Dear All,
We use the SRCIP Field to specify the priority of alerts.
If an alert is generated by a Private IP address this is generated in
our ticketing system as a Medium alert.
If it is anything else, this is cut as a high. This should mean that
any public IP address is seen as a high Incident.
A problem has arisen with the fact that we are seeing one type of
incident generated by one server whereby the Hostname is passed
through to the SRCIP field.
So, I should be able to suppress this in my local rules, but when I
create a rule such as:
<rule id="100326" level="5">
  <if_sid>xxxx</if_sid>
  <srcip>server1</srcip>
  <description>Suppress Alerts from Server</description>
</rule>
I get the following error on restart:
2011/08/01 08:49:47 ossec-analysisd(1237): ERROR: Invalid ip address:
'server1'
Is there any way I can either make sure this field is only an IP
address, or use a hostname in the srcip field?
Thanks
Pip
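As an added illustration of the priority logic described in the post (not code from the poster or from OSSEC): a small classifier that applies the same private-IP/public-IP rule to the srcip value, and flags a value that is not an IP at all, such as a hostname, so it is handled explicitly instead of silently becoming a high-priority ticket. The function names, the sample alert lines and the IP values are constructed for this example.

```python
import ipaddress
from collections import defaultdict


def classify_srcip(srcip: str) -> str:
    """Map an alert's srcip value to a ticket priority.

    Policy from the post: private IP -> "medium", any other IP -> "high".
    A value that does not parse as an IP (e.g. a hostname leaking into the
    field) is reported as "invalid" rather than defaulting to "high".
    """
    try:
        addr = ipaddress.ip_address(srcip.strip())
    except ValueError:
        return "invalid"
    # ipaddress.is_private covers RFC 1918 / ULA space and also loopback,
    # link-local and other non-global reserved ranges.
    if addr.is_private:
        return "medium"
    return "high"


def triage(alerts):
    """Group (alert_id, srcip) pairs by the priority they would receive."""
    buckets = defaultdict(list)
    for alert_id, srcip in alerts:
        buckets[classify_srcip(srcip)].append(alert_id)
    return dict(buckets)


# Constructed sample alerts; "8.8.8.8" stands in for an arbitrary public
# address and "server1" reproduces the hostname-in-SRCIP case.
SAMPLE_ALERTS = [
    ("a1", "10.0.0.5"),
    ("a2", "192.168.1.10"),
    ("a3", "8.8.8.8"),
    ("a4", "server1"),
]

if __name__ == "__main__":
    for prio, ids in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{prio}: {ids}")
```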