Thanks, it worked after adding the <group></group> & doing the below. No issues with the subnet, that was just indicative of CIDR. Running -d -d listed all the rules.

Also the double quotes we had copied from the text editor onto the terminal had to be deleted and re-typed. Weird, but it worked.

Cal

On Thursday, 3 March 2016 21:38:28 UTC+5:30, LostInThe Tubez wrote:
> You must include your rules inside of a group tag. Unless I'm totally missing something, that is what analysisd is complaining about.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* calvin ratti
> *Sent:* Wednesday, March 2, 2016 4:25 AM
> *To:* ossec-list <[email protected]>
> *Subject:* Re: [ossec-list] Disable Email Alerts from a particular source ip
>
> Thanks all for your feedback. I added the following in the local_rules.xml after </group> --> and before <!-- EOF --> but am running into errors:
>
> <rule id=“100101” level=“0”>
>   <if_level>7</if_level>
>   <srcip>1.2.3.4</srcip>
>   <srcip>2.3.4.5/24</srcip>
>   <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
> </rule>
>
> Error:
>
> "OSSEC analysisd: Testing rules failed. Configuration error. Exiting."
>
> Any ideas what I could be doing wrong?
>
> Cal
>
> On Wednesday, 2 March 2016 10:44:22 UTC+5:30, Daniel Cid wrote:
> > That's correct as long as the srcip is being decoded. You may need two rules just in case:
> >
> > <rule id="100001" level="0">
> >   <if_level>7</if_level>
> >   <srcip>1.2.3.0/24</srcip>
> >   <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
> > </rule>
> >
> > <rule id="100002" level="0">
> >   <if_level>7</if_level>
> >   <regex> 1.2.3.\d+ </regex>
> >   <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
> > </rule>
> >
> > The second one is a bit dangerous as it may open you up to log injections, but you can use that as a start or tie it down to only some log formats.
> >
> > thanks,
> >
> > On Tue, Mar 1, 2016 at 10:00 AM, calvin ratti <[email protected]> wrote:
> > > Hi,
> > >
> > > I have a VA scanner which I have added in the Whitelist to prevent Active Response from blocking the scans. What I also understand from here is that to prevent email alerts, I should create a custom rule. Is the following syntax proper or am I missing something:
> > >
> > > <rule id="100001" level="0">
> > >   <if_level>7</if_level>
> > >   <srcip>1.2.3.4/24</srcip>
> > >   <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
> > > </rule>
> > >
> > > The rule id is unique; we have configured to send email alerts only for level 7 & above.
> > >
> > > -Cal

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
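The two things that broke Cal's rule (a <rule> sitting outside any <group>, and curly quotes pasted from a text editor in place of ASCII double quotes) are both easy to check before handing the file to analysisd. The following checker is an added example, not part of this thread and not OSSEC project code; the group name, the sample fragments and the checker itself are constructed for illustration, and OSSEC's own rule test remains the authority on what it will accept.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: the rule shape from the thread, pasted with curly
# quotes and outside any <group>, which is what analysisd rejected.
BROKEN_LOCAL_RULES = """<rule id=\u201c100101\u201d level=\u201c0\u201d>
  <if_level>7</if_level>
  <srcip>1.2.3.4</srcip>
  <srcip>2.3.4.5/24</srcip>
  <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
</rule>
"""

# Constructed sample: the same rule wrapped in a <group> with straight quotes
# (the group name is an assumption, not one from the thread).
FIXED_LOCAL_RULES = """<group name="local,whitelist,">
  <rule id="100101" level="0">
    <if_level>7</if_level>
    <srcip>1.2.3.4</srcip>
    <srcip>2.3.4.5/24</srcip>
    <description>Ignoring rule any level above 7 from Whitelisted IPs</description>
  </rule>
</group>
"""

# Typographic quotes that editors and mail clients substitute for " and '.
CURLY_QUOTES = re.compile("[\u201c\u201d\u2018\u2019]")


def check_local_rules(xml_text: str) -> list[str]:
    """Return a list of problems found in a local_rules.xml fragment.

    Checks, in order: curly quotes (which make the XML unparseable),
    well-formedness, every <rule> being a child of a <group>, and every
    <srcip> being a valid IPv4 address or CIDR network.
    """
    problems = []
    for lineno, line in enumerate(xml_text.splitlines(), 1):
        if CURLY_QUOTES.search(line):
            problems.append(
                f"line {lineno}: curly quote found; retype as a straight ASCII quote"
            )
    if problems:
        # The XML parser would choke on these anyway; report and stop here.
        return problems

    # local_rules.xml may contain several top-level <group> elements, so wrap
    # the fragment in a synthetic root before parsing.
    try:
        root = ET.fromstring(f"<root>{xml_text}</root>")
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    # ElementTree has no parent pointers; build a child -> parent map once.
    parent = {child: elem for elem in root.iter() for child in elem}

    for rule in root.iter("rule"):
        rid = rule.get("id", "?")
        if parent[rule].tag != "group":
            problems.append(f"rule {rid}: not inside a <group> element")
        for srcip in rule.findall("srcip"):
            value = (srcip.text or "").strip()
            try:
                # strict=False accepts host addresses with a prefix (2.3.4.5/24).
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                problems.append(
                    f"rule {rid}: srcip {value!r} is not a valid IPv4 address or CIDR"
                )
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_LOCAL_RULES), ("fixed", FIXED_LOCAL_RULES)):
        print(label, check_local_rules(text) or "OK")
```

Run it against the real file with `check_local_rules(open("local_rules.xml").read())`; the curly-quote pass runs first because a single pasted quote makes the whole file unparseable, which is the symptom the thread ends on.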
