I've done this on a rule-by-rule basis. For instance, if your monitoring
system scans the SSH ports of your servers, it's useful to downgrade that
alert.
<rule id="100040" level="2">
  <if_sid>5706</if_sid>
  <srcip>10.1.2.3</srcip>
  <description>Monitoring server scanning SSH port</description>
</rule>
--Josh
On Friday, February 7, 2014 2:17:33 AM UTC-5, Dolph Rocks wrote:
>
> Hi,
>
> Is there any way to change the severity level for the alerts coming from
> one particular machine?
>
> Reply urgent
>
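Added example (not part of the original message, and not OSSEC's own code): a simplified Python model of how the rule above is matched, run over constructed alerts, showing that the override only touches alerts raised by parent rule 5706 from that one source address. The alert dictionaries, the parent levels and rule ID 99999 are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The rule from the message above.
RULE_XML = """
<rule id="100040" level="2">
  <if_sid>5706</if_sid>
  <srcip>10.1.2.3</srcip>
  <description>Monitoring server scanning SSH port</description>
</rule>
"""

def load_override(xml_text):
    """Extract the fields of a child rule that matter for matching."""
    rule = ET.fromstring(xml_text)
    return {
        "id": int(rule.get("id")),
        "level": int(rule.get("level")),
        # if_sid may hold a comma-separated list of parent rule IDs
        "if_sid": {int(s) for s in rule.findtext("if_sid").split(",")},
        # strict=False accepts a bare address as well as a CIDR block
        "srcip": ipaddress.ip_network(rule.findtext("srcip").strip(), strict=False),
    }

def apply_override(alert, override):
    """Return the (rule id, level) an alert ends up with.

    Simplified model: the child rule replaces the parent only when the
    parent rule fired AND the source address matches; otherwise the
    alert keeps its original rule ID and level.
    """
    if (alert["sid"] in override["if_sid"]
            and ipaddress.ip_address(alert["srcip"]) in override["srcip"]):
        return override["id"], override["level"]
    return alert["sid"], alert["level"]

# Constructed sample alerts; levels and rule ID 99999 are placeholders.
SAMPLE_ALERTS = [
    {"sid": 5706, "level": 6, "srcip": "10.1.2.3"},     # monitoring server
    {"sid": 5706, "level": 6, "srcip": "203.0.113.9"},  # any other source
    {"sid": 99999, "level": 5, "srcip": "10.1.2.3"},    # different parent rule
]

def run_samples():
    override = load_override(RULE_XML)
    return [apply_override(a, override) for a in SAMPLE_ALERTS]

if __name__ == "__main__":
    for alert, result in zip(SAMPLE_ALERTS, run_samples()):
        print(alert, "->", result)
```

The third sample keeps its level even though it comes from the monitoring server, which is why each noisy parent rule needs its own override.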