[ossec-list] Re: Disabling Certain Message Triggers
is OK.
You have a few options.
1) If the alert shows the srcip, edit the rule adding the condition
<srcip>!24.159.158.118</srcip>
2) If you want to ignore the specific signature: OSSEC works like a firewall with first-rule-match, meaning that you can add a new signature that matches before the one you want to ignore. How?
a)
# cat >> /var/ossec/rules/user_defined.xml
<group name="syslog"> <!-- This needs to match the same group as the signature you want to override. -->
  <rule id="9001" level="1" frequency="10" timeframe="160"> <!-- level 1 will still log it but not report it; if you do not want to log it at all use level="0" -->
    <regex>update 'anydomain.com/IN' denied</regex>
    <description>DNS update signature override</description>
  </rule>
</group>
b) Edit /var/ossec/etc/ossec.conf and add the rule file user_defined.xml right after rules_config.xml so it will read like:
<rules>
  <include>rules_config.xml</include>
  <include>user_defined.xml</include>
  ...
</rules>
3) A tool I wrote. It is in early development but it works in production. It needs a lot of tweaking of the current ossec structure and therefore is not recommended for the faint of heart.
Read my next post.
On 8/5/06, swbradley1@xxxxxxxxxxxxxxxxxxxxxxxx <swbradley1@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I have put OSSEC into one of my production systems and everything is
working fine but I would like to keep it from triggering on one type of
message.
in.named[259]: [ID 866145 daemon.error] client 24.159.158.118#62624: update 'anydomain.com/IN' denied
I don't want to edit the syslog rules and take error or denied out of
the BAD WORDS variable.
Any ideas?? Something I'm overlooking?
thanks
steve
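The first-match behaviour the reply relies on, and the practical difference between its option 1 (negated srcip on the rule) and option 2 (a silent override rule placed in front), as an added example. This is my code, not code from this thread or from the OSSEC project, and it is a small Python emulation of an OSSEC-style rule file rather than OSSEC's engine: <regex> is run as a Python regex, <match> as |-separated substrings, the source address is pulled from the "client A.B.C.D#port:" token instead of a decoder, and a <srcip> condition is treated as unsatisfied when an event carries no source address (that is how I understand OSSEC's own matcher to behave; treat it as an assumption). Rule ids 9001 and 9990 and the three log lines are constructed for the example, and the override rule carries no frequency/timeframe so that it matches every occurrence.

```python
"""Toy first-match evaluator for OSSEC-style rule files (added example).

Not OSSEC's engine. Assumptions/simplifications:
  * <regex> is evaluated as a Python regex and <match> as |-separated
    substrings; OSSEC has its own pattern dialect for both.
  * srcip is read from a "client A.B.C.D#port:" token (as in the in.named
    line); OSSEC gets it from decoders instead.
  * a <srcip> condition, negated or not, is unsatisfied when the event has
    no decoded source address (my understanding of OSSEC's matcher).
Rule ids 9001/9990 and all log lines below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Option 2 from the reply: a narrowly scoped level-0 override placed BEFORE
# the generic "bad words" rule that would otherwise fire on error/denied.
RULES_OVERRIDE = r"""<rules>
<group name="syslog">
  <rule id="9001" level="0">
    <regex>update 'anydomain\.com/IN' denied</regex>
    <description>DNS update signature override</description>
  </rule>
  <rule id="9990" level="2">
    <match>error|denied</match>
    <description>Stand-in for the generic BAD_WORDS rule</description>
  </rule>
</group>
</rules>"""

# Option 1 from the reply applied to the generic rule itself: exclude one
# source address with a negated <srcip>.
RULES_SRCIP = r"""<rules>
<group name="syslog">
  <rule id="9990" level="2">
    <match>error|denied</match>
    <srcip>!24.159.158.118</srcip>
    <description>Stand-in for the generic BAD_WORDS rule, one client excluded</description>
  </rule>
</group>
</rules>"""

# Constructed sample events; the first is the line quoted in the thread.
DNS_NOISY = ("in.named[259]: [ID 866145 daemon.error] client 24.159.158.118#62624: "
             "update 'anydomain.com/IN' denied")
DNS_OTHER = ("in.named[259]: [ID 866145 daemon.error] client 10.0.0.7#5353: "
             "update 'anydomain.com/IN' denied")
SSHD_ERR = "sshd[1234]: error: PAM: Authentication failure for root from 10.0.0.5"

CLIENT_RE = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#\d+:")


def parse_rules(xml_text):
    """Return rules in file order; that order is what makes first-match work."""
    return [
        {
            "id": int(rule.get("id")),
            "level": int(rule.get("level")),
            "regex": rule.findtext("regex"),
            "match": rule.findtext("match"),
            "srcip": rule.findtext("srcip"),
        }
        for rule in ET.fromstring(xml_text).iter("rule")
    ]


def extract_srcip(line):
    """Toy decoder: the in.named 'client A.B.C.D#port:' token, else None."""
    m = CLIENT_RE.search(line)
    return m.group(1) if m else None


def rule_hits(rule, line, srcip):
    if rule["regex"] and not re.search(rule["regex"], line):
        return False
    if rule["match"] and not any(word in line for word in rule["match"].split("|")):
        return False
    if rule["srcip"]:
        if srcip is None:  # no decoded address: the condition cannot be met
            return False
        wanted = rule["srcip"]
        if wanted.startswith("!"):
            return srcip != wanted[1:]
        return srcip == wanted
    return True


def evaluate(rules, line):
    """First matching rule wins; returns (rule id, level) or None for no alert."""
    srcip = extract_srcip(line)
    for rule in rules:
        if rule_hits(rule, line, srcip):
            return rule["id"], rule["level"]
    return None


if __name__ == "__main__":
    for name, xml_text in (("override", RULES_OVERRIDE), ("srcip", RULES_SRCIP)):
        rules = parse_rules(xml_text)
        for line in (DNS_NOISY, DNS_OTHER, SSHD_ERR):
            print(f"{name:9} {str(evaluate(rules, line)):12} {line[:60]}")
```

With the override rule set, both DNS update denials land on rule 9001 at level 0 (the signature is ignored regardless of client) while the sshd error still reaches the generic rule at level 2. The srcip rule set shows the caveat with option 1 when it is applied to a generic rule: the noisy client is excluded as intended, but the sshd line, which carries no decoded source address, no longer matches the rule at all and goes unreported. If you want the per-client exclusion, put the negated <srcip> on a dedicated override rule in front of the generic one rather than on the generic rule itself.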
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.