On Dec 27, 2012 12:57 PM, "Stefan" <[email protected]> wrote:
>
> Hello all,
>
> I'm having here ubuntu-server, ossec 2.7, ossec-wui is also installed. I'm having alerts that I want to ignore and want to edit the local_rules.xml file.
> But in ossec wui there is such a curious event entry:
>
> 2012 Dec 27 18:37:21 Rule Id: 9701 level: 3
> Location: (willy) 212.144.241.130->/var/log/syslog
> Src IP: 8:37:21 willy dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, mpid=10274, TLS
>
> Doing an exception will not work in local_rules.xml because I'm having such hex values: Src IP: 8:37:21 and these values are changing. Btw, the events are all from the same source! And IP6 is off and it doesn't look like an ip6-address.
>

8:37:21 is part of your timestamp. Looks like you're using the broken wui.

> Can someone enlighten me what these values are? And help me doing an exception for those events?
>
> tia
> Stefan
