That's correct as long as the srcip is being decoded. You may need two rules just in case:
<rule id="100001" level="0">
  <if_level>7</if_level>
  <srcip>1.2.3.0/24</srcip>
  <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
</rule>

<rule id="100002" level="0">
  <if_level>7</if_level>
  <regex>1.2.3.\d+</regex>
  <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
</rule>

The second one is a bit dangerous as it may open you up to log injections, but you can use that as a start or tie it down to only some log formats.

thanks,

On Tue, Mar 1, 2016 at 10:00 AM, calvin ratti <[email protected]> wrote:
> Hi,
>
> I have a VA scanner which I have added in the Whitelist to prevent Active
> Response from blocking the scans. What I also understand from here is that
> to prevent email alerts, I should create a custom rule. Is the following
> syntax proper or am I missing something:
>
> <rule id="100001" level="0">
> <if_level>7</if_level>
> <srcip>1.2.3.4/24</srcip>
> <description>Ignoring rule any level above 7 from Whitelisted
> IPs</description>
> </rule>
>
> rule id is unique, we have configured to send email alerts only for level 7
> & above.
>
> -Cal
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
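As an added illustration (not part of the thread, and not OSSEC's own code), the Python script below mimics the two overrides so you can see where they differ: the srcip rule only fires when a decoder has populated srcip, while the regex rule matches anywhere in the raw log line, which is the log-injection exposure the reply warns about. The sample events, the Python translation of the OSSEC regex, and the reading of if_level as "level 7 and above" are assumptions.

```python
import ipaddress
import re
from typing import Optional

WHITELIST = ipaddress.ip_network("1.2.3.0/24")  # <srcip>1.2.3.0/24</srcip>
# OSSEC regex "1.2.3.\d+" (dots are literal in OS_Regex); Python equivalent:
WHITELIST_RE = re.compile(r"1\.2\.3\.\d+")
IF_LEVEL = 7  # <if_level>7</if_level>, read here as "level 7 and above" (assumption)


def rule_100001(decoded_srcip: Optional[str], level: int) -> bool:
    """srcip override: needs a decoded srcip that falls inside the whitelist."""
    if level < IF_LEVEL or decoded_srcip is None:
        return False
    return ipaddress.ip_address(decoded_srcip) in WHITELIST


def rule_100002(raw_log: str, level: int) -> bool:
    """regex override: fires if the pattern appears anywhere in the raw log."""
    return level >= IF_LEVEL and WHITELIST_RE.search(raw_log) is not None


def effective_level(decoded_srcip, raw_log, level, use_regex_rule):
    """Alert level after the overrides; 0 means no email alert is sent."""
    if rule_100001(decoded_srcip, level):
        return 0
    if use_regex_rule and rule_100002(raw_log, level):
        return 0
    return level


# Constructed sample events (not real logs): (decoded srcip, raw log, level)
SCANNER = ("1.2.3.10", "sshd[1]: Failed password for root from 1.2.3.10 port 4", 10)
UNDECODED = (None, "app: probe from 1.2.3.10 (format with no srcip decoder)", 10)
INJECTED = ("10.9.8.7", "sshd[2]: Invalid user 1.2.3.77 from 10.9.8.7 port 5", 10)


def demo():
    """Compare both rules on the three events; see the <test> for expected values."""
    return {
        "scanner_srcip_only": effective_level(*SCANNER, False),     # silenced
        "undecoded_srcip_only": effective_level(*UNDECODED, False), # still alerts
        "undecoded_with_regex": effective_level(*UNDECODED, True),  # silenced
        "injected_srcip_only": effective_level(*INJECTED, False),   # still alerts
        "injected_with_regex": effective_level(*INJECTED, True),    # silenced by a
    }                                                               # username payload
```

The last case is the reason to restrict the regex rule to specific log formats, or to rely on srcip-based rules wherever a decoder supplies the field.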
