My rule looks like this:

    <rule id="100030" level="0">
      <if_sid>18149</if_sid>
      <srcip>X.X.X.X</srcip>
      <description>Ignored from X</description>
    </rule>

I have it inside the default group, <group name="local,syslog,">. Is it something with that?

On Fri, Mar 8, 2013 at 1:19 PM, Jb Cheng <[email protected]> wrote:
> I tested the ignore local rule by modifying "rules/local_rules.xml".
> The following works as expected -- no more alerts matching rule id 5715
> and srcIP 10.2.3.4:
>
>     <rule id="100002" level="0">
>       <if_sid>5715</if_sid>
>       <srcip>10.2.3.4</srcip>
>       <description>Example of rule that will ignore sshd </description>
>       <description>failed logins from IP 10.2.3.4.</description>
>     </rule>
>
> However, if I remove the <if_sid> line completely, it does not work ---
> alerts from 10.2.3.4 still show up.
>
> Suggest putting <if_sid> in your local_rules.xml and test it again.
>
> On Thursday, March 7, 2013 7:51:04 PM UTC-8, Michael Lubinski wrote:
>> Yeah. So at least I'm not crazy then. Can anyone else confirm this
>> behavior?
>>
>> On Thu, Mar 7, 2013 at 9:48 PM, dan (ddpbsd) <[email protected]> wrote:
>>> On Thursday, March 7, 2013 10:43:35 PM UTC-5, Michael Lubinski wrote:
>>>> So using srcip in this way won't work?
>>>
>>> Your initial email suggests that this does not work.
>>>
>>>> On Thu, Mar 7, 2013 at 9:41 PM, dan (ddpbsd) <[email protected]> wrote:
>>>>> On Thursday, March 7, 2013 10:32:51 PM UTC-5, Michael Lubinski wrote:
>>>>>> Sorry, I'm new to ossec.
>>>>>>
>>>>>> I don't want to see logs generated by my scanner, so TO and FROM the
>>>>>> scanner IP. How can I tell where the process is breaking down?
>>>>>
>>>>> Easier said than done. Take each log message you don't want to see and
>>>>> create an ignore rule for it. It's a pain really.
>>>>>
>>>>>> On Thu, Mar 7, 2013 at 9:30 PM, dan (ddp) <[email protected]> wrote:
>>>>>>> On Thu, Mar 7, 2013 at 10:20 PM, Michael Lubinski
>>>>>>> <[email protected]> wrote:
>>>>>>> > I cannot get a custom rule to work, a simple src or dst IP rule.
>>>>>>> > Whenever I try to add srcip to a rule it's like the rule doesn't
>>>>>>> > work. Here is an example:
>>>>>>> >
>>>>>>> >     <rule id="100031" level="0">
>>>>>>> >       <srcip>x.x.x.x</srcip>
>>>>>>> >       <description>Ignoring traffic</description>
>>>>>>> >     </rule>
>>>>>>>
>>>>>>> What is the ultimate goal? Is srcip being decoded properly? What log
>>>>>>> message is getting through that you don't want to see? Why do I have
>>>>>>> to ask you to provide this information?

-- 
--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
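Jb Cheng's test above is the practical takeaway of the thread: an ignore rule with only <srcip> did not take effect, while the same rule with an <if_sid> did. The following is an added example, not code from the thread or from the OSSEC project: a small Python check that scans a local_rules.xml-style fragment and flags rules that use <srcip> or <dstip> without any parent condition, so the shape that failed here can be caught before the rules are loaded. The sample rules are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of rules/local_rules.xml (not a file from
# the thread). Rule 100031 mirrors the srcip-only rule that did not fire;
# rule 100002 mirrors the <if_sid> + <srcip> form Jb Cheng reported working.
SAMPLE_RULES = """
<group name="local,syslog,">
  <rule id="100031" level="0">
    <srcip>10.2.3.4</srcip>
    <description>Ignoring traffic</description>
  </rule>
  <rule id="100002" level="0">
    <if_sid>5715</if_sid>
    <srcip>10.2.3.4</srcip>
    <description>Ignore sshd failed logins from 10.2.3.4</description>
  </rule>
</group>
"""

# OSSEC rule options that tie a rule to a parent rule or group. A rule that
# carries an IP condition and none of these is the shape that did not work.
PARENT_TAGS = ("if_sid", "if_group", "if_level",
               "if_matched_sid", "if_matched_group")
IP_TAGS = ("srcip", "dstip")


def find_orphan_ip_rules(rules_xml):
    """Return the ids of rules using srcip/dstip with no parent condition."""
    # A rules file may hold several <group> roots, so wrap it before parsing.
    root = ET.fromstring("<root>" + rules_xml + "</root>")
    orphans = []
    for rule in root.iter("rule"):
        tags = {child.tag for child in rule}
        uses_ip = any(t in tags for t in IP_TAGS)
        has_parent = any(t in tags for t in PARENT_TAGS)
        if uses_ip and not has_parent:
            orphans.append(rule.get("id"))
    return orphans


if __name__ == "__main__":
    for rule_id in find_orphan_ip_rules(SAMPLE_RULES):
        print(f"rule {rule_id}: <srcip>/<dstip> without <if_sid>; "
              f"give it the id of the rule whose alerts it should silence")
```

Once a rule has been given its <if_sid>, feeding one of the unwanted log lines to ossec-logtest shows whether srcip is actually decoded from that log format, which is the other question dan raised.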
