I would like to stop all email alerts generated by our vulnerability 
scanning service.

I've written a rule that looks like this:


<rule id="100000" level="0">
    <srcip>1.1.96.0/20</srcip>
    <description>Vulnerability Scanner</description>
</rule>


I'm still getting alerts from that IP range. For example:


** Alert 1377794479.27439553: mail  - apache,invalid_request,
2013 Aug 29 12:41:19 (www3) 100.100.100.3->/var/log/httpd/error_log
Rule: 30116 (level 10) -> 'Multiple Invalid URI requests from same source.'
Src IP: 1.1.106.130
[Thu Aug 29 12:41:18 2013] [error] [client 1.1.106.130] Invalid URI in request GET /wp-content/plugins/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini HTTP/1.1


Can anyone point out what I'm missing?

Thanks

