Instead of using <if_sid> I'd recommend using <if_level>.
My configuration for that kind of periodic security assessment:
<!-- Rule to avoid known and planned scans -->
<!-- level 0 means the matched alert is ignored, so no e-mail is sent -->
<rule id="100001" level="0">
  <if_level>6</if_level>
  <!-- source addresses of the security team's scanners -->
  <srcip>10.32.0.9</srcip>
  <srcip>10.32.0.8</srcip>
  <description>IP address of the automatic scan - Security team</description>
  <info type="text">Automatic Scan IP from pentesting network whitelisted - 01.07.2015</info>
</rule>
On Wednesday, 27 January 2016, 10:14:00 (UTC+1), narendra reddy wrote:
>
> Hi Team,
>
> I have an OSSEC server running in my infrastructure. We have two Alert Logic
> servers which test our infrastructure by doing brute force attacks and all
> kinds of attacks, and OSSEC is sending a lot of mail alerts. I want to drop
> those alert mails if the attack is from those two servers; how can I set a
> rule for it?
>
> I tried to mention those in the local rules file:
>
> <rule id="100001" level="0">
> <if_sid>5711</if_sid>
> <srcip>ALERT_LOGIC-IPADDDR1</srcip>
> <srcip>ALERT_LOGIC-IPADDDR2</srcip>
> <srcip>IALERT_LOGIC-IPADDDR3</srcip>
> <description>failed logins from Alert Logic server.</description>
> </rule>
>
> However, it's not working. I still get many alert emails stating multiple
> login failures. I have created similar alerts for 5551, 5712 and 5720, but
> still I am getting mail alerts for rule 5551.
>
> Is there a way I can drop the alerts if the attack is from the Alert Logic
> servers on my network?
>
>
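To see why the poster's <if_sid> rule only takes over alerts from rule 5711 while an <if_level> rule covers every higher-level alert from the same hosts, here is a small Python matcher (an added example, not OSSEC's own code) that applies <if_sid>, <if_level> and <srcip> conditions the way this thread uses them. The matching semantics (if_level as "at or above", several <srcip> entries as "any of") and the 192.0.2.x scanner addresses are assumptions; check them against your OSSEC version's rule documentation.

```python
# Added example: toy matcher for the OSSEC local-rule conditions used in this
# thread. Not OSSEC's own code; its matching semantics are simplified assumptions.
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment: the poster's <if_sid> approach next to
# the <if_level> approach; the 192.0.2.x scanner addresses are placeholders.
LOCAL_RULES = """<group name="local,">
  <rule id="100001" level="0">
    <if_sid>5711</if_sid>
    <srcip>192.0.2.10</srcip>
    <srcip>192.0.2.11</srcip>
    <description>failed logins from the scanner hosts</description>
  </rule>
  <rule id="100002" level="0">
    <if_level>6</if_level>
    <srcip>192.0.2.10</srcip>
    <srcip>192.0.2.11</srcip>
    <description>Any level-6-or-higher alert from the scanner hosts</description>
  </rule>
</group>"""

def load_rules(xml_text):
    """Parse <rule> elements into dicts of the conditions we simulate."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        if_level = r.findtext("if_level")
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_sid": {s.strip() for e in r.findall("if_sid") for s in e.text.split(",")},
            "if_level": int(if_level) if if_level else None,
            "srcip": {e.text.strip() for e in r.findall("srcip")},
        })
    return rules

def matches(rule, alert):
    """alert = {'sid', 'level', 'srcip'} of the rule that already fired."""
    if rule["if_sid"] and alert["sid"] not in rule["if_sid"]:
        return False
    # Assumption: <if_level> matches alerts at that level or higher.
    if rule["if_level"] is not None and alert["level"] < rule["if_level"]:
        return False
    # Assumption: several <srcip> entries mean "any of these addresses".
    if rule["srcip"] and alert["srcip"] not in rule["srcip"]:
        return False
    return True

def matching_rules(rules, alert):
    """IDs of local rules that would take over the alert (level 0 = no e-mail)."""
    return [rule["id"] for rule in rules if matches(rule, alert)]
```

Running it with a constructed level-10 alert from rule 5551 shows only rule 100002 catching it, which is the gap the poster hit: an <if_sid> rule has to list every upstream rule id, while the <if_level> rule needs only the source addresses.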