Pipeline SSH stream rule

Hi All,

We recently installed Grayolg in our organisation. We have a tool for scanning vulnerabilities (OpenVAS) installed on server. I want to exclude that server/IP address from SSH Deny stream. Is there a way/steps how I can exclude that server from alert messaging?

Write a processing Pipeline that either delete this or give the message some kind of a mark that is excluded in the alert.

Hi I have this:
rule “drop_vuln_scanner”
when
has_field(“source_ip”) AND
$message.source_ip == “10.10.10.10”
then
drop_message();
end

Is it good?

does it work for you?

rule “drop_vuln_scanner”
when
   has_field(“source_ip”) AND
   to_string($message.source_ip) == “10.10.10.10”
then
   drop_message();
end

To make the comparison string to string, you need to give the definition that the field source_ip is a string …

Im trying to set up new pipeline, but when I click Manage rules - Create new rule it wont let me to SAVE it.

the UI should give you some indication why this happens.

I used wrong symbols for quotation marks. Thanks a lot