
[ossec-list] Re: Disabling Certain Message Triggers



That worked like a charm.

It now logs just fine but no longer e-mails me every hour or so.

Now that I understand the "OSSEC works like a firewall" concept, that will
help out a lot.

thank you


> is OK.
> you have a few options.
>
> 1) If the alert shows the srcip, edit the rule adding the condition
> <srcip>!24.159.158.118</srcip>
>
> 2) If you want to ignore the specific signature: OSSEC works like a
> firewall with first rule match, meaning that you can add a new signature
> that would match before the one that you want to ignore. How?
>
> a)
> # cat >> /var/ossec/rules/user_defined.xml
> <group name="syslog"> <!-- This needs to match the same group as the
> signature you want to override. -->
>   <rule id="9001" level="1" frequency="10" timeframe="160"> <!-- level one
>   will still log it but not report it; if you do not want to log it at all
>   use level="0" -->
>         <regex>update 'anydomain.com/IN' denied</regex>
>         <description>DNS update signature override</description>
>   </rule>
> </group>
> b) Edit /var/ossec/etc/ossec.conf and add the rule file user_defined.xml
> right after rules_config.xml so it will read like:
> <rules>
>  <include>rules_config.xml</include>
>  <include>user_defined.xml</include>
> ...
> </rules>
>
> 3) A tool I wrote. It is in early development but it works in production.
> It needs a lot of tweaking of the current ossec structure and therefore is
> not recommended for the faint of heart.
>
> read my next post.
>
>
>
> On 8/5/06, swbradley1@xxxxxxxxxxxxxxxxxxxxxxxx <
> swbradley1@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>>
>> I have put OSSEC into one of my production systems and everything is
>> working fine but I would like to keep it from triggering on one type of
>> message.
>>
>> in.named[259]: [ID 866145 daemon.error] client 24.159.158.118#62624:
>> update 'anydomain.com/IN' denied
>>
>> I don't want to edit the syslog rules and take error or denied out of
>> the BAD WORDS variable.
>>
>> Any ideas??  Something I'm overlooking?
>>
>> thanks
>> steve
>>
>
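The first-match override described in the reply above, worked through as an added example (editor's code, not part of the thread and not OSSEC's own engine). It is a deliberately simplified model: rules are read in the include order the reply gives, the earliest matching rule wins, and the rule's level decides whether the event is logged or e-mailed. The rule file contents are constructed for the example (rules_config.xml contributes no rules; the level-2 "bad words" rule stands in for the generic syslog rule the original poster wanted to avoid), and the log/e-mail thresholds are assumed values, not anyone's real ossec.conf. Real OSSEC decodes events and walks a rule tree, so use this to understand the ordering idea, not as a substitute for testing with ossec-logtest.

```python
"""Simplified model of first-match rule evaluation as described in the post.
Added example, not OSSEC code: rule files are flattened in include order and
the first rule whose pattern matches the line wins."""
import re
import xml.etree.ElementTree as ET

# Rule files constructed for this model, keyed by file name. rules_config.xml
# holds only configuration, so it contributes no rules. syslog_rules.xml is a
# stand-in for the generic "bad words" rule the thread wants to stop matching.
# The override rule's level is templated so level 0 and level 1 can be compared.
RULE_FILES = {
    "rules_config.xml": '<group name="syslog"></group>',
    "user_defined.xml": """
<group name="syslog">
  <rule id="9001" level="{level}">
    <regex>update 'anydomain.com/IN' denied</regex>
    <description>DNS update signature override</description>
  </rule>
</group>""",
    "syslog_rules.xml": """
<group name="syslog">
  <rule id="1002" level="2">
    <regex>denied|error|failed</regex>
    <description>Unknown problem somewhere in the system (bad words)</description>
  </rule>
</group>""",
}

# The event from the original post.
DNS_LINE = ("in.named[259]: [ID 866145 daemon.error] client 24.159.158.118#62624: "
            "update 'anydomain.com/IN' denied")


def load_rules(include_order, override_level=1):
    """Parse the listed files in include order and return a flat rule list.
    Patterns are compiled with Python's re; for the literal patterns used here
    that is close enough to OSSEC's own regex dialect (assumption of the model)."""
    rules = []
    for name in include_order:
        xml_text = RULE_FILES[name].replace("{level}", str(override_level))
        root = ET.fromstring(xml_text)
        for rule in root.iter("rule"):
            rules.append({
                "id": int(rule.get("id")),
                "level": int(rule.get("level")),
                "pattern": re.compile(rule.findtext("regex")),
                "description": rule.findtext("description"),
            })
    return rules


def first_match(line, rules):
    """First-match semantics: the earliest rule whose pattern matches wins."""
    for rule in rules:
        if rule["pattern"].search(line):
            return rule
    return None


def outcome(line, include_order, override_level=1, log_level=1, email_level=2):
    """Report which rule fired and whether the event is logged or e-mailed.
    log_level and email_level are assumed thresholds for this model (the
    ossec.conf settings log_alert_level and email_alert_level play this role)."""
    rule = first_match(line, load_rules(include_order, override_level))
    if rule is None:
        return {"rule_id": None, "level": None, "logged": False, "emailed": False}
    return {
        "rule_id": rule["id"],
        "level": rule["level"],
        "logged": rule["level"] >= log_level,
        "emailed": rule["level"] >= email_level,
    }


if __name__ == "__main__":
    with_override = ["rules_config.xml", "user_defined.xml", "syslog_rules.xml"]
    without_override = ["rules_config.xml", "syslog_rules.xml"]
    print("no override  :", outcome(DNS_LINE, without_override))
    print("level 1 rule :", outcome(DNS_LINE, with_override, override_level=1))
    print("level 0 rule :", outcome(DNS_LINE, with_override, override_level=0))
    # An unrelated "denied" event still reaches the generic rule, because the
    # override pattern is narrow enough to match only the noisy DNS update.
    print("other denied :", outcome("in.named[259]: zone transfer denied", with_override))
```

The useful check is the last line of the main block: the override only swallows the exact message you want to quiet, and every other "denied" still falls through to the generic rule, which is the property to verify whenever you add a rule that sorts ahead of an existing one.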





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.