Hello everyone,
We recently set up OSSEC HIDS using the client/server model. So far things have been working fairly well and it is looking like a good however there is a circumstance on one web server where a buggy source control client causes several 400 errors in a short timeframe, causing rule 3151 to fire. Since several developers use this server legitimately for source control, is there a way to exclude their known IP address from that rule? So far trying things such as the whitelist and using <srcip>!.....</srcip> in the rule have been unsuccessful.
Thanks in advance,
-Joel