I am trying to create a rule that will prevent email notifications for
the following alert but cant seem to make it work. Below is an
example of the email I would like to ignore:
Received From: ktwapp-8->172.16.230.10
Rule: 4383 fired (level 10) -> "Multiple PIX warning messages."
Portion of the log(s):
%ASA-4-419002: Duplicate TCP SYN from inside:xxx.xxx.xxx.xxx/9200 to
inside:xxx.xxx.xxx.xxx/1170 with different initial sequence number
I have created the following rule within the local_rules.xml file but
it doesnt seem to have any effect:
<rule id="100002" level="0">
<if_sid>4383</if_sid>
<regex>\.+Duplicate\sTCP\sSYN\sfrom\sinside\p:xxx\p.xxx\p.xxx\p.xxx
\.+</regex>
<description>Rule that will ignore Duplicate</description>
<description>TCP SYN from IP xxx.xxx.xxx.xxx</description>
</rule>
Any help in figuring out what I am doing wrong would be greatly
appreicated. Thanks
