Instead of using <if_sid> I'd recommend using <level>. My configuration for that kind of periodic security assessment:
<!-- Rule to avoid known and planned scans -->
<rule id="100001" level="0">
  <if_level>6</if_level>
  <srcip>10.32.0.9</srcip>
  <srcip>10.32.0.8</srcip>
  <description>IP address of the automatic scan - Security team</description>
  <info type="text">Automatic Scan IP from pentesting network whitelisted - 01.07.2015</info>
</rule>

On Wednesday, 27 January 2016, 10:14:00 (UTC+1), narendra reddy wrote:
>
> Hi Team,
>
> I have an OSSEC server running in my infrastructure. We have two Alert Logic
> servers which test our infrastructure by doing brute force attacks and all
> kinds of attacks, and OSSEC is sending a lot of mail alerts. I want to drop
> those alert mails if the attack is from those two servers. How can I set a
> rule for it?
>
> I tried to mention those in the local rules file:
>
> <rule id="100001" level="0">
>   <if_sid>5711</if_sid>
>   <srcip>ALERT_LOGIC-IPADDDR1</srcip>
>   <srcip>ALERT_LOGIC-IPADDDR2</srcip>
>   <srcip>IALERT_LOGIC-IPADDDR3</srcip>
>   <description>failed logins from Alert Logic server.</description>
> </rule>
>
> However, it's not working; I still get many alert emails stating multiple
> login failures. I have created similar alerts for 5551, 5712, 5720 and still I
> am getting mail alerts for rule 5551.
>
> Is there a way I can drop the alerts if the attack is from the
> Alert Logic servers on my network?
>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
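The reply's <if_level> rule and the question's <if_sid> rule differ only in their parent condition, and that difference is why one silences a single rule id while the other silences every level-6-and-above alert from the listed hosts. What follows is an added example written for this page, not code from the thread and not OSSEC's own analysisd implementation: a small model of the rule subset used above, run offline against constructed alerts. Assumptions, labelled in the code as well: <if_level>N matches a parent rule whose level is >= N; several <srcip> tags in one rule are OR'd; srcip values are plain IPs or CIDR (OSSEC's "!" negation is not modelled); emails go out at OSSEC's default email_alert_level of 7; the <if_sid> variant reuses the reply's two scanner IPs in place of the question's placeholders so only the parent condition differs; and the alert levels are illustrative, not copied from OSSEC's shipped rule files.

```python
# Added example (not from the ossec-list thread, not OSSEC's own code): a toy
# model of how the two whitelist rules above act on alerts, run offline.
# Assumptions: <if_level>N matches a parent rule with level >= N; several
# <srcip> tags in one rule are OR'd; srcip is a plain IP or CIDR ("!" negation
# not modelled); email goes out at OSSEC's default email_alert_level of 7.
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

EMAIL_ALERT_LEVEL = 7  # ossec.conf default <email_alert_level>

# The rule from the reply above, whitespace restored.
LOCAL_RULES_IF_LEVEL = """
<!-- Rule to avoid known and planned scans -->
<rule id="100001" level="0">
  <if_level>6</if_level>
  <srcip>10.32.0.9</srcip>
  <srcip>10.32.0.8</srcip>
  <description>IP address of the automatic scan - Security team</description>
  <info type="text">Automatic Scan IP from pentesting network whitelisted - 01.07.2015</info>
</rule>
"""

# Constructed counterpart of the question's <if_sid> rule, using the same two
# scanner IPs in place of the original placeholders so only the parent
# condition differs.
LOCAL_RULES_IF_SID = """
<rule id="100001" level="0">
  <if_sid>5711</if_sid>
  <srcip>10.32.0.9</srcip>
  <srcip>10.32.0.8</srcip>
  <description>failed logins from the scanner hosts</description>
</rule>
"""


@dataclass(frozen=True)
class Alert:
    rule_id: int  # id of the OSSEC rule that already matched the event
    level: int    # that rule's level
    srcip: str


# Constructed alerts: rule ids are the ones named in the thread, levels are
# illustrative and not copied from OSSEC's rule files.
SAMPLE_ALERTS = [
    Alert(5711, 10, "10.32.0.9"),     # scanner host, the id the if_sid rule names
    Alert(5551, 10, "10.32.0.8"),     # scanner host, a different rule id
    Alert(5720, 10, "10.32.0.9"),     # scanner host, a different rule id
    Alert(5720, 10, "198.51.100.7"),  # not a scanner: must keep alerting
    Alert(5402, 3, "10.32.0.9"),      # scanner host but below <if_level>6
]


def parse_local_rules(xml_text):
    """Parse the subset of OSSEC rule syntax used in the thread."""
    root = ET.fromstring("<group>" + xml_text + "</group>")  # one root needed
    rules = []
    for r in root.findall("rule"):
        if_sid = r.findtext("if_sid")
        if_level = r.findtext("if_level")
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": {int(s) for s in if_sid.split(",")} if if_sid else set(),
            "if_level": int(if_level) if if_level else None,
            "srcip": [ipaddress.ip_network(e.text.strip(), strict=False)
                      for e in r.findall("srcip")],
        })
    return rules


def rule_matches(rule, alert):
    """Parent condition (if_sid or if_level) AND any one of the listed srcip."""
    if rule["if_sid"]:
        parent_ok = alert.rule_id in rule["if_sid"]
    elif rule["if_level"] is not None:
        parent_ok = alert.level >= rule["if_level"]  # assumption: >= semantics
    else:
        parent_ok = False
    src = ipaddress.ip_address(alert.srcip)
    return parent_ok and any(src in net for net in rule["srcip"])


def effective_level(rules, alert):
    """Level after local rules: the first matching child rule overrides it."""
    for rule in rules:
        if rule_matches(rule, alert):
            return rule["level"]
    return alert.level


def still_emailed(rules, alerts):
    """(rule_id, srcip) of the alerts that still reach EMAIL_ALERT_LEVEL."""
    return [(a.rule_id, a.srcip) for a in alerts
            if effective_level(rules, a) >= EMAIL_ALERT_LEVEL]


if __name__ == "__main__":
    for name, xml in (("if_sid", LOCAL_RULES_IF_SID),
                      ("if_level", LOCAL_RULES_IF_LEVEL)):
        print(name, still_emailed(parse_local_rules(xml), SAMPLE_ALERTS))
```

Under the <if_sid> variant the scanner's 5551 and 5720 alerts are still mailed, because the rule only has 5711 as its parent; under the <if_level> variant everything at level 6 or above from the two hosts drops to level 0 while the 5720 alert from the non-scanner address and the low-level sudo event are left untouched. The caveat that comes with that convenience: the rule silences every level-6+ alert from those two addresses, including ones that would indicate a real compromise of the scanner hosts, so keep the srcip list to exactly the assessment hosts, give each local rule its own id, and retire the rule when the assessment ends (the dated <info> text in the reply's rule is there to make that easy to track).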