On Wed, Apr 9, 2014 at 3:44 PM, Oliver Kohll <[email protected]> wrote:
> I'd like to set up OSSEC so I don't get email alerts if a rule fires an
> active response (iptables block in my case). I only want to receive alerts
> that don't trigger a response, that way the traffic will reduce to a level
> where I can investigate each alert I receive and see if it should prompt a
> response (automated or not).
>
> The way I've thought of is to add a rule to my local_rules.xml that matches
> rule IDs set to trigger a response, and only if there is an IP address
> detected then set the no_email_alert flag (if there's no IP address then it
> won't have triggered an active response).
>
> Does that seem sensible or is there a better way to do it?
>

There is no functionality for this.

> Oliver
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
