Hey Jesus, I'm only overwriting rule 5501 to increase its alert level to 7 (as I'm testing to only send an alert if 7 or <).

I did test the following:

<rule id="100200" level="0">
  <if_sid>5501</if_sid>
  <srcip>Remote IP</srcip>
  <description>Ignoring host remote IP</description>
</rule>

also:

<rule id="100200" level="0">
  <if_sid>5501</if_sid>
  <srcip>Remote IP</srcip>
  <options>no_email_alert</options>
  <description>Ignoring host remote IP</description>
</rule>

However, I still get alerts sent to me when connecting to any OSSEC agent through that remote host.

On Monday, 19 June 2017 at 16:27:47 UTC+2, Jesus Linares wrote:
>
> Your second rule is ignoring only alerts with level 2 and with your IP. I
> think you could use *if_sid*.
>
> Why are you overwriting the rule 5501?
>
> Regards.
>
>
> On Monday, June 19, 2017 at 12:00:29 PM UTC+2, Fredrik Hilmersson wrote:
>>
>> Hello,
>>
>> So I got the following custom rule on the ossec server:
>>
>> <rule id="5501" level="7" overwrite="yes">
>>   <if_sid>5500</if_sid>
>>   <match>session opened for user </match>
>>   <description>Login session opened.</description>
>>   <group>authentication_success,</group>
>> </rule>
>>
>> Then afterwards I use the local rule on the ossec server to avoid alert
>> spam from a specific IP:
>>
>> <rule id="110000" level="0">
>>   <if_level>2</if_level>
>>   <srcip>MYIP</srcip>
>>   <description>Ignoring ip MYIP</description>
>> </rule>
>>
>> I tried with <match></match> instead of srcip but without success, the
>> ossec agents still generate alerts to my ossec server when connecting from
>> MYIP.
>>
>> --
--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
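To see why a `<srcip>` child of 5501 cannot fire, here is an added toy model (not OSSEC's code, and not from this thread) of the decoder and rule tree: constructed log lines, simplified pam/sshd decoders, the thread's 5500/5501/100200 rules beside reduced stand-ins for OSSEC's sshd rules 5700/5715 and a hypothetical suppressor 100201. The IP 203.0.113.5 stands in for the poster's "Remote IP"/MYIP placeholders.

```python
import re

# Constructed sample log lines (not from the thread). The first is the pam
# line that OSSEC rule 5501 ("session opened for user") fires on; the second
# is the sshd login line that actually carries the client IP.
PAM_LINE = ("Jun 19 12:00:00 host sshd[1234]: pam_unix(sshd:session): "
            "session opened for user alice by (uid=0)")
SSHD_LINE = ("Jun 19 12:00:00 host sshd[1234]: Accepted password for alice "
             "from 203.0.113.5 port 51234 ssh2")

def decode(line):
    """Toy stand-in for the stock pam/sshd decoders: a field such as srcip
    exists only if the log line itself contains it."""
    fields = {}
    m = re.search(r"session opened for user (\S+)", line)
    if m:
        fields["dstuser"] = m.group(1)
    m = re.search(r"Accepted \S+ for (\S+) from (\d+\.\d+\.\d+\.\d+)", line)
    if m:
        fields["dstuser"], fields["srcip"] = m.group(1), m.group(2)
    return fields

# Rule tree reduced to the attributes the matcher needs. 5500/5501/100200
# follow the thread; 5700/5715 are simplified stand-ins for OSSEC's sshd
# rules; 100201 is a hypothetical suppressor hung under 5715 (assumption).
RULES = [
    {"id": 5500, "level": 0, "match": "pam_unix"},
    {"id": 5501, "level": 7, "if_sid": 5500, "match": "session opened for user "},
    {"id": 100200, "level": 0, "if_sid": 5501, "srcip": "203.0.113.5"},
    {"id": 5700, "level": 0, "match": "sshd"},
    {"id": 5715, "level": 3, "if_sid": 5700, "match": "Accepted "},
    {"id": 100201, "level": 0, "if_sid": 5715, "srcip": "203.0.113.5"},
]

def evaluate(line, fields=None, parent=None):
    """Return (rule id, level) for the deepest matching rule, OSSEC-style:
    the first matching rule at a level wins, then its children refine it."""
    fields = decode(line) if fields is None else fields
    for rule in RULES:
        if rule.get("if_sid") != parent:
            continue
        if "match" in rule and rule["match"] not in line:
            continue
        # <srcip> can only ever match when the decoder produced a srcip field.
        if "srcip" in rule and fields.get("srcip") != rule["srcip"]:
            continue
        return evaluate(line, fields, rule["id"]) or (rule["id"], rule["level"])
    return None

if __name__ == "__main__":
    print(evaluate(PAM_LINE))   # (5501, 7): no srcip decoded, alert stays
    print(evaluate(SSHD_LINE))  # (100201, 0): IP is decoded here, suppressed
```

On a real server, `ossec-logtest` prints the fields decoded for a pasted log line; if no srcip appears there for the line a rule matches, a `<srcip>` condition on that rule's children will never match.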