[ossec-list] Re: My own rules
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: My own rules
- From: Dan <securitydan@xxxxxxxxx>
- Date: Wed, 19 Sep 2007 11:15:56 +0200
Hi
I also have a logfile from a resource which isn't integrated in ossec
right now. How can I add the support and my own rules for that?
I added the logfile in the ossec.conf and as format syslog. But now
all logfiles will be processed by the syslog rules. How can I force
ossec to use my own rules for exactly this logfile?
Regards,
Dan
On 19.09.2007 at 03:18, Daniel Cid wrote:
>
> Hi Daniel,
>
> Regarding how to write the rules, the following documents can help:
>
> http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
> http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 9/18/07, Peter M. Abraham <peter.m.abraham@xxxxxxxxx> wrote:
>>
>> Greetings Daniel:
>>
>> Custom rules can be placed in /var/ossec/rules/local_rules.xml
>>
>> Thank you.
>>
>>
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.