Hi Erick,

Can you show us a few of these alerts and a sample of your pix logs? I made some changes to the pix rules and maybe I broke something in the middle.

In addition to that, we have a small document in the wiki on how to ignore specific rules ...

http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/7/06, Erick Kinnee <ekinnee@xxxxxxxxxxxx> wrote:
Have we come up with a workable way to suppress or threshold down alerts for certain devices? I have several PIXes sending syslogs to the OSSEC box and I'm being flooded with alerts. There were 139 of them last night for one PIX as it was doing what it's supposed to and dropping traffic based on ACLs. Maybe I need to turn something down on the PIX? I do have it configured with "logging trap debugging".