Hi Team,
I have an OSSEC server running in my infrastructure. We have two Alert Logic
servers which test our infrastructure by doing brute-force attacks and all
kinds of attacks, and OSSEC is sending a lot of mail alerts. I want to drop
those alert mails if the attack is from those two servers; how can I set a
rule for it?
I tried to mention those in the local rules file:
<rule id="100001" level="0">
  <if_sid>5711</if_sid>
  <srcip>ALERT_LOGIC-IPADDDR1</srcip>
  <srcip>ALERT_LOGIC-IPADDDR2</srcip>
  <srcip>ALERT_LOGIC-IPADDDR3</srcip>
  <description>failed logins from Alert Logic server.</description>
</rule>
However, it's not working; I still get many alert emails stating multiple
login failures. I have created similar rules for 5551, 5712 and 5720, but I
am still getting mail alerts for rule 5551.
Is there a way I can drop the alerts if the attack is from the Alert Logic
servers on my network?
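The rules 5551, 5712 and 5720 named above are OSSEC frequency (composite) rules: they fire after the base rules 5503 (pam login failed), 5710 (sshd non-existent user) and 5716 (sshd authentication failed) have matched several times from the same source. OSSEC treats a level 0 match as "ignored, no action taken", so matching the base rules at level 0 for the scanner addresses keeps those events out of the alert stream before the frequency counters ever reach their threshold. The local_rules.xml fragment below is an added example written for this thread, not the poster's rule or anything shipped with OSSEC; the rule IDs 100010 and 100011 and the two source addresses (RFC 5737 documentation ranges) are constructed placeholders to be replaced with the real scanner IPs or a CIDR block.

```xml
<!-- local_rules.xml: ignore failed-login noise from authorised scanner hosts.
     Added example for this thread; not OSSEC stock rules. -->
<group name="local,syslog,">

  <!-- Match the BASE failed-login rules, not the frequency rules built on
       top of them. OSSEC rule IDs referenced here:
         5503 = pam: user login failed
         5710 = sshd: attempt to login using a non-existent user
         5716 = sshd: authentication failed
       Source addresses below are constructed placeholders; a netblock such
       as 192.0.2.0/24 is also accepted by <srcip>. -->
  <rule id="100010" level="0">
    <if_sid>5503,5710,5716</if_sid>
    <srcip>192.0.2.10</srcip>
    <srcip>192.0.2.11</srcip>
    <description>Failed login from authorised scanner host; ignored.</description>
  </rule>

  <!-- Alternative if the events should still be written to alerts.log for
       audit purposes but never mailed: keep a non-zero level and use the
       no_email_alert option instead of level 0. Use one variant or the other,
       not both, because both match the same parent rules.

  <rule id="100011" level="3">
    <if_sid>5503,5710,5716</if_sid>
    <srcip>192.0.2.10</srcip>
    <srcip>192.0.2.11</srcip>
    <options>no_email_alert</options>
    <description>Failed login from authorised scanner host; logged, not mailed.</description>
  </rule>
  -->

</group>
```

After restarting OSSEC, verify the rule with /var/ossec/bin/ossec-logtest: paste a failed-login syslog line from one of the scanner hosts and the output should show rule 100010 at level 0, while the same line from any other address should still reach 5710 or 5716 (and, after repeats, 5712 or 5720).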