OSSEC RULES tips
How to add an exception rule
see: http://stackoverflow.com/questions/8921570/ossec-how-add-exception-rule
For instance, to stop getting alerts like this:
Received From: (xxx) x.x.x.66->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jul 24 18:42:51 xxx opendkim[25819]: 9E14330007C: s=smtpout d=messagingengine.com SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
Add the exception in local_rules.xml:
<var name="GOOD_WORDS">opendkim</var>
...
<rule id="100002" level="0">
  <if_sid>1002</if_sid>
  <match>$GOOD_WORDS</match>
  <description>Ignore good_words.</description>
</rule>
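A narrower variant, added here as an example (not from the original note or the linked answer): the rule above drops every rule 1002 event that matches opendkim, so other opendkim errors would be silenced as well. This version scopes the exception to the program name decoded from the syslog header plus the specific message text. Assumptions: rule id 100003 and the group name are constructed for illustration.

```xml
<!-- local_rules.xml: added example, narrower than the GOOD_WORDS exception -->
<group name="local,syslog,">  <!-- group name is an assumption -->

  <!-- Child of rule 1002: only evaluated after 1002 has already matched. -->
  <rule id="100003" level="0">  <!-- id 100003 is constructed -->
    <if_sid>1002</if_sid>
    <!-- Restrict to events whose decoded program name is opendkim. -->
    <program_name>^opendkim$</program_name>
    <!-- Restrict to the one message from the alert shown above. -->
    <match>INT_RSA_VERIFY:bad signature</match>
    <description>Ignore opendkim RSA bad signature messages only.</description>
  </rule>

</group>
```

To check which rule fires before relying on the exception, paste the sample log line into ossec-logtest (/var/ossec/bin/ossec-logtest in a default install) and restart OSSEC once the result is as expected.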

