
[ossec-list] Re: False positive



Already found some examples on the wiki (but rather hard to find, I
admit).
I created this rule:

<group name="local">
 <rule id="100101" level="0">
   <if_sid>31106</if_sid>
   <match>splunk</match>
   <user>drbob</user>
   <description>Events ignored</description>
 </rule>
</group>

This should work for me as it ignores the main rule when I use splunk
(which is proxied by apache from port 8000 to port 80) when I log on.
When someone else tries to log on it should still fire and trigger an
active response.
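To show how OSSEC's if_sid override works for the rule in this post, here is an added Python simulation (not OSSEC code and not from the poster): the child rule 100101 is selected only when the parent 31106 has matched and its <match> and <user> conditions both hold, and its level 0 then replaces the parent's level. The parent's level of 6 and the user field being available to the rule are assumptions of this simulation.

```python
import xml.etree.ElementTree as ET

# Copy of the rule from the post, embedded as constructed sample input.
LOCAL_RULES = """<group name="local">
 <rule id="100101" level="0">
   <if_sid>31106</if_sid>
   <match>splunk</match>
   <user>drbob</user>
   <description>Events ignored</description>
 </rule>
</group>"""

# Assumed level for the parent rule in this simulation (hypothetical value).
PARENT_RULES = {"31106": 6}


def parse_local_rules(xml_text):
    """Return one dict per <rule> with its id, level, if_sid list, match and user."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        if_sid = rule.findtext("if_sid") or ""
        rules.append({
            "id": rule.get("id"),
            "level": int(rule.get("level")),
            "if_sid": [s.strip() for s in if_sid.split(",") if s.strip()],
            "match": rule.findtext("match"),
            "user": rule.findtext("user"),
        })
    return rules


def evaluate(event, parent_id, local_rules):
    """Simulate child-rule selection: after parent_id has matched, the first child
    whose if_sid names the parent and whose conditions all hold replaces it.
    Returns (rule_id, level); level 0 means the event is dropped silently."""
    for rule in local_rules:
        if parent_id not in rule["if_sid"]:
            continue
        if rule["match"] and rule["match"] not in event["log"]:
            continue
        if rule["user"] and rule["user"] != event.get("user"):
            continue
        return rule["id"], rule["level"]
    # No child matched: the parent rule keeps its own level and fires.
    return parent_id, PARENT_RULES[parent_id]
```

A different user, or the same user on a URL without "splunk", falls through to the parent rule and would still fire.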





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.