Hello how are you?
I'm new to this, and I don't fully understand the rules.
Predefined rule example:
<group name="syslog,attacks,">
  <rule id="40101" level="12">
    <if_group>authentication_success</if_group>
    <user>$SYS_USERS</user>
    <description>System user successfully logged to the system.</description>
    <mitre>
      <id>T1078</id>
    </mitre>
    <group>invalid_login,pci_dss_10.2.4,pci_dss_10.2.5,gpg13_7.8,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_$
  </rule>
I would like to create an exception, so that it doesn't raise alerts when
events are fired from XX.XX.XX.XX and JHON (user)
What I tried to do:
<group name="test,">
  <!-- Child of 40101: every condition inside one rule must match (AND). -->
  <rule id="110001" level="0">
    <if_sid>40101</if_sid>
    <!-- Compare the decoded user field (as the parent rule does), not the raw log text. -->
    <user>JHON</user>
    <srcip>XX.XX.XX.XX</srcip>
    <!-- level 0: the match replaces the parent's level-12 alert and nothing is raised. -->
    <description>No alert.</description>
  </rule>
</group>
How do I indicate that it should not alert if both conditions are met? I am
somewhat lost.
Thank you.
Sorry for my bad English.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ossec-list/b2447b61-968d-4402-a1c4-ca4fe3f73ffan%40googlegroups.com.
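To illustrate how the two conditions in the exception rule combine, here is an added toy evaluator (written for this post, not OSSEC's own engine) that parses a constructed local_rules.xml fragment with the standard library and applies the rules the way OSSEC does: every field inside one rule must hold (AND), and a level-0 child reached through if_sid replaces the parent's alert. Only if_sid, if_group, user, srcip and level are modelled, $SYS_USERS is treated as "any user", and the IP address and user name are placeholders.

```python
"""Toy model of OSSEC rule matching for the exception-rule question.

Added example, not OSSEC code. Assumptions: only <if_sid>, <if_group>,
<user>, <srcip> and the level attribute are honoured; "$SYS_USERS" is
treated as matching any decoded user; the user JHON and the address
203.0.113.10 are placeholders standing in for the asker's values.
"""
import xml.etree.ElementTree as ET

# Constructed rule fragment: the parent rule plus the exception rule.
RULES_XML = """
<rules>
  <group name="syslog,attacks,">
    <rule id="40101" level="12">
      <if_group>authentication_success</if_group>
      <user>$SYS_USERS</user>
      <description>System user successfully logged to the system.</description>
    </rule>
  </group>
  <group name="test,">
    <rule id="110001" level="0">
      <if_sid>40101</if_sid>
      <user>JHON</user>
      <srcip>203.0.113.10</srcip>
      <description>No alert.</description>
    </rule>
  </group>
</rules>
"""

FIELDS = ("if_sid", "if_group", "user", "srcip")


def load_rules(xml_text):
    """Return {rule_id: {field: value, "level": int}} for every <rule>."""
    rules = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        spec = {"level": int(rule.get("level"))}
        for child in rule:
            if child.tag in FIELDS:
                spec[child.tag] = child.text.strip()
        rules[rule.get("id")] = spec
    return rules


RULES = load_rules(RULES_XML)


def fields_match(spec, event):
    """AND of all field conditions in one rule, as OSSEC evaluates them."""
    if "if_group" in spec and spec["if_group"] not in event["groups"]:
        return False
    if "user" in spec:
        # "$SYS_USERS" modelled as "any decoded user" (assumption).
        if not event.get("user"):
            return False
        if spec["user"] != "$SYS_USERS" and spec["user"] != event["user"]:
            return False
    if "srcip" in spec and spec["srcip"] != event.get("srcip"):
        return False
    return True


def evaluate(event):
    """Return (rule_id, level) of the rule that finally fires, or None."""
    for rid, spec in RULES.items():
        # Top-level rules have no <if_sid>; children are tried only after
        # their parent matched, and the first matching child wins.
        if "if_sid" in spec or not fields_match(spec, event):
            continue
        winner = (rid, spec["level"])
        for cid, cspec in RULES.items():
            if cspec.get("if_sid") == rid and fields_match(cspec, event):
                winner = (cid, cspec["level"])
                break
        return winner
    return None


def alerts(event):
    """True when the final rule has a level above 0."""
    result = evaluate(event)
    return result is not None and result[1] > 0


# Constructed decoded events (what the decoder would hand to the rules).
AUTH = {"authentication_success"}
EVENTS = {
    "allowed":    {"groups": AUTH, "user": "JHON", "srcip": "203.0.113.10"},
    "other_ip":   {"groups": AUTH, "user": "JHON", "srcip": "198.51.100.7"},
    "other_user": {"groups": AUTH, "user": "root", "srcip": "203.0.113.10"},
    "unrelated":  {"groups": {"syslog"}, "user": "JHON", "srcip": "203.0.113.10"},
}

if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name:11} -> {evaluate(event)} alert={alerts(event)}")
```

Only the event where both the user and the source address match is silenced; the same user from another address, or another user from the same address, still reaches rule 40101 at level 12. On a real installation the equivalent check is to feed a sample log line to ossec-logtest and confirm that rule 110001 fires with level 0.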