We have a situation where we have an alert from ossec on an initial environment build which we wish to ignore. However, we only want to ignore the first alert and not subsequent similar alerts.
Is there a way to whitelist (level=0, in the local_rules.xml file) for some event for the first ten minutes only? And then have the alerts (level=7 in this case) as per usual. The alert is below:

** Alert 1465821827.92581: mail - ossec,
2016 Jun 13 13:43:47 (monitoringxyz02) any->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::25 :::* LISTEN
tcp6 0 0 :::5666 :::* LISTEN
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::25 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::5666 :::* LISTEN

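The rule 533 alert quoted in the post carries both the current and the previous netstat output but does not say which socket actually changed. The script below is an added example, not part of the original post or of OSSEC itself: it parses that alert format and reports the listening sockets that were opened or closed, which is the detail a triager wants before deciding whether the alert is build noise or a real change. The sample alert is a copy of the one above with its line breaks restored.

```python
import re

# Sample input: the rule 533 alert from the post, with whitespace restored (constructed copy).
SAMPLE_ALERT = """** Alert 1465821827.92581: mail - ossec,
2016 Jun 13 13:43:47 (monitoringxyz02) any->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::25 :::* LISTEN
tcp6 0 0 :::5666 :::* LISTEN
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::25 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::5666 :::* LISTEN
"""

# One netstat LISTEN line: proto, recv-q, send-q, local address, foreign address, state.
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s*$", re.M)


def listeners(section):
    """Return the set of (proto, local address) pairs found in one netstat block."""
    return {(proto, addr) for proto, addr in LISTEN_RE.findall(section)}


def diff_rule_533(alert_text):
    """Split a rule 533 alert at 'Previous output:' and diff the two listener sets."""
    current, _, previous = alert_text.partition("Previous output:")
    now, before = listeners(current), listeners(previous)
    return {"opened": sorted(now - before), "closed": sorted(before - now)}


if __name__ == "__main__":
    result = diff_rule_533(SAMPLE_ALERT)
    print("opened:", result["opened"])  # opened: []
    print("closed:", result["closed"])  # closed: [('tcp6', ':::443')]
```

For the alert in the post the only change is that tcp6 port 443 stopped listening, so a whitelist keyed on the raw rule 533 would silence exactly this kind of change, not just the first-build noise.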