[ossec-list] Re: Still getting those smbd alerts I am trying to ignore
Kayvan A. Sylvan wrote:
> My local_rules.xml contains these snippets:
>
> <rule id="100070" level="0">
> <if_sid>1002</if_sid>
> <program_name>smbd</program_name>
> <regex>^\s*Denied connection from (0.0.0.0)</regex>
> <description>Ignoring smbd denied connection from</description>
> </rule>
>
> <rule id="100080" level="0">
> <if_sid>1002</if_sid>
> <program_name>smbd</program_name>
> <regex>^\s*Connection denied from (0.0.0.0)</regex>
> <description>Ignoring smbd denied connection from</description>
> </rule>
Try changing this: <regex>^\s*Connection denied from (0.0.0.0)</regex>
To this: <regex>^\s*Connection denied from 0.0.0.0</regex>
Or this: <match>Connection denied from 0.0.0.0</match>
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.