Hi Aaron,

Try something like that:

<rule id="100123" level="0">
  <if_level>2</if_level>
  <srcip>MYIP</srcip>
  <description>Ignoring any alert above level 2 that has MYIP decoded.</description>
</rule>

<rule id="100124" level="0">
  <if_level>2</if_level>
  <match>MYIP</match>
  <description>Ignoring any alert above level 2 that has MYIP in the log.</description>
</rule>

It will ignore any event with the source IP decoded or the source IP in the log.

thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Aug 22, 2011 at 10:51 AM, Aaron Bliss <[email protected]> wrote:
> Hi all,
> Is it possible to ignore all events / rules triggered from a specific
> IP address? I'm not referring to whitelisting an IP address in the AR
> configuration, but rather would like to ignore the alerts / events
> generated when running nessus scans from our nessus box against OSSEC
> clients. Please advise and thanks.
>
> Aaron
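
Rule 100124 above matches MYIP as text anywhere in the log line, so it is worth checking which other lines that string would silence before deploying it. The following is an added example, not part of the original thread: it models `<match>` as a plain substring test (an assumption that simplifies OSSEC's matcher), and `SCANNER_IP` and the sample log lines are constructed.

```python
import ipaddress
import re

# Constructed stand-in for MYIP (the scanner's address); not from the thread.
SCANNER_IP = "10.0.0.5"

# Constructed sample log lines, not real captures.
SAMPLE_LOGS = [
    "sshd[1001]: Failed password for root from 10.0.0.5 port 40112 ssh2",
    "sshd[1002]: Failed password for root from 10.0.0.50 port 40113 ssh2",
    "sshd[1003]: Failed password for root from 110.0.0.5 port 40114 ssh2",
    "sshd[1004]: Failed password for root from 198.51.100.7 port 40115 ssh2",
    # Exact address, but as a destination: a text match cannot tell the difference.
    "kernel: DROP SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=22",
]

# Dotted quads that are not glued to further digits or dots on either side.
IPV4_TOKEN = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def addresses_in(line):
    """Return the valid IPv4 addresses that appear as whole tokens in a line."""
    found = set()
    for token in IPV4_TOKEN.findall(line):
        try:
            found.add(str(ipaddress.IPv4Address(token)))
        except ValueError:
            pass  # not a valid address, e.g. 999.1.1.1
    return found


def classify(line, ip=SCANNER_IP):
    """Report how a substring rule for `ip` would treat this line."""
    if ip not in line:
        return "kept"
    if ip in addresses_in(line):
        return "suppressed-exact"
    return "suppressed-collision"  # the string is part of a different address


def audit(lines, ip=SCANNER_IP):
    """Return (verdict, line) for every line the substring rule would silence."""
    verdicts = [(classify(line, ip), line) for line in lines]
    return [(v, line) for v, line in verdicts if v != "kept"]


if __name__ == "__main__":
    for verdict, line in audit(SAMPLE_LOGS):
        print(f"{verdict:22} {line}")
```

Lines reported as `suppressed-collision` come from other hosts whose addresses merely contain the scanner's address as text; running the audit over a day of real logs shows whether the text-match rule is safe for a given address.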
