On 2014-08-09 8:01, Randy Dover wrote:
I am performing a vulnerability scan internally (using OpenVAS on
Kali). I am getting the alerts below.

Is there a way to filter or exclude these events if they are coming
from the server that OpenVAS (Kali) is installed on? Either by IP
address or server name?

Something like this *might* work.

<rule id="10000" level="0">
  <if_sid>^1$</if_sid>
  <hostname>AGENT NAME HERE</hostname>
  <description>Whoa, calm down there, Sparky!</description>
</rule>

Restrict it further, if possible.

I haven't actually tried or seen <if_sid>^1$</if_sid> used before but it is where rule processing starts, so in theory it should work. The idea here is that it will check every log and then see if it is coming from the Kali box. But I'm not sure this is what you want, anyway. Wouldn't the scanned hosts be the ones you want to exclude from?

If they all have the Kali box IP in the logs, you can use the match element for that. I wouldn't use the IP element since it's unlikely all of the logs will be decoded properly, and match is just a string comparison.
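The two exclusion approaches discussed above, written out as an added example for local_rules.xml (not from either poster): the first rule depends on the decoder having extracted srcip, the second only needs the scanner's address to appear somewhere in the raw log. The scanner address 192.0.2.10, the rule ids in the 100000 range and the authentication_failed group are assumptions for the example; substitute the scanner's real address and the groups or rule ids that show up in your alerts.

```xml
<group name="local,">

  <!-- Approach 1: srcip element. Only fires when the decoder for that
       log format actually populated the srcip field; logs that decode
       without a source IP are not matched and still alert. -->
  <rule id="100010" level="0">
    <if_group>authentication_failed</if_group>
    <srcip>192.0.2.10</srcip>
    <description>Authorized OpenVAS scanner (decoded srcip) - ignore</description>
  </rule>

  <!-- Approach 2: match element. Plain substring comparison on the full
       log line, so it works whether or not the decoder understood the
       message. Level 0 means no alert is generated. Anchoring is not
       possible here, so 192.0.2.10 will also match 192.0.2.100 and
       similar longer addresses; pick a pattern that cannot collide. -->
  <rule id="100011" level="0">
    <if_group>authentication_failed</if_group>
    <match>192.0.2.10</match>
    <description>Authorized OpenVAS scanner (raw log match) - ignore</description>
  </rule>

</group>
```

Restricting with if_group or if_sid rather than applying the match to every event keeps the suppression scoped to the alerts the scan actually produces, so a real attacker spoofing or sharing that address still trips everything outside those groups.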

