Hi Team, I have an OSSEC server running in my infrastructure. We have two Alert Logic servers which test our infrastructure by doing brute-force attacks and all kinds of other attacks, and OSSEC is sending a lot of mail alerts. I want to drop those alert mails if the attack is from those two servers; how can I set a rule for it?
I tried to add those to the local rules file:

<group name="local,syslog,">
  <rule id="100001" level="0">
    <if_sid>5711</if_sid>
    <srcip>ALERT_LOGIC-IPADDR1</srcip>
    <srcip>ALERT_LOGIC-IPADDR2</srcip>
    <srcip>ALERT_LOGIC-IPADDR3</srcip>
    <description>Failed logins from Alert Logic server.</description>
  </rule>
</group>

However, it's not working; I still get many alert emails stating multiple login failures. I have created similar rules for 5551, 5712 and 5720, but I am still getting mail alerts for rule 5551. Is there a way I can drop the alerts if the attack is from the Alert Logic servers on my network?
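One way to silence authentication-failure alerts from known scanner hosts is shown below. This is an added example for the question above, not the poster's rule and not a rule shipped with OSSEC; the two addresses are constructed placeholders, and the group/rule IDs used inside are assumed (100001 is in the local-rule range, `authentication_failed` is the group that OSSEC's sshd and PAM failure rules belong to).

```xml
<!-- Added example (not from the original post or the OSSEC project).
     Goes in /var/ossec/rules/local_rules.xml; restart ossec afterwards.
     The two source IPs are placeholders for the scanner hosts. -->
<group name="local,syslog,">

  <!-- Match every rule in the authentication_failed group (sshd 5710/5716,
       PAM 5503 and friends) when the source IP is one of the scanner hosts.
       Level 0 raises no alert and sends no e-mail. Because the event is
       attributed to this rule rather than to the base rule, the frequency
       based composite rules (5712, 5720, 5551) never count it either, which
       is why anchoring on the base group works where silencing the composite
       rule IDs one by one does not. -->
  <rule id="100001" level="0">
    <if_group>authentication_failed</if_group>
    <srcip>192.0.2.10</srcip>
    <srcip>192.0.2.11</srcip>
    <description>Authentication failures from authorised scanner hosts; ignored.</description>
  </rule>

</group>
```

Two practical points. First, keep the rule as narrow as the group above: a blanket `<srcip>` rule with no `<if_group>`/`<if_sid>` would also hide unrelated events from those hosts, and if a scanner host were ever compromised you would be blind to it. Second, the level-0 events are still written to the archive when `<logall>` is enabled, so the scanner traffic remains available for forensics; only add `<options>no_log</options>` if you explicitly want to discard it. If the list of scanner addresses grows, a CDB list (`<list field="srcip" lookup="address_match_key">lists/scanner-ips</list>`, compiled with `ossec-makelists` and declared under `<rules>` in ossec.conf) avoids editing the rule for every new host.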