Modifying default OSSEC rules

From Notes_Wiki
Revision as of 05:37, 14 April 2015 by Saurabh


Disable email alerts

To stop a rule from sending email alerts, use one of the following three ways:

  • Comment out the rule's <options>alert_by_email</options> line (OSSEC emails every match of a rule carrying this option, regardless of its level)
  • Decrease the rule's level below the email_alert_level configured in ossec.conf (default 7), so the rule still alerts but no email is sent; this only works if the rule does not also carry alert_by_email
  • Explicitly add <options>no_email_alert</options> to the rule

This may be required for the very generic rules 1002 and 1003, which otherwise generate too many email alerts. The first two ways mean editing the stock rule files under /var/ossec/rules/, which are replaced when OSSEC is upgraded; the same effect can be had without touching them by writing a child rule with <if_sid> in local_rules.xml, which survives upgrades.

More rule syntax at http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html
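As an added example (not from the original page), the following local_rules.xml fragment applies the third way to rule 1002 and the second way to rule 1003 through <if_sid> child rules, so the stock syslog_rules.xml stays untouched. The rule ids 100020 and 100021 are arbitrary picks from the 100000-109999 range reserved for local rules, and the levels assume the stock definitions (1002 at level 2 with alert_by_email, 1003 at level 13):

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (not OSSEC's own code).
     Rule ids 100020/100021 are arbitrary choices from the local range 100000-109999. -->
<group name="local,syslog,">

  <!-- Way 3: keep rule 1002's alert in alerts.log, but never email it.
       A child rule whose only condition is <if_sid> matches every event that
       matched 1002, so this rule replaces 1002 in the alert and drops the email.
       Level 2 mirrors the stock rule 1002. -->
  <rule id="100020" level="2">
    <if_sid>1002</if_sid>
    <options>no_email_alert</options>
    <description>Unknown problem somewhere in the system (no email).</description>
  </rule>

  <!-- Way 2, expressed as an override: the stock 1003 is level 13, above the
       default email_alert_level of 7 in ossec.conf, so it is emailed. Demoting it
       to level 5 still writes the alert but sends no email. -->
  <rule id="100021" level="5">
    <if_sid>1003</if_sid>
    <description>Non standard syslog message (size too large), demoted: no email.</description>
  </rule>

</group>
```

To check the override before restarting, paste a matching log line into /var/ossec/bin/ossec-logtest; the rule id it reports should now be 100020 (or 100021) rather than the stock id. Then apply the change with /var/ossec/bin/ossec-control restart.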


Disable particular rule using local_rules.xml

To disable a particular rule using '/var/ossec/rules/local_rules.xml', add a child rule that references it with <if_sid> and has level 0 (level 0 alerts are ignored entirely and are not written to alerts.log), for example:

    <rule id="100002" level="0">
      <if_sid>40111</if_sid>
      <description>Ignoring authentication failures from radius server</description>
    </rule>

See http://osdir.com/ml/ossec-list/2010-03/msg00215.html and the examples in the local_rules.xml file. More syntax at http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html. Note that, despite its description, the rule above ignores every match of 40111 ("Multiple authentication failures"), not only those from the radius server, because the child rule carries no condition besides <if_sid>; add a condition such as <hostname> to restrict it to the intended source.
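As an added example (not from the original page or the OSSEC project), the same override scoped to one log source. The hostname "radius01" is an assumption; <hostname> is matched with OS_Match against the hostname field of the syslog header, so it is a substring match unless anchored with ^. The rule id 100003 is an arbitrary pick from the local range:

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (not OSSEC's own code).
     Hostname "radius01" and rule id 100003 are assumptions for illustration. -->
<group name="local,syslog,">

  <!-- Only ignore 40111 when the log line came from the RADIUS server.
       Events from any other host still fire the stock 40111 at level 10. -->
  <rule id="100003" level="0">
    <if_sid>40111</if_sid>
    <hostname>^radius01</hostname>
    <description>Ignoring multiple authentication failures from the radius server</description>
  </rule>

</group>
```

Verify with /var/ossec/bin/ossec-logtest using two sample lines, one carrying the radius host in its syslog header and one from another host: the first should end at rule 100003 (level 0, no alert), the second should still reach 40111.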