
[ossec-list] rule override



Hi folks. I have a problem with rule overriding. I want to ignore the rules for "CRON[11681]: (pam_unix) session closed for user root". I edited local_rules.xml like this:

<rule id="100002" level="0" noalert="1">
    <if_sid>5501,5502</if_sid>
    <match>CRON</match>
    <description>CRON LOGINS</description>
</rule>


But I still get the alert. I tried deleting the noalert directive, but no chance: I always get the alert for CRON jobs. What can I do about it?
(I included local_rules.xml in the ossec.conf.)

I am using version 1.1. Is there any upgrade guide to version 1.2?



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.