Hi Dave,

If you are trying to ignore these messages, you can set the level to 0
(no need to increase the severity).

  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <match>update.bad.phishing.sites|getpeername failed</match>
    <description>Ignored messages.</description>
  </rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Jan 16, 2008 5:23 AM, Dave Rutlidge <[EMAIL PROTECTED]> wrote:
>
>  The current incarnation is to change rule 1002 to
>
>   <rule id="1002" level="2">
>     <match>$BAD_WORDS</match>
>     <!-- options>alert_by_email</options -->
>     <description>Unknown problem somewhere in the system.</description>
>   </rule>
>
> to prevent the rule sending emails then add
>
>   <rule id="100101" level="8">
>     <if_sid>1002</if_sid>
>     <match>update.bad.phishing.sites|getpeername failed</match>
>     <options>no_email_alert</options>
>     <description>Unknown problem somewhere in the system.</description>
>   </rule>
>
> to send emails for anything but the false positives.  I don't really like
> this solution (even if it works, and I don't yet know if it does) because it
> elevates the rule to level 8.
>
> ________________________________
> From: Steve McMaster [mailto:[EMAIL PROTECTED]
>
> To: ossec-list@googlegroups.com
> Sent: Tue, 15 Jan 2008 12:46:16 +0000
>
>
> Subject: [ossec-list] Re: How do I turn off the emails for certain rules
>
>
>  I think it would probably be better to just tune the false positives,
>  rather than the whole rule. That way, if one of these alerts should turn
>  out to be a real problem, you don't suppress the email.
>
>  Can you maybe send the local rule you had tried creating? I have a few
>  examples of exceptions to rule 1002 that I've created to ignore false
>  positives if you'd like to take a look and see how I did it.
>
>  Dave Rutlidge wrote:
>  > Hi Steve,
>  >
>  > Yes it does. The rule I was talking about was 1002, which does have the
>  > alert by email option set. I'd tried creating a local rule to ignore
>  > rule 1002 when certain strings were matched to try to stop the unwanted
>  > emails, but that didn't seem to work (your reply explains why).
>  >
>  > I guess I'll have to change the definition of rule 1002 to not email,
>  > then add a custom rule to email the ones that don't match the false
>  > positives I'm getting. How would I write a match or regex to say
>  >
>  > <match>*neither of*(string a|string b)</match>
>  >
>  > Thanks
>  >
>  > Dave
>  >
>  > ------------------------------------------------------------------------
>  > *From:* Steve McMaster [mailto:[EMAIL PROTECTED]
>  > *To:* ossec-list@googlegroups.com
>  > *Sent:* Mon, 14 Jan 2008 17:15:37 +0000
>  > *Subject:* [ossec-list] Re: How do I turn off the emails for certain
>  > rules
>  >
>  >
>  > It depends on why the rule is alerting. Some rules are configured to
>  > always email, regardless of their level, and some rules will email
>  > because their level is at or above your configured "email_alert_level."
>  >
>  > An example of the first would be rule 502, located in
>  > $OSSEC_DIR/rules/ossec_rules.xml. The definition for this rule should
>  > look like this:
>  >
>  > <rule id="502" level="3">
>  > <if_sid>500</if_sid>
>  > <options>alert_by_email</options>
>  > <match>Ossec started</match>
>  > <description>Ossec server started.</description>
>  > </rule>
>  >
>  > If you want to disable a rule like this, just remove the options line
>  > (or, if there are multiple options, just remove "alert_by_email").
>  >
>  > For the other case, you have two choices. You can either raise
>  > "email_alert_level" in $OSSEC_DIR/etc/ossec.conf, or you can create a
>  > custom rule that will override the level. If you want to create a custom
>  > rule, I wrote an article on how to tune unwanted rules. You can find it
>  > at http://news.hurricanelabs.com/article.php?story=20071228095952670.
>  >
>  > Hope this answers your question.
>  >
>  > Dave Rutlidge wrote:
>  > > Some rules always send emails, but I don't want them to. How can I turn
>  > > off email notification for specific rules?
>  > >
>  > > TIA
>  > >
>  > > Dave
>  >
>

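An added example, not from any message in this thread, that puts the two approaches discussed above side by side in one local_rules.xml. The rule ids in the 100000+ range, the group name, and the third match string ("clock skew too great") are assumptions for illustration; the first two strings and rule 1002 come from the thread.

```xml
<!-- Added example (not from the thread): $OSSEC_DIR/rules/local_rules.xml
     Child rules of 1002 that take over for specific false positives.
     Ids 100101/100102 and the group name are assumed local-rule values. -->
<group name="local,syslog,">

  <!-- Option A, Daniel's suggestion: drop the known false positives.
       A level-0 child rule fires instead of 1002, so nothing is written to
       alerts.log and no mail is sent. Any other $BAD_WORDS hit still lands
       on 1002 and is emailed exactly as before, which is the
       "anything but the false positives" behaviour Dave wanted, without
       touching rule 1002 or raising any level. -->
  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <match>update.bad.phishing.sites|getpeername failed</match>
    <description>Known false positives of rule 1002, ignored.</description>
  </rule>

  <!-- Option B: keep the event in alerts.log for later review but send no
       mail for it. The level stays at 2, the same as 1002, so the child is
       not elevated the way a level-8 rule would be; no_email_alert cancels
       the parent's alert_by_email. The match string here is constructed. -->
  <rule id="100102" level="2">
    <if_sid>1002</if_sid>
    <match>clock skew too great</match>
    <options>no_email_alert</options>
    <description>Time-sync noise matched by rule 1002; logged, not mailed.</description>
  </rule>

</group>
```

Option A is the right choice when the messages carry no value at all; Option B when you want them on disk for correlation or auditing but not in your inbox. Both leave rule 1002 itself untouched, so a new, unexpected $BAD_WORDS hit still produces an email. The threshold Steve mentioned lives in the `<alerts>` section of $OSSEC_DIR/etc/ossec.conf as `email_alert_level`; it only governs rules that lack an explicit `alert_by_email` option, which is why rule 1002 emails at level 2.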