[ossec-list] Re: What is the best way to preserve the excluded rules in ossec.conf
- To: ossec-list@xxxxxxxxxxxxxxxx
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Thu, 9 Aug 2007 23:49:12 -0300
Hi Peter,
Yes, you should always set your rules in local_rules.xml, and never modify
the default ones.
http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
I also explain a bit about it in my presentation at AusCERT earlier this year:
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/9/07, Peter M. Abraham <peter.m.abraham@xxxxxxxxx> wrote:
>
> Greetings:
>
> This morning I upgraded our ossec server (we use the client/agent
> server approach) from 1.2 to 1.3.
>
> Since we are still in the testing phase of ossec, and I was not sure
> what rules were updated, I did answer "yes" to upgrade, but also "yes"
> to install new rules.
>
> I found that while most of /var/ossec/etc/ossec.conf was preserved,
> the rules I had previously commented out were now uncommented.
>
> Is there a "best practice" way of excluding rules from being processed
> that can be preserved across updates? If so, how?
>
> Thank you.
>
>
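
An added illustration of the advice in this thread (not part of the original messages and not copied from the linked wiki page): the fragile approach of commenting out an include in ossec.conf, beside a local_rules.xml child rule that sets the unwanted alert to level 0. Assumptions: `EXAMPLE_rules.xml` and `SID_TO_IGNORE` are placeholders, and `100001` is a constructed id in the range OSSEC reserves for user-defined rules.

```xml
<!-- Added example; constructed, not from the thread or the OSSEC wiki. -->

<!-- 1. Fragile: editing /var/ossec/etc/ossec.conf.
     An upgrade that installs new rules can restore the commented-out
     include, which is the behaviour reported in the question above.
     EXAMPLE_rules.xml is a placeholder file name. -->
<ossec_config>
  <rules>
    <!-- <include>EXAMPLE_rules.xml</include> -->
    <include>local_rules.xml</include>
  </rules>
</ossec_config>

<!-- 2. Durable: leave the default rule files untouched and add a child
     rule to local_rules.xml. The child matches whenever the parent rule
     (if_sid) fires; level 0 means the event is ignored and no alert is
     raised. Replace SID_TO_IGNORE with the numeric id of the default
     rule to silence. -->
<group name="local,">
  <rule id="100001" level="0">
    <if_sid>SID_TO_IGNORE</if_sid>
    <description>Locally ignored default rule.</description>
  </rule>
</group>
```

After editing local_rules.xml, restart OSSEC so the analysis daemon reloads its rules.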
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.