Hi Mark,

OSSEC will not convert the &gt; and &lt; back to > and <. The ">" you can use without problems, but the "<" needs to be escaped to "\<" (but this is only supported on the latest CVS snapshot).

You can probably use:

<rule id="100001" level="0">
  <if_sid>1002</if_sid>
  <program_name>exim</program_name>
  <match>UnhandledExceptionError| => |</match>
  <description>Ignore successful emails</description>
</rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Aug 19, 2009 at 12:56 PM, Mark Smith<mark.sm...@avcosystems.co.uk> wrote:
> I'm getting a lot of messages about successful emails when the subject,
> sender or recipient contains a "bad word" since it triggers rule 1002
> (examples attached)
>
> I was hoping that adding this to local_rules.xml on the server would
> suppress it, but so far no luck:
>
> <rule id="100001" level="0">
>   <if_sid>1002</if_sid>
>   <program_name>exim</program_name>
>   <options>no_email_alert</options>
>   <match> => | <= </match>
>   <description>Ignore successful emails</description>
> </rule>
>
> Is there a way to diagnose rules, or to find out if the config on the agent
> actually sees this rule?
>
> Thanks,
>
> --
> Mark Smith
>
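
Added example, not part of the original thread and not OSSEC code: a small Python check that scans a rules file for the two problems named in the reply above, XML entities left inside a <match> pattern and a "<" that is not written as "\<". The sample rules and the ids 100002 and 100003 are constructed for illustration, and the function name lint_rules is hypothetical.

```python
import re

# Constructed sample of a local_rules.xml fragment (not the thread's attachment).
# Rule id 100001 is the one used in the thread; 100002 and 100003 are made up.
SAMPLE = r"""
<group name="local,">
  <rule id="100001" level="0">
    <if_sid>1002</if_sid>
    <match> =&gt; | &lt;= </match>
  </rule>
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <match> => | <= </match>
  </rule>
  <rule id="100003" level="0">
    <if_sid>1002</if_sid>
    <match> => | \<= </match>
  </rule>
</group>
"""

# Regexes instead of an XML parser: a bare "<" in a pattern is exactly the
# case being hunted, and it would make a strict XML parser reject the file.
RULE_RE = re.compile(r'<rule\s+id="(\d+)"[^>]*>(.*?)</rule>', re.DOTALL)
MATCH_RE = re.compile(r"<match>(.*?)</match>", re.DOTALL)
ENTITY_RE = re.compile(r"&(?:lt|gt);")
BARE_LT_RE = re.compile(r"(?<!\\)<")  # "<" not preceded by a backslash


def lint_rules(text):
    """Return (rule_id, problem, detail) tuples for suspicious <match> bodies."""
    findings = []
    for rule in RULE_RE.finditer(text):
        rule_id, body = rule.groups()
        for pattern in MATCH_RE.findall(body):
            for entity in ENTITY_RE.findall(pattern):
                # Per the reply: entities are not converted back to > and <.
                findings.append((rule_id, "entity-not-decoded", entity))
            if BARE_LT_RE.search(pattern):
                # Per the reply: "<" has to be written as "\<".
                findings.append((rule_id, "unescaped-lt", pattern.strip()))
    return findings


if __name__ == "__main__":
    for finding in lint_rules(SAMPLE):
        print(*finding, sep="\t")
```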