http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-lists.html
Your rule would look something like this:
<rule id="100078" level="0">
<if_sid>5703,31161</if_sid>
<list field="srcip" lookup="address_match_key">lists/name_of_list</list>
<description>Ignore this</description>
</rule>
And you would have to add the list to the <rules> block of your server config
<ossec_config>
<rules>
<list>lists/name_of_list</list>
...
On 6/11/2015 1:34 AM, H.Merijn Brand wrote:
Thank you. Now installed with the desired IPs.

From those docs, I concluded that one would need a rule per IP. srcip cannot be a comma-separated list, right?

On Wednesday 10 June 2015 21:44:44 UTC+2, Binet, Valere (NIH/NIA/IRP) [C] wrote:

Your personal rules go in /var/ossec/rules/local_rules.xml

Example:
<rule id="100078" level="0">
<if_sid>5703,31161</if_sid>
<srcip>1.2.3.4</srcip>
<description>Ignore this</description>
</rule>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
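An added example, not part of the original thread: one way to turn the comma-separated set of addresses asked about above into the source file for the list that the `<list field="srcip" lookup="address_match_key">` rule reads. It assumes the list source is one `key:value` line per address, that `lists/name_of_list` is relative to /var/ossec, and that the list is compiled with `ossec-makelists`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# the addresses used with it below are constructed documentation IPs.

# valid_ipv4 ADDR: succeed only for a full dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest=$1.
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        # Reject leading zeros and over-long octets before comparing.
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# ips_to_list "ip1,ip2,..." [VALUE]: print one "key:value" line per
# unique address. Any invalid entry aborts with status 1 and no output,
# so a mistyped entry never reaches the list used to ignore alerts.
ips_to_list() {
    value=${2:-ignored}
    list=$(printf '%s' "$1" | tr -d ' ')
    case "$list" in *[!0-9.,]*)
        echo "unexpected character in: $1" >&2; return 1 ;;
    esac
    out=
    seen=,
    for ip in $(printf '%s' "$list" | tr ',' ' '); do
        valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
        case "$seen" in *",$ip,"*) continue ;; esac  # keys must be unique
        seen="$seen$ip,"
        out="$out$ip:$value
"
    done
    [ -n "$out" ] || return 1
    printf '%s' "$out"
}

# Assumed usage ("lists/name_of_list" taken as relative to /var/ossec):
#   ips_to_list "192.0.2.10,198.51.100.7" > /var/ossec/lists/name_of_list
#   /var/ossec/bin/ossec-makelists   # compile the list to CDB form
```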
