Hi Peter,

If you just want to change the severity, just copy the rule to local_rules.xml and set 'overwrite = "yes"', and the original one will be changed. This feature is not well documented, but this presentation explains it a bit:
http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf

Also here:
http://www.ossec.net/ossec-list/2007-March/msg00079.html

Example (to overwrite rule 1002):

<rule id="1002" level="10" overwrite="yes">
..
</rule>

or:

<rule id="1002" level="8" overwrite="yes">
  <match>Segmentation|XYZ</match>
  <description>Rule 1002 overwritten.</description>
</rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/9/07, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings:
>
> What is the best way to modify the included ossec rules to change the
> alert levels so those changes will be preserved come upgrade time?
>
> If I copy the rule set to local_rules.xml, then do rules in
> local_rules.xml that have the exact same rule id as another file (say
> apache_rules.xml) override apache_rules.xml for the given rule in
> question?
>
> Thank you.
>
>
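
An added example (not part of the original email, and not OSSEC's own code): a small pre-deployment check of the override method described in the reply. It compares local_rules.xml against a stock rules file and reports which local rules reuse a stock rule id, whether they carry overwrite="yes", and how the level changes. The function names and both sample files are assumptions constructed for illustration; only rule id 1002 and its override come from the email.

```python
import xml.etree.ElementTree as ET

# Constructed sample files; stock levels and descriptions are made up.
STOCK_RULES = """<group name="syslog,">
  <rule id="1002" level="2"><description>constructed stock rule</description></rule>
  <rule id="1003" level="13"><description>constructed stock rule</description></rule>
</group>"""
LOCAL_RULES = """<group name="local,">
  <rule id="1002" level="8" overwrite="yes">
    <match>Segmentation|XYZ</match>
    <description>Rule 1002 overwritten.</description>
  </rule>
  <rule id="1003" level="5"><description>copied, attribute forgotten</description></rule>
  <rule id="100001" level="7"><description>new local rule</description></rule>
</group>"""

def load_rules(text):
    """Map rule id -> (level, has overwrite="yes").
    Rule files can hold several top-level <group> elements, so wrap them
    in a synthetic root to get a single well-formed document."""
    root = ET.fromstring("<root>" + text + "</root>")
    return {r.get("id"): (int(r.get("level", "0")), r.get("overwrite") == "yes")
            for r in root.iter("rule")}

def audit_overrides(stock_text, local_text):
    """Return (rule id, finding, stock level, local level) tuples."""
    stock, local = load_rules(stock_text), load_rules(local_text)
    findings = []
    for rid in sorted(local, key=int):
        level, overwrite = local[rid]
        if rid in stock and overwrite:
            # The method from the email: same id plus overwrite="yes".
            findings.append((rid, "override", stock[rid][0], level))
        elif rid in stock:
            # Same id as a stock rule but the attribute is missing.
            findings.append((rid, "duplicate-id-no-overwrite", stock[rid][0], level))
        elif overwrite:
            # overwrite="yes" on an id that no stock rule defines.
            findings.append((rid, "overwrite-without-original", None, level))
    return findings

if __name__ == "__main__":
    for rid, finding, old, new in audit_overrides(STOCK_RULES, LOCAL_RULES):
        print(f"rule {rid}: {finding} (level {old} -> {new})")
```

The old and new levels are reported side by side so that an override which lowers a level, and therefore quiets an alert, is visible in review.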