OSSEC RULES tips

How to add an exception rule

see: http://stackoverflow.com/questions/8921570/ossec-how-add-exception-rule

For instance, to stop getting alerts like this:

Received From: (xxx) x.x.x.66->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jul 24 18:42:51 xxx opendkim[25819]: 9E14330007C: s=smtpout d=messagingengine.com SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signature

Adding the exception to local_rules.xml:

<!-- variable definitions go at the top of local_rules.xml, before any <group> -->
<var name="GOOD_WORDS">opendkim</var>

...

  <!-- child of rule 1002: a 1002 alert whose log line contains "opendkim" is
       dropped to level 0, so no alert is generated. <match> is a substring
       match, so this also silences any other 1002 line that merely mentions
       opendkim, not just the DKIM verification error above -->
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <match>$GOOD_WORDS</match>
    <description>Ignore good_words.</description>
  </rule>

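A narrower variant, added here as an example and not part of the original tip: instead of matching the word "opendkim" anywhere in the line, it keys on the syslog program name and on the specific DKIM verification error, so other opendkim errors still raise rule 1002. Rule id 100003 and the group name are assumptions.

```xml
<!-- local_rules.xml: the <group> wrapper is where local rules live -->
<group name="local,syslog,">

  <!-- only silence the expected "bad signature" DKIM verification failure
       reported by the opendkim program itself; any other line that trips
       rule 1002, even one containing "opendkim", still alerts -->
  <rule id="100003" level="0">
    <if_sid>1002</if_sid>
    <program_name>opendkim</program_name>
    <match>INT_RSA_VERIFY:bad signature</match>
    <description>opendkim: inbound DKIM signature failed to verify (expected noise).</description>
  </rule>

</group>
```

Restart OSSEC after editing the file, then confirm with ossec-logtest that the sample line from the alert now hits rule 100003 and that a different opendkim error still hits 1002.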
ossec/rules.txt · Last modified: 2014/07/24 19:03 by a
CC Attribution-Share Alike 4.0 International