Option: add <if_sid>30116</if_sid> (you will need the parent of 30116 as well).
Restart ossec and make sure that ossec.log is clean. You could also use ossec-logtest to see what the logs are being decoded as, in order to write the correct rules.

On Fri, Aug 30, 2013 at 10:09 AM, Robert Pyzalski <[email protected]> wrote:

> I would like to stop all email alerts generated by our vulnerability
> scanning service.
>
> I've written a rule that looks like this:
>
> <rule id="100000" level="0">
> <srcip>1.1.96.0/20</srcip>
> <description>Vulnerability Scanner</description>
> </rule>
>
> I'm still getting alerts from that IP range. For example:
>
> ** Alert 1377794479.27439553: mail - apache,invalid_request,
> 2013 Aug 29 12:41:19 (www3) 100.100.100.3->/var/log/httpd/error_log
> Rule: 30116 (level 10) -> 'Multiple Invalid URI requests from same source.'
> Src IP: 1.1.106.130
> [Thu Aug 29 12:41:18 2013] [error] [client 1.1.106.130] Invalid URI in request GET /wp-content/plugins/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini HTTP/1.1
>
> Can anyone point out what I'm missing?
>
> Thanks
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

--
Thank you,
Jared R. Greene
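The local rule the reply is pointing at, written out as an added example (not from either message in the thread): the original rule 100000 is made a child of 30116 with if_sid, so the level-0 match takes precedence over the level-10 alert for the scanner range only. The parent rule of 30116 is not named in the thread, so PARENT_SID is a placeholder to be replaced with the id that ossec-logtest reports for the single "Invalid URI" event.

```xml
<!-- local_rules.xml: added example, not from the thread. -->
<group name="local,">

  <!-- Child of 30116: the composite "Multiple Invalid URI requests" alert.
       Level 0 means the event is matched but never alerted on. The srcip
       scope keeps this narrow: the same requests from any other source
       still raise 30116 at level 10. -->
  <rule id="100000" level="0">
    <if_sid>30116</if_sid>
    <srcip>1.1.96.0/20</srcip>
    <description>Vulnerability Scanner: suppress 30116 for scanner range</description>
  </rule>

  <!-- Child of the parent of 30116 (the per-request invalid URI rule),
       which otherwise still alerts on its own. PARENT_SID is a placeholder;
       replace it with the numeric rule id shown by ossec-logtest before
       restarting ossec, or the rules file will not load. -->
  <rule id="100001" level="0">
    <if_sid>PARENT_SID</if_sid>
    <srcip>1.1.96.0/20</srcip>
    <description>Vulnerability Scanner: suppress parent of 30116 for scanner range</description>
  </rule>

</group>
```

After restarting, feed one of the quoted error_log lines to ossec-logtest and confirm it reports rule 100000 or 100001 at level 0 instead of 30116 at level 10.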
