Hi all,
I'd like to suppress a rule by source IP, so I put the following
inside local_rules.xml:
    <rule id="100203" level="0">
      <if_sid>18149</if_sid>
      <srcip>!192.168.1.5</srcip>
      <srcip>!192.168.1.6</srcip>
      <srcip>!192.168.1.7</srcip>
      <srcip>!192.168.1.8</srcip>
      <srcip>!192.168.1.9</srcip>
    </rule>
I restarted OSSEC (v2.5.1 on Ubuntu 10.04 LTS) and verified my rule
parsed correctly, but I still get alerts for IPs not in that list.
When I search for alerts in the web UI, it says "Showing 123 alert(s)
from srcip (none)", which seems to imply that the decoder isn't filling
the srcip field correctly.
Is there another way to filter this rule by source IP?
Thanks,
- Joe
--
Joseph S. Testa II | Senior Security Consultant
Positron Security, LLC.
http://www.positronsecurity.com/
Phone: (585) 643-5900
AIM / Skype / Twitter: TheRealJoeTesta
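A way to confirm the suspicion in the post above, added here as an example and not part of the original message: feed the raw log line that triggers rule 18149 through ossec-logtest and check whether the decoding phase actually produced a srcip field, since a <srcip> condition in a rule (negated or not) can only be evaluated against that decoded value. The script assumes the default binary path /var/ossec/bin/ossec-logtest and the "**Phase 2: Completed decoding." / "field: 'value'" output layout; the two sample outputs embedded in it are constructed, not captured from the poster's system.

```python
"""Check whether OSSEC's decoder fills the srcip field for a given log line.

Added example; assumes a default OSSEC install (LOGTEST_PATH) and the
Phase 1/2/3 output layout that ossec-logtest prints. The sample outputs
below are constructed for illustration.
"""
import os
import re
import subprocess
from typing import Dict, Optional

LOGTEST_PATH = "/var/ossec/bin/ossec-logtest"  # assumption: default install path

# Decoded fields are printed one per line as "       name: 'value'" (assumed layout)
_FIELD_RE = re.compile(r"^\s*(\w+):\s*'(.*)'\s*$")


def decoded_fields(logtest_output: str) -> Dict[str, str]:
    """Return the name/value pairs printed in the decoding phase (Phase 2)."""
    fields: Dict[str, str] = {}
    in_phase2 = False
    for line in logtest_output.splitlines():
        if line.startswith("**Phase 2:"):
            in_phase2 = True
            continue
        if line.startswith("**Phase 3:"):
            break  # rule matching starts here; decoding is finished
        if in_phase2:
            m = _FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
    return fields


def srcip_extracted(logtest_output: str) -> Optional[str]:
    """Return the decoded srcip, or None when the decoder did not fill it."""
    return decoded_fields(logtest_output).get("srcip")


def report(logtest_output: str) -> str:
    """Human-readable verdict on whether <srcip> rule conditions can work."""
    ip = srcip_extracted(logtest_output)
    if ip is None:
        return ("srcip NOT decoded: <srcip> conditions in rules cannot match "
                "this event; fix or add a decoder first")
    return f"srcip decoded as {ip}: <srcip> conditions can be evaluated"


def run_logtest(log_line: str) -> str:
    """Run one raw log line through ossec-logtest and return its output."""
    if not os.path.exists(LOGTEST_PATH):
        raise FileNotFoundError(f"{LOGTEST_PATH} not found; is OSSEC installed here?")
    proc = subprocess.run([LOGTEST_PATH], input=log_line + "\n",
                          capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


# Constructed sample: a decoder that fills srcip.
SAMPLE_WITH_SRCIP = """**Phase 1: Completed pre-decoding.
       full event: 'Nov  5 10:00:00 host sshd[123]: Failed password for root from 192.168.1.5 port 22 ssh2'
       hostname: 'host'
       program_name: 'sshd'

**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'root'
       srcip: '192.168.1.5'

**Phase 3: Completed filtering (rules).
       Rule id: '5716'
       Level: '5'
"""

# Constructed sample: the decoder matched but extracted no srcip,
# which is the situation the web UI's "srcip (none)" points at.
SAMPLE_WITHOUT_SRCIP = """**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_FAILURE(529): Logon Failure'
       hostname: 'host'
       program_name: '(null)'

**Phase 2: Completed decoding.
       decoder: 'windows'

**Phase 3: Completed filtering (rules).
       Rule id: '18149'
       Level: '5'
"""

if __name__ == "__main__":
    print(report(SAMPLE_WITH_SRCIP))
    print(report(SAMPLE_WITHOUT_SRCIP))
    # On a real host: print(report(run_logtest("<raw line from the agent log>")))
```

If the verdict is "srcip NOT decoded", a rule-level <srcip> filter has nothing to compare against, and the fix belongs in the decoder (extracting the IP into the srcip field) rather than in local_rules.xml.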