[ossec-list] Re: rule override
Hi,
try to use program_name instead of the match directive.
Greetings
On Mon, 28-05-2007 at 16:00 +0300, jepa kazol wrote:
> Hi folks. I have a problem with rule overriding. I want to ignore the
> rules for "CRON[11681]: (pam_unix) session closed for user root". I
> edited the local_rules.xml like this:
>
> <rule id="100002" level="0" noalert="1">
> <if_sid>5501,5502</if_sid>
> <match>CRON</match>
> <description>CRON LOGINS</description>
> </rule>
>
>
> But I still get the alert. I tried deleting the noalert directive
> and no chance, I always get the alert for CRON jobs. What can I do
> with it?
> (I included local_rules.xml in the ossec.conf).
>
> I am using version 1.1. Is there any upgrade guide to version 1.2?
--
---
Iñaki Rodríguez
irodriguez@xxxxxxxxxxx
Systems Department
Head office: (+34) 902 888 345
Technical support: (+34) 902 888 408
ACK STORM, S.L.
http://www.ackstorm.es
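
The suggestion above, written out as an added example (not part of either message and not taken from the OSSEC rule set). OSSEC pre-decodes the syslog header before rules run, so `<match>` is tested against the message text only, where the string CRON no longer appears; the sample log line's timestamp and hostname and the group name `local,` are assumptions.

```xml
<!-- local_rules.xml

     Constructed sample event:
       May 28 16:00:01 myhost CRON[11681]: (pam_unix) session closed for user root

     After pre-decoding the fields are:
       hostname:     myhost
       program_name: CRON
       log:          (pam_unix) session closed for user root

     <match> is compared with the "log" field, so <match>CRON</match>
     never fires for this event. <program_name> is compared with the
     program name taken from the syslog header. -->
<group name="local,">

  <!-- Child of the rules named in the original post (5501, 5502).
       Attributes are kept as posted; only the <match> line is replaced. -->
  <rule id="100002" level="0" noalert="1">
    <if_sid>5501,5502</if_sid>
    <program_name>CRON</program_name>
    <description>CRON LOGINS</description>
  </rule>

</group>
```

Keeping `<if_sid>` limits the override to the two parent rules, so other events logged by cron are still evaluated by the rest of the rule set.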
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.