Pipeline SSH stream rule

Hi All,

We recently installed Graylog in our organisation. We have a tool for scanning vulnerabilities (OpenVAS) installed on a server. I want to exclude that server/IP address from the SSH Deny stream. Is there a way/steps for how I can exclude that server from alert messaging?

Write a processing Pipeline that either deletes the message or gives it some kind of mark that is excluded in the alert.

Hi, I have this:

rule "drop_vuln_scanner"
when
   has_field("source_ip") AND
   $message.source_ip == "10.10.10.10"
then
   drop_message();
end

Is it good?

Does it work for you?

rule "drop_vuln_scanner"
when
   has_field("source_ip") AND
   to_string($message.source_ip) == "10.10.10.10"
then
   drop_message();
end

To make the comparison string to string, you need to give the definition that the field source_ip is a string …
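As an added example (not code from any poster in this thread), here is the "mark instead of drop" variant suggested earlier, written as a Graylog pipeline rule. Dropping the scanner's messages hides them from the alert but also removes them from the audit trail; tagging keeps the record and lets the alert's search query exclude the tag. The rule uses the built-in functions has_field, to_ip, cidr_match and set_field. The CIDR 10.10.10.10/32 and the field names scanner_source and alert_exclude are assumptions for illustration; a scanner subnet can replace the /32.

```text
// Added example: tag messages from the vulnerability scanner instead of dropping them.
// Field names scanner_source / alert_exclude and the CIDR are assumed values for this example.
rule "tag_vuln_scanner"
when
   has_field("source_ip") AND
   // to_ip() with a default avoids a rule error when source_ip is not a parseable address;
   // cidr_match() allows a whole scanner subnet, not just one host
   cidr_match("10.10.10.10/32", to_ip(to_string($message.source_ip), "0.0.0.0"))
then
   // keep the message for audit, but mark it so the alert condition can exclude it
   set_field("scanner_source", true);
   set_field("alert_exclude", "vuln_scanner");
end
```

With this rule attached to the stage that processes the SSH Deny stream, the alert definition's search query can add NOT alert_exclude:vuln_scanner so that scanner traffic no longer triggers notifications while the events stay searchable. As with the rule above, the string quotes must be plain ASCII double quotes; curly quotes pasted from a document will stop the rule from saving.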

I'm trying to set up a new pipeline, but when I click Manage rules - Create new rule it won't let me SAVE it.

The UI should give you some indication why this happens.

I used wrong symbols for quotation marks. Thanks a lot

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.