Maybe you can play with <srcip> within a local rule, and overwrite the
alert level to fit your needs.
For example, modify the following:
<rule id="100303" level="0">
  <if_level>4</if_level>
  <srcip>192.168.2.1</srcip>
</rule>

On Tuesday, August 7, 2012 2:53:57 PM UTC-7, Kat wrote:
>
> Ok, here is a tricky one I can't figure out..
>
> I have a simple rule with an ignore=7200 so it does not fire too much.
> BUT, what if I only want to set the ignore PER HOST? In other words, if it
> triggers on another host it should alert then set the ignore timer. Yeah, I
> am not aware of a clean/simple way to do this..
>
> Any ideas?
>