[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] Hmmm... More on ignoring certain alerts

To: OSSEC Users List <ossec-list@xxxxxxxxxxxxxxxx>
Subject: [ossec-list] Hmmm... More on ignoring certain alerts
From: "Kayvan A. Sylvan" <kayvan@xxxxxxxxxx>
Date: Fri, 16 Feb 2007 10:16:34 -0800
Content-disposition: inline

Okay, following up on ignoring certain alerts:

Part of my local_rules.xml is:

 <rule id="100070" level="0">
    <if_sid>1002</if_sid>
    <match>smbd\.*   Denied connection from  (0.0.0.0)</match>
    <description>Ignoring smbd denied connection from</description>
  </rule>

And yet, I am still getting these:

  OSSEC HIDS Notification.
  2007 Feb 16 09:52:22

  Received From: server->/var/log/messages
  Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
  Portion of the log(s):

  Feb 16 09:52:21 server smbd[14947]:   Denied connection from  (0.0.0.0) 

What am I doing wrong?

Thanks.

			---Kayvan
-- 
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)

Follow-Ups:
- [ossec-list] Re: Hmmm... More on ignoring certain alerts
  - From: Mark Haney

Prev by Date: [ossec-list] Re: RootCheck and Oracle - Disable RootCheck on specific interface?
Next by Date: [ossec-list] Re: Hmmm... More on ignoring certain alerts
Previous by thread: [ossec-list] Re: RootCheck and Oracle - Disable RootCheck on specific interface?
Next by thread: [ossec-list] Re: Hmmm... More on ignoring certain alerts
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.