====== OSSEC RULES tips ======
===== How to add an exception rule =====
See: http://stackoverflow.com/questions/8921570/ossec-how-add-exception-rule

For instance, to stop getting alerts like this:
<code>
Received From: (xxx) x.x.x.66->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jul 24 18:42:51 xxx opendkim[25819]: 9E14330007C: s=smtpout d=messagingengine.com SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
</code>
Adding the exception:
<code>
opendkim
...
1002
$GOOD_WORDS
Ignore good_words.
</code>
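
A complete local rules fragment for the exception above, as an added example that is not from the original page or the linked answer. The values opendkim, 1002, $GOOD_WORDS and the description come from the page; the file path (default install), the rule ids 100001 and 100002, level="0", the group name and the narrower second rule are assumptions.

```xml
<!-- /var/ossec/rules/local_rules.xml (default path assumed).
     Added example: rule ids, level and group name are assumptions. -->

<!-- Words that should no longer trigger rule 1002.
     Separate several entries with "|". -->
<var name="GOOD_WORDS">opendkim</var>

<group name="local,syslog,">

  <!-- Broad form, built from the values on the page: an event that
       already matched rule 1002 and also matches GOOD_WORDS is dropped.
       level="0" means ignore: no alert and no e-mail.
       Caveat: this hides every rule 1002 hit that matches the word,
       including new and unrelated errors. -->
  <rule id="100001" level="0">
    <if_sid>1002</if_sid>
    <match>$GOOD_WORDS</match>
    <description>Ignore good_words.</description>
  </rule>

  <!-- Narrower alternative (assumption, not on the page): suppress only
       the known-noisy message from the opendkim program, so other
       opendkim errors still raise rule 1002. Keep one of the two rules. -->
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <program_name>^opendkim$</program_name>
    <match>bad signature</match>
    <description>Ignore opendkim RSA bad signature errors.</description>
  </rule>

</group>
```

Paste the log line from the alert into /var/ossec/bin/ossec-logtest to confirm which rule fires before restarting OSSEC.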