I'd like to set up OSSEC so I don't get email alerts if a rule fires an active response (iptables block in my case). I only want to receive alerts that don't trigger a response, that way the traffic will reduce to a level where I can investigate each alert I receive and see if it should prompt a response (automated or not).
The way I've thought of is to add a rule to my local_rules.xml that matches rule IDs set to trigger a response, and only if there is an IP address detected then set the no_email_alert flag (if there's no IP address then it won't have triggered an active response). Does that seem sensible or is there a better way to do it?

Oliver
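As an added example of the approach described in the post (this is not part of the original message and not an official OSSEC snippet), the fragment below shows a local_rules.xml child rule that inherits from an active-response rule and suppresses its e-mail, together with the matching active-response block in ossec.conf. Rule ID 5712 (sshd brute force), the local rule ID 100100, the level, and the 600-second timeout are assumed values chosen for illustration; adjust them to the rules you actually wire to firewall-drop.

```xml
<!-- local_rules.xml (added example, assumed IDs) -->
<group name="local,">
  <!-- Child of the rule(s) that are meant to trigger firewall-drop.
       When 5712 matches, this rule fires instead of it, and the alert
       still goes to alerts.log but is not e-mailed. -->
  <rule id="100100" level="10">
    <if_sid>5712</if_sid>
    <options>no_email_alert</options>
    <description>Brute-force source blocked by active response; alert logged, no e-mail.</description>
  </rule>
</group>

<!-- ossec.conf (added example) -->
<ossec_config>
  <!-- Point the active response at the child rule ID, not the parent:
       the alert that analysisd emits carries the ID of the most specific
       rule that matched, so a response keyed on 5712 would no longer fire. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Two caveats a practitioner should check before relying on this. First, the active-response `<rules_id>` must reference the new child rule (or you key the response on `<level>`/`<group>` instead), because the child rule replaces the parent in the emitted alert. Second, I am not aware of a rule option that tests merely whether a source IP was decoded, so this fragment does not implement the "only if an IP address is detected" condition in the rule itself; it relies on the firewall-drop command's `<expect>srcip</expect>` to skip events without an IP. For a frequency rule such as 5712 that already requires `same_source_ip` this makes no practical difference, but for parent rules that can fire without a decoded srcip, events without an IP would be silenced as well, which is the opposite of what the post wants.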
