Exception for specific IP address

Hi All,

We recently installed Graylog in our organisation. We have a tool for scanning vulnerabilities for our environment. We set up a rule for SSH. Is there a way/steps how I can exclude that server from alert messaging?


Easiest way is with a pipeline rule. However, from a security standpoint - remember pentesters love abusing vuln scanners (I certainly do). So, you may want to include logic that indicates it is definitely from the vuln scanner, or that you send up all kinds of alerts if that account is used for anything outside the norm.

Quick and Dirty

rule "drop_vuln_scanner"
when
  has_field("source_ip") AND $message.source_ip == ""  // the scanner's IP goes between the quotes
then
  drop_message();
end
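Added example, not part of the original reply: one way to follow the advice above in Graylog's pipeline rule language is to tag scanner traffic only when the source IP and the account both match, and to flag any message where only one of them does. The address `192.0.2.10`, the account `svc_vulnscan`, and the field names `username`, `vuln_scanner` and `scanner_anomaly` are constructed placeholders; use the values and fields your own extractors produce.

```graylog
// Assumptions (constructed, not from the thread):
//   192.0.2.10    placeholder for the scanner's address
//   svc_vulnscan  placeholder for the account the scanner logs in with
//   username      field your SSH extractor writes the login name to
// Each rule is created as a separate rule and attached to the same stage.

// Tag, rather than drop, messages that match BOTH the scanner's IP and
// its account, so the data stays searchable for later investigation.
rule "tag_vuln_scanner_ssh"
when
  has_field("source_ip") AND has_field("username") AND
  to_string($message.source_ip) == "192.0.2.10" AND
  to_string($message.username) == "svc_vulnscan"
then
  set_field("vuln_scanner", true);
end

// Flag messages where only one half of the identity matches: the scanner
// IP used with some other account, or the scanner account seen from
// another address. These should never be suppressed.
rule "flag_scanner_identity_mismatch"
when
  has_field("source_ip") AND has_field("username") AND
  (
    (to_string($message.source_ip) == "192.0.2.10" AND
     to_string($message.username) != "svc_vulnscan")
    OR
    (to_string($message.source_ip) != "192.0.2.10" AND
     to_string($message.username) == "svc_vulnscan")
  )
then
  set_field("scanner_anomaly", true);
end
```

The SSH alert's search query can then exclude `vuln_scanner:true`, while a separate alert on `scanner_anomaly:true` covers use of the scanner's IP or account outside the norm.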
