[ossec-list] Excluding certain source IPs
Hi all,
this might be simple but I can't find a reference to it.
I'd like to exclude one source IP (or maybe its whole C-class) from
being alerted on.
(This host often runs Nessus scans, causing all sorts of alerts on the
Apache servers).
It looks like the <white_list> tag in ossec.conf is only for active
response, not alerting.
So I suppose some condition should go into local_rules.xml. But what?
There should be an <if_srcip> tag to make an exemption based on
address(es), but there is no such tag.
How could a source IP be completely excluded from alerting?
Thanks,
Kal
Kalman Dee
Canberra, Australia
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.