
[ossec-list] Re: adding user-defined filters



I am sorry that I have to reply to myself.
My mistake was that I was adding the file in the ossec.conf before rules_config.xml instead of adding it after.

It works.


On 7/2/06, Meir Michanie <meirgotroot@xxxxxxxxx> wrote:
Hi list, second post.
I tried to add a new filter file in order to set up my own rules.
I copied firewall_rules.xml to user_defined.xml.
I changed the numbers to 9000, 9001 ...
Adding the rules file last in etc/ossec.conf does not give any error but does not detect anything.
Adding it first fails to start, saying that it cannot find category 3.
Adding it just before firewall_rules works.
RFC are welcome.

inline is the new file user_defined_rules.xml
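<group name="ids">
  <!-- Parent rule: groups firewall events; level 0, so it raises no alert itself -->
  <rule id="9000" level="0">
    <category>firewall</category>
    <description>Firewall rules grouped.</description>
  </rule>

  <!-- Child rule: level 10 alert when a grouped firewall event contains DPT=22 -->
  <rule id="9099" level="10">
    <if_sid>9000</if_sid>
    <regex>DPT=22</regex>
    <description>Someone connected to port 22</description>
  </rule>
</group>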
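
A check for the include-order mistake described in this thread, as an added example that is not part of the original messages or of OSSEC itself. The function names and the sample ossec.conf fragments are constructed; the if_sid check goes beyond the thread and assumes a parent rule must be defined in the same file or an earlier include.

```python
import xml.etree.ElementTree as ET

def _parse(text):
    # OSSEC files can hold several top-level elements, so wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")

def included_rules(ossec_conf):
    """Rule file names in the order ossec.conf includes them."""
    return [(i.text or "").strip()
            for i in _parse(ossec_conf).iterfind(".//rules/include")]

def check_order(ossec_conf, custom, rule_files=None, base="rules_config.xml"):
    """Return a list of problems; an empty list means none were found."""
    order, problems = included_rules(ossec_conf), []
    if custom not in order:
        return [f"{custom} is not included"]
    if base in order and order.index(custom) < order.index(base):
        problems.append(f"{custom} is included before {base}")
    # Assumption: an <if_sid> parent must already be defined, in this file or
    # an earlier include. Files missing from rule_files contribute no ids.
    seen = set()
    for name in order:
        for rule in _parse((rule_files or {}).get(name, "")).iter("rule"):
            for node in rule.iterfind("if_sid"):
                for sid in (s.strip() for s in (node.text or "").split(",")):
                    if sid and sid not in seen:
                        problems.append(
                            f"{name}: rule {rule.get('id')} needs undefined sid {sid}")
            seen.add(rule.get("id"))
    return problems

# Constructed sample inputs (not taken from a real installation).
GOOD_CONF = """<ossec_config><rules>
  <include>rules_config.xml</include>
  <include>user_defined_rules.xml</include>
  <include>firewall_rules.xml</include>
</rules></ossec_config>"""
BAD_CONF = """<ossec_config><rules>
  <include>user_defined_rules.xml</include>
  <include>rules_config.xml</include>
</rules></ossec_config>"""
USER_RULES = """<group name="ids">
  <rule id="9000" level="0"><category>firewall</category></rule>
  <rule id="9099" level="10"><if_sid>9000</if_sid><regex>DPT=22</regex></rule>
</group>"""

if __name__ == "__main__":
    files = {"user_defined_rules.xml": USER_RULES}
    print(check_order(GOOD_CONF, "user_defined_rules.xml", files))
    print(check_order(BAD_CONF, "user_defined_rules.xml", files))
```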





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.