Hello all, I have an ubuntu-server here with ossec 2.7; ossec-wui is also installed. I'm getting alerts that I want to ignore and want to edit the local_rules.xml file. But in ossec-wui there is this curious event entry:

2012 Dec 27 18:37:21 Rule Id: 9701 <http://www.ossec.net/wiki/index.php/Rule:9701> level: 3
Location: (willy) 212.144.241.130->/var/log/syslog
Src IP: 8:37:21
willy dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, mpid=10274, TLS

Doing an exception will not work in local_rules.xml because I'm getting such hex values: Src IP: 8:37:21, and these values are changing. BTW, the events are all from the same source! And IP6 is off, and it doesn't look like an ip6-address.

Can someone enlighten me as to what these values are? And help me make an exception for these events?

tia
Stefan
