I tested the ignore local rule by modifying "rules/local_rules.xml"
The following works as expected -- no more alerts matching rule id 5715 and
srcIP 10.2.3.4
  <rule id="100002" level="0">
    <if_sid>5715</if_sid>
    <srcip>10.2.3.4</srcip>
    <description>Example of rule that will ignore sshd </description>
    <description>failed logins from IP 10.2.3.4.</description>
  </rule>
However, if I remove the <if_sid> line completely, it does not work ---
alerts from 10.2.3.4 still show up.
Suggest putting <if_sid> in your local_rules.xml and testing it again.
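As an added check (example code written for this thread, not part of OSSEC or anyone's post here), the script below parses a local_rules.xml and flags every rule that filters on <srcip> or <dstip> without being chained to a parent via <if_sid>, <if_group>, <if_matched_sid> or <if_matched_group>, which is exactly the shape of rule this thread found does not suppress alerts. The sample rules file is constructed from the two rules quoted in the thread; the function names and the PARENT_TAGS list are this example's own choices.

```python
"""Lint an OSSEC local_rules.xml for IP-only rules that have no parent rule.

Example code for this thread, not OSSEC's own tooling. The sample rules
below are constructed from the rules quoted in the discussion.
"""
import sys
import xml.etree.ElementTree as ET

# Rule options that chain a rule to a parent (real OSSEC rule options).
PARENT_TAGS = ("if_sid", "if_group", "if_matched_sid", "if_matched_group")
# Rule options that filter on an address.
IP_TAGS = ("srcip", "dstip")

# Constructed sample: the first rule is the one the thread reports as working,
# the second is the srcip-only rule that does not suppress anything.
SAMPLE_LOCAL_RULES = """
<group name="local,syslog,">
  <rule id="100002" level="0">
    <if_sid>5715</if_sid>
    <srcip>10.2.3.4</srcip>
    <description>Example of rule that will ignore sshd </description>
    <description>failed logins from IP 10.2.3.4.</description>
  </rule>
  <rule id="100031" level="0">
    <srcip>10.2.3.4</srcip>
    <description>Ignoring traffic</description>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Return every <rule> element in an OSSEC rules file.

    OSSEC rule files may hold several top-level <group> elements, so the text
    is wrapped in a synthetic root before parsing. A leading XML declaration,
    if present, is dropped because it cannot follow the synthetic root tag.
    """
    lines = xml_text.lstrip().splitlines()
    if lines and lines[0].startswith("<?xml"):
        lines = lines[1:]
    root = ET.fromstring("<ossec_rules>" + "\n".join(lines) + "</ossec_rules>")
    return list(root.iter("rule"))


def lint_rules(xml_text):
    """Return a list of (rule_id, message) for rules that match on srcip/dstip
    but are not chained to a parent rule."""
    findings = []
    for rule in parse_rules(xml_text):
        rule_id = rule.get("id", "?")
        # find() only looks at direct children, which is what we want here.
        ip_tags = [t for t in IP_TAGS if rule.find(t) is not None]
        if not ip_tags:
            continue
        if any(rule.find(t) is not None for t in PARENT_TAGS):
            continue
        findings.append((rule_id, "%s used without any of %s; add a parent rule"
                         % ("/".join(ip_tags), ", ".join(PARENT_TAGS))))
    return findings


if __name__ == "__main__":
    # Usage: python lint_rules.py /var/ossec/rules/local_rules.xml
    # With no argument the constructed sample above is linted instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOCAL_RULES
    for rule_id, msg in lint_rules(text):
        print("rule %s: %s" % (rule_id, msg))
```

Run against the constructed sample it reports only rule 100031. The lint is a static check; to confirm what a rule actually does, feed the offending log line to /var/ossec/bin/ossec-logtest and look at which rule id it reports in the final phase.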
On Thursday, March 7, 2013 7:51:04 PM UTC-8, Michael Lubinski wrote:
>
> Yeah. So at least I'm not crazy then. Can anyone else confirm this
> behavior?
>
> On Thu, Mar 7, 2013 at 9:48 PM, dan (ddpbsd) <[email protected]> wrote:
>
>>
>>
>> On Thursday, March 7, 2013 10:43:35 PM UTC-5, Michael Lubinski wrote:
>>>
>>> So using srcip in this way won't work?
>>>
>>>
>> Your initial email suggests that this does not work.
>>
>>
>>> On Thu, Mar 7, 2013 at 9:41 PM, dan (ddpbsd) <[email protected]> wrote:
>>>
>>>>
>>>>
>>>> On Thursday, March 7, 2013 10:32:51 PM UTC-5, Michael Lubinski wrote:
>>>>>
>>>>> Sorry, I'm new to OSSEC.
>>>>>
>>>>>
>>>>> I don't want to see logs generated by my scanner so TO and FROM the
>>>>> scanner IP. How can I tell where the process is breaking down?
>>>>>
>>>>>
>>>> Easier said than done. Take each log message you don't want to see and
>>>> create an ignore rule for it. It's a pain really.
>>>>
>>>>
>>>>>
>>>>> On Thu, Mar 7, 2013 at 9:30 PM, dan (ddp) <[email protected]> wrote:
>>>>>
>>>>>> On Thu, Mar 7, 2013 at 10:20 PM, Michael Lubinski
>>>>>> <[email protected]> wrote:
>>>>>> > I cannot get a custom rule to work, a simple src or dst IP rule.
>>>>>> > Whenever I try to add srcip to a rule it's like the rule doesn't
>>>>>> > work. Here is an example
>>>>>> >
>>>>>> > <rule id="100031" level="0">
>>>>>> > <srcip>x.x.x.x</srcip>
>>>>>> > <description>Ignoring traffic</description>
>>>>>> > </rule>
>>>>>> >
>>>>>> >
>>>>>>
>>>>>> What is the ultimate goal? Is srcip being decoded properly? What log
>>>>>> message is getting through that you don't want to see? Why do I have
>>>>>> to ask you to provide this information?
>>>>>>
>>>>>> > --
>>>>>> >
>>>>>> > ---
>>>>>> > You received this message because you are subscribed to the Google
>>>>>> Groups
>>>>>> > "ossec-list" group.
>>>>>> > To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an
>>>>>> > email to ossec-list+...@googlegroups.com.
>>>>>>
>>>>>> > For more options, visit https://groups.google.com/groups/opt_out.
>>>>>> >
>>>>>> >
>>>>>>
>>>
>
>