Hi,
I think your rule is proper. You can add another srcip field if you want:
<rule id="100001" level="0">
<if_level>7</if_level>
<srcip>192.168.2.1</srcip>
<srcip>192.168.2.2</srcip>
<description>Ignoring rule any level above 7 from ip X.</description>
</rule>
If you want to send emails for severities above X level, you can use this
configuration:
<ossec_config>
<alerts>
<email_alert_level>X</email_alert_level>
</alerts>
</ossec_config>
Level 7 is the minimum alert level to send e-mail notifications.
Documentation:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.alerts.html#element-email_alert_level
Also, check out this:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.email_alerts.html#element-level
<alerts><email_alert_level> overrides granular email alert levels:
<email_alerts><level>. Individual rules can override this with the
alert_by_email option.
Regards.
Jesus Linares.
On Tuesday, March 1, 2016 at 3:02:19 PM UTC+1, calvin ratti wrote:
>
> Hi,
>
> I have a VA scanner which I have added in the Whitelist to prevent Active
> Response from blocking the scans. What I also understand from here is that
> to prevent email alerts, I should create a custom rule. Is the following
> syntax proper or am I missing something:
>
> <rule id="100001" level="0">
> <if_level>7</if_level>
> <srcip>1.2.3.4/24</srcip>
> <description>Ignoring rule any level above 7 from Whitelisted
> IPs</description>
> </rule>
>
> rule id is unique, we have configured to send email alerts only for level
> 7 & above.
>
> -Cal
>
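A small Python simulator of how the whitelist rule and <alerts><email_alert_level> interact, added here as an example and not part of the thread. It embeds Cal's rule and a level-7 e-mail threshold as constructed input, and assumes OSSEC's if_level matches any rule of that level or higher.

```python
# Added example (not from the ossec-list thread): decide whether an alert from a
# given source IP would still produce an e-mail once the level-0 whitelist rule
# and <alerts><email_alert_level> are in place. Only if_level, srcip (single IP
# or CIDR), the rule level and the e-mail threshold are modelled.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed input: the rule from the thread, inside a <group> as local_rules.xml expects.
LOCAL_RULES = """<group name="local">
<rule id="100001" level="0">
<if_level>7</if_level>
<srcip>1.2.3.4/24</srcip>
<description>Ignoring rule any level above 7 from Whitelisted IPs</description>
</rule>
</group>"""

# Constructed input: the <alerts> block from the thread with X = 7.
OSSEC_CONF = """<ossec_config>
<alerts>
<email_alert_level>7</email_alert_level>
</alerts>
</ossec_config>"""

def load_suppressions(rules_xml):
    """Return (if_level, [networks]) for every level-0 rule that has if_level and srcip."""
    out = []
    for rule in ET.fromstring(rules_xml).iter("rule"):
        if rule.get("level") != "0" or rule.find("if_level") is None:
            continue
        # strict=False lets a host address with a mask ("1.2.3.4/24") denote its subnet.
        nets = [ipaddress.ip_network(e.text.strip(), strict=False)
                for e in rule.findall("srcip")]
        out.append((int(rule.find("if_level").text), nets))
    return out

def email_threshold(conf_xml):
    """Minimum alert level that triggers an e-mail, from <alerts><email_alert_level>."""
    return int(ET.fromstring(conf_xml).find("alerts/email_alert_level").text)

def final_level(level, srcip, suppressions):
    """Assumed if_level semantics: a level-0 child matches when level >= if_level
    and the source IP is in one of its srcip entries; the alert then becomes level 0."""
    ip = ipaddress.ip_address(srcip)
    for min_level, nets in suppressions:
        if level >= min_level and any(ip in n for n in nets):
            return 0
    return level

def sends_email(level, srcip, rules_xml=LOCAL_RULES, conf_xml=OSSEC_CONF):
    """True if the alert's effective level reaches the e-mail threshold."""
    effective = final_level(level, srcip, load_suppressions(rules_xml))
    return effective >= email_threshold(conf_xml)
```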