Hi Dave,

If you are trying to ignore these messages, you can set the level to 0 (no need to increase the severity).

  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <match>update.bad.phishing.sites|getpeername failed</match>
    <description>Ignored messages.</description>
  </rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Jan 16, 2008 5:23 AM, Dave Rutlidge <[EMAIL PROTECTED]> wrote:
>
> The current incarnation is to change rule 1002 to
>
>   <rule id="1002" level="2">
>     <match>$BAD_WORDS</match>
>     <!-- options>alert_by_email</options -->
>     <description>Unknown problem somewhere in the system.</description>
>   </rule>
>
> to prevent the rule sending emails, then add
>
>   <rule id="100101" level="8">
>     <if_sid>1002</if_sid>
>     <match>update.bad.phishing.sites|getpeername failed</match>
>     <options>no_email_alert</options>
>     <description>Unknown problem somewhere in the system.</description>
>   </rule>
>
> to send emails for anything but the false positives. I don't really like
> this solution (even if it works, and I don't yet know if it does) because it
> elevates the rule to level 8.
>
> ________________________________
> From: Steve McMaster [mailto:[EMAIL PROTECTED]
> To: ossec-list@googlegroups.com
> Sent: Tue, 15 Jan 2008 12:46:16 +0000
> Subject: [ossec-list] Re: How do I turn off the emails for certain rules
>
> I think it would probably be better to just tune the false positives,
> rather than the whole rule. That way, if one of these alerts should turn
> out to be a real problem, you don't suppress the email.
>
> Can you maybe send the local rule you had tried creating? I have a few
> examples of exceptions to rule 1002 that I've created to ignore false
> positives if you'd like to take a look and see how I did it.
>
> Dave Rutlidge wrote:
> > Hi Steve,
> >
> > Yes it does. The rule I was talking about was 1002, which does have the
> > alert by email option set. I'd tried creating a local rule to ignore
> > rule 1002 when certain strings were matched to try to stop the unwanted
> > emails, but that didn't seem to work (your reply explains why).
> >
> > I guess I'll have to change the definition of rule 1002 to not email,
> > then add a custom rule to email the ones that don't match the false
> > positives I'm getting. How would I write a match or regex to say
> >
> >   <match>*neither of*(string a|string b)</match>
> >
> > Thanks
> >
> > Dave
> >
> > ------------------------------------------------------------------------
> > *From:* Steve McMaster [mailto:[EMAIL PROTECTED]
> > *To:* ossec-list@googlegroups.com
> > *Sent:* Mon, 14 Jan 2008 17:15:37 +0000
> > *Subject:* [ossec-list] Re: How do I turn off the emails for certain rules
> >
> > It depends on why the rule is alerting. Some rules are configured to
> > always email, regardless of their level, and some rules will email
> > because their level is at or above your configured "email_alert_level."
> >
> > An example of the first would be rule 502, located in
> > $OSSEC_DIR/rules/ossec_rules.xml. The definition for this rule should
> > look like this:
> >
> >   <rule id="502" level="3">
> >     <if_sid>500</if_sid>
> >     <options>alert_by_email</options>
> >     <match>Ossec started</match>
> >     <description>Ossec server started.</description>
> >   </rule>
> >
> > If you want to disable a rule like this, just remove the options line
> > (or, if there are multiple options, just remove "alert_by_email").
> >
> > For the other case, you have two choices. You can either raise
> > "email_alert_level" in $OSSEC_DIR/etc/ossec.conf, or you can create a
> > custom rule that will override the level. If you want to create a custom
> > rule, I wrote an article on how to tune unwanted rules. You can find it
> > at http://news.hurricanelabs.com/article.php?story=20071228095952670.
> >
> > Hope this answers your question.
> >
> > Dave Rutlidge wrote:
> > > Some rules always send emails, but I don't want them to. How can I turn
> > > off email notification for specific rules? 
> > >
> > > TIA
> > >
> > > Dave
> > >
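The two ideas in this thread, Daniel's level-0 child rule under rule 1002 and Steve's two email triggers (alert_by_email versus email_alert_level), as an added toy model written for this page; it is not OSSEC's own analysisd code, and the email_alert_level, the $BAD_WORDS stand-in and the sample log lines are constructed.

```python
# Toy model of OSSEC rule selection and the email decision (added illustration,
# not OSSEC code). A child rule with <if_sid> refines the parent's decision;
# level 0 means "ignored", alert_by_email forces mail regardless of level,
# otherwise mail goes out only when level >= email_alert_level.

EMAIL_ALERT_LEVEL = 7  # constructed value for <email_alert_level> in ossec.conf
BAD_WORDS = "core_dumped|failure|error|attack|failed"  # constructed stand-in for $BAD_WORDS

RULES = [
    # stock rule 1002 as the thread describes it: low level, but always emails
    {"id": 1002, "level": 2, "match": BAD_WORDS, "options": {"alert_by_email"}},
    # Daniel's exception: level 0 silences the two known false positives
    {"id": 100101, "level": 0, "if_sid": 1002,
     "match": "update.bad.phishing.sites|getpeername failed", "options": set()},
]


def matches(pattern, log):
    """<match> is a literal-substring alternation, '|' separating alternatives."""
    return any(part in log for part in pattern.split("|"))


def evaluate(log):
    """Return the rule that fires for `log`: the first matching parent, then
    the first matching child that names that parent in <if_sid>."""
    fired = next((r for r in RULES if "if_sid" not in r and matches(r["match"], log)), None)
    if fired is None:
        return None
    child = next((r for r in RULES
                  if r.get("if_sid") == fired["id"] and matches(r["match"], log)), None)
    return child or fired


def will_email(rule):
    """Steve's two triggers, plus the two ways to switch mail off."""
    if rule is None or rule["level"] == 0:      # no rule, or ignored rule
        return False
    if "no_email_alert" in rule["options"]:     # explicit opt-out
        return False
    if "alert_by_email" in rule["options"]:     # forced mail, whatever the level
        return True
    return rule["level"] >= EMAIL_ALERT_LEVEL   # normal threshold


def decide(log):
    """(rule id or None, emails?) for one log line."""
    rule = evaluate(log)
    return (rule["id"] if rule else None, will_email(rule))
```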