Difference between revisions of "Modifying default OSSEC rules"

Home > CentOS > CentOS 6.x > Security tools > OSSEC > Modifying default OSSEC rules

Disable email alerts

To disable email alerts from a rule use one of the following three ways:

• Comment <option>alert_by_email</option>
• Decrease level so that there is no alert by default
• Explicitly specify <option>no_email_alert</option>

This may be required for very generic 1002, 1003 rules which generate too many alerts otherwise.

More rule syntax at http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html

Disable particular rule using local_rules.xml

To disable particular rule using '/var/ossec/rules/local_rules.xml' use following definition:

    <rule id="100002" level="0">
      <if_sid>40111</if_sid>
      <description>Ignoring authentication failures from radius server</description>
    </rule>

Ignore VPN server's LDAP object failed notifications from OSSEC

To ignore particular type of alerts which get caught as catch-all (unknown 1002 rule) use:

   <rule id="100031" level="0">
      <if_sid>1002</if_sid>
      <match>LDAP search failed: No such object</match>
      <description>Ignored LDAP search failed on VPN server</description>
   </rule>

Steps learned from http://www.linuxbsdos.com/2015/02/26/configure-ossec-to-not-email-alerts-on-iptables-denied-messages/

Refer http://osdir.com/ml/ossec-list/2010-03/msg00215.html and examples in the local_rules.xml file. More syntax at http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html

Home > CentOS > CentOS 6.x > Security tools > OSSEC > Modifying default OSSEC rules