I really need is probably regex, since I need to exclude a
>> large number of workstations).
>>
>> Some background: I have about 100 Linux workstations that are only
>> used day-time, so they are shut down every evening and turned back on
>> again every morning. These are perfectly normal events, and I do not
>> want to get flooded with e-mails every time it happens.
>>
>> ------ Here is an entry from the alert log:
>> ** Alert 1299196351.188961: mail - ossec,
>> 2011 Mar 03 15:52:31 (pos-vm) 10.1.1.152->ossec
>> Rule: 503 (level 3) -> 'Ossec agent started.'
>> Src IP: (none)
>> User: (none)
>> ossec: Agent started: 'pos-vm->10.1.1.152'.
>>
>> What do I need to do to solve this?
>>
>> Thanks,
>> Lars
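As an added illustration (not a rule posted by anyone in this thread) of the "match only, no srcip" variant suggested above, applied to the whole 10.1.1.0/24 subnet rather than a single host: the alert log shows "Src IP: (none)" for rule 503, so a <srcip> condition can never be satisfied on that event, and the child rule has to key on the literal text of the log line instead. The example assumes OSSEC treats <match> as a plain substring comparison, so the dots are literal and the "->" prefix keeps "10.1.1." from matching a longer octet such as "10.1.10."; the rule id, level, and the ossec-logtest check are the author's assumptions, not from the thread.

```xml
<!-- Added example for local_rules.xml; rule id 100201 and level 2 are assumed values. -->
<group name="local,syslog,">

  <!-- Child of the stock "Ossec agent started" rule (503). -->
  <rule id="100201" level="2">
    <if_sid>503</if_sid>

    <!-- Substring match on the log text itself, since rule 503 does not
         decode a source IP (the alert log shows "Src IP: (none)").
         "->10.1.1." matches any agent whose reported address is 10.1.1.x
         and does not match e.g. "->10.1.10.5" or "->110.1.1.5". -->
    <match>->10.1.1.</match>

    <!-- Keep the event in alerts.log for audit, but stop the e-mail. -->
    <options>no_email_alert</options>

    <description>Workstation agent on 10.1.1.0/24 started (expected daily power-on); e-mail suppressed.</description>
  </rule>

</group>

<!-- Verify before reloading (assumed standard install path):
       /var/ossec/bin/ossec-logtest
     then paste the raw line from the alert:
       ossec: Agent started: 'pos-vm->10.1.1.152'.
     The output should show rule 100201 firing instead of 503.
     A line such as   ossec: Agent started: 'srv->10.1.10.7'.
     should still report rule 503, confirming the match does not over-reach. -->
```

Because the rule only suppresses the e-mail and keeps the alert, the agent start/stop history for the subnet remains available in alerts.log if it is ever needed for an investigation; if a server on the same subnet should still page someone, give it its own higher-priority child rule with a more specific <match> on its hostname.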
