Only a suggestion, but have you tried <srcip>2.3.4.0/24</srcip>, given that 2.3.4.5/24 is not a valid net address with a class C mask?
/f

On Wednesday, March 2, 2016 at 12:24:59 PM UTC+1, calvin ratti wrote:
>
> Thanks all for your feedback. I added the following in the local_rules.xml
> after </group> --> and before <!-- EOF --> but running into errors:
>
> <rule id="100101" level="0">
> <if_level>7</if_level>
> <srcip>1.2.3.4</srcip>
> <srcip>2.3.4.5/24 <http://64.37.231.0/24></srcip>
> <description>Ignoring rule any level above 7 from Whitelisted
> IPs</description>
> </rule>
>
> Error:
>
> "OSSEC analysisd: Testing rules failed. Configuration error. Exiting."
>
> Any ideas what I could be doing wrong?
>
> Cal
>
> On Wednesday, 2 March 2016 10:44:22 UTC+5:30, Daniel Cid wrote:
>>
>> That's correct as long as the srcip is being decoded. You may need two
>> rules just in case:
>>
>> <rule id="100001" level="0">
>> <if_level>7</if_level>
>> <srcip>1.2.3.0/24</srcip>
>> <description>Ignoring rule any level above 7 from Whitelisted
>> IPs</description>
>> </rule>
>>
>> <rule id="100002" level="0">
>> <if_level>7</if_level>
>> <regex> 1.2.3.\d+ </regex>
>> <description>Ignoring rule any level above 7 from Whitelisted
>> IPs</description>
>> </rule>
>>
>> The second one is a bit dangerous as it may open you up to log
>> injections, but you can use that as a start or tie it down to only
>> some log formats.
>>
>> thanks,
>>
>> On Tue, Mar 1, 2016 at 10:00 AM, calvin ratti <[email protected]>
>> wrote:
>> > Hi,
>> >
>> > I have a VA scanner which I have added in the Whitelist to prevent
>> > Active Response from blocking the scans. What I also understand from
>> > here is that to prevent email alerts, I should create a custom rule.
>> > Is the following syntax proper or am I missing something:
>> >
>> > <rule id="100001" level="0">
>> > <if_level>7</if_level>
>> > <srcip>1.2.3.4/24</srcip>
>> > <description>Ignoring rule any level above 7 from Whitelisted
>> > IPs</description>
>> > </rule>
>> >
>> > rule id is unique, we have configured to send email alerts only for
>> > level 7 & above.
>> >
>> > -Cal
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
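As an added example, not code from this thread or from the OSSEC project: a small Python pre-check for a local_rules.xml fragment that catches the three things the thread turns on before ossec-analysisd is asked to test the rules. It reports XML that is not well-formed (a mismatched closing tag, or curly quotes around an attribute value), a <srcip> value that is not a strict network address for its mask (the point made above about 2.3.4.5/24) or that carries stray text, and any <regex>/<match> rule, which Daniel notes can be satisfied by injected log text. The function names, the `SAMPLE_RULES` fragment (built from the rules quoted above) and the wording of the findings are all my own; the checker does not reproduce OSSEC's rule parser, whose acceptance rules may differ.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the three rules quoted in the thread;
# it is not OSSEC's shipped local_rules.xml.
SAMPLE_RULES = r"""<group name="local,">
  <rule id="100001" level="0">
    <if_level>7</if_level>
    <srcip>1.2.3.0/24</srcip>
    <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
  </rule>
  <rule id="100101" level="0">
    <if_level>7</if_level>
    <srcip>1.2.3.4</srcip>
    <srcip>2.3.4.5/24</srcip>
    <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
  </rule>
  <rule id="100002" level="0">
    <if_level>7</if_level>
    <regex> 1.2.3.\d+ </regex>
    <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
  </rule>
</group>
"""

# Shape of an acceptable value: bare IPv4 address, a.b.c.d/nn, or a.b.c.d/m.m.m.m.
SRCIP_SHAPE = re.compile(r"[0-9.]+(/[0-9.]+)?")


def check_srcip(value):
    """Return findings (strings) for one <srcip> value; an empty list means clean."""
    text = (value or "").strip()
    if not text:
        return ["empty srcip"]
    # Anything beyond digits, dots and a slash (e.g. a pasted '<http://...>' link)
    # cannot be part of an address, so report it before trying to parse.
    if not SRCIP_SHAPE.fullmatch(text):
        return [f"srcip {text!r} contains characters that are not part of an IPv4 address or CIDR"]
    if "/" in text:
        try:
            ipaddress.ip_network(text, strict=True)
            return []
        except ValueError:
            pass
        try:
            # Host bits are set under the mask: report the network the mask implies.
            implied = ipaddress.ip_network(text, strict=False)
        except ValueError:
            return [f"srcip {text!r} has an invalid address or mask"]
        return [f"srcip {text!r} is not a network address for its mask; did you mean {implied}?"]
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return [f"srcip {text!r} is not a valid IPv4 address"]
    return []


def lint_rules(xml_text):
    """Lint a rules fragment; returns a list of (rule_id, finding) tuples.

    A fragment that is not well-formed XML (mismatched tag, curly quotes around an
    attribute value) yields a single finding with rule_id None, since nothing after
    the parse error can be trusted.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [(None, f"not well-formed XML: {exc}")]

    findings = []
    seen_ids = set()
    for rule in root.iter("rule"):
        rid = rule.get("id")
        if rid is None:
            findings.append((None, "<rule> without an id attribute"))
        elif rid in seen_ids:
            findings.append((rid, "duplicate rule id"))
        seen_ids.add(rid)
        for node in rule.findall("srcip"):
            for finding in check_srcip(node.text):
                findings.append((rid, finding))
        # A <match>/<regex> rule fires on raw log text rather than a decoded field,
        # so a crafted log line can satisfy it; flag it for review.
        for tag in ("match", "regex"):
            for node in rule.findall(tag):
                pattern = (node.text or "").strip()
                findings.append((rid, f"<{tag}> matches on raw log text ({pattern!r}); "
                                      "restrict it to specific log formats"))
    return findings


if __name__ == "__main__":
    for rid, finding in lint_rules(SAMPLE_RULES):
        print(f"rule {rid}: {finding}")
```

Run against the sample, it passes rule 100001, suggests 2.3.4.0/24 for the srcip in rule 100101, and flags rule 100002 for its <regex>. Feeding it the fragment exactly as it appears in the quoted mail (curly quotes, or a `<regex>` closed by `</match>`) stops at the parse error, which is the same class of problem that makes analysisd report "Testing rules failed".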
