[ossec-list] Re: What is the best way to modify included rules for alert levels
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: What is the best way to modify included rules for alert levels
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Thu, 9 Aug 2007 23:56:25 -0300
Hi Peter,
If you just want to change the severity, just copy the rule to local_rules.xml
and set 'overwrite = "yes"', and the original one will be changed. This feature
is not well documented, but this presentation explains it a bit:
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
Also here:
http://www.ossec.net/ossec-list/2007-March/msg00079.html
example (to overwrite rule 1002):
<rule id="1002" level="10" overwrite="yes">
  ..
</rule>
or:
<rule id="1002" level="8" overwrite="yes">
  <match>Segmentation|XYZ</match>
  <description>Rule 1002 overwritten.</description>
</rule>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/9/07, Peter M. Abraham <peter.m.abraham@xxxxxxxxx> wrote:
>
> Greetings:
>
> What is the best way to modify the included ossec rules to change the
> alert levels so those changes will be preserved come upgrade time?
>
> If I copy the rule set to local_rules.xml, then do rules in
> local_rules.xml that have the exact same rule id as another file (say
> apache_rules.xml) override apache_rules.xml for the given rule in
> question?
>
> Thank you.
>
>
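As an added illustration of the overwrite mechanism described in the reply above (this is not code from the thread or from the OSSEC project), here is what a complete local_rules.xml would look like when lowering rule 1002 to level 8. Because overwrite="yes" replaces the whole rule definition rather than patching one attribute, the match condition has to be restated; the pattern Segmentation|XYZ is the constructed one from the reply and should be replaced by the match copied from the shipped rule file. The group name is an assumption.

```xml
<!-- local_rules.xml: survives upgrades because the shipped rule files are
     never edited; the rule below replaces the stock rule 1002 entirely. -->
<group name="local,syslog,">

  <!-- Same id as the stock rule, new level, overwrite="yes".
       Everything inside the rule is restated, since overwrite does not
       merge with the original: a rule with only id/level and no
       condition would never match anything. -->
  <rule id="1002" level="8" overwrite="yes">
    <!-- Constructed pattern taken from the reply; copy the real <match>
         (or <regex>) from the shipped rule you are overriding. -->
    <match>Segmentation|XYZ</match>
    <description>Rule 1002 overwritten from local_rules.xml.</description>
  </rule>

</group>
```

To confirm the override took effect, feed a matching log line to /var/ossec/bin/ossec-logtest: the output should show rule 1002 firing at level 8 rather than its stock level. If the rule no longer fires at all, the restated match condition is the usual culprit.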
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.