Exception for specific IP address

Hi All,

We recently installed Graylog in our organisation. We have a tool for scanning vulnerabilities for our environment. We set up a rule for SSH. Is there a way (or steps) to exclude that server from alert messaging?

Thanks

The easiest way is with a pipeline rule. However, from a security standpoint, remember that pentesters love abusing vuln scanners (I certainly do). So you may want to include logic that indicates it is definitely from the vuln scanner, or have it send up all kinds of alerts if that account is used for anything outside the norm.

Quick and Dirty

// Drops every message whose source_ip field is the scanner address.
rule "drop_vuln_scanner"
when
  has_field("source_ip") AND
  $message.source_ip == "10.10.10.10"
then
  // drop_message() stops the message before it reaches streams and alerts
  drop_message();
end
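A fuller version of the suggestion in the reply above, as an added example rather than code from the original thread: it assumes the SSH events carry `source_ip` and `user` fields, and that the scanner host is 10.10.10.10 logging in as `vulnscan` (both constructed values). The first rule only drops when address and account agree; the second tags the scanner account whenever it appears from anywhere else, so an event definition can alert on the new field.

```graylog
// Assumed field names (constructed for this example): source_ip, user.
// Assumed scanner address and account: 10.10.10.10 / vulnscan.

// Rule 1: suppress only when BOTH the scanner IP and the scanner account match,
// so a different account from that host, or that account from elsewhere, is kept.
rule "drop_vuln_scanner_ssh"
when
  has_field("source_ip") AND
  has_field("user") AND
  to_string($message.source_ip) == "10.10.10.10" AND
  to_string($message.user) == "vulnscan"
then
  drop_message();
end

// Rule 2: the scanner account seen from any other address is out of the norm;
// set a marker field that an event definition / alert condition can key on.
rule "flag_vuln_scanner_account_misuse"
when
  has_field("user") AND
  to_string($message.user) == "vulnscan" AND
  (NOT has_field("source_ip") OR to_string($message.source_ip) != "10.10.10.10")
then
  set_field("scanner_account_misuse", true);
  set_field("alert_reason", "vulnscan account used outside the scanner host");
end
```

Graylog's rule editor takes one `rule ... end` per entry, so create the two rules separately and attach both to the same pipeline stage (or the drop rule to an earlier stage); a message that passes rule 1 can still be tagged by rule 2.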