Hi Adam,

You have two options. If you have users A, B, C and D and you only
want to get the alerts for
users A and B, you can:


-Write a rule matching on these two users and ignore the others:

<rule id="100456" level="0">
 <if_sid>xyz</if_sid>
 <match>Ignoring for everything...</match>
</rule>

<rule id="100457" level="10">
 <if_sid>100456</if_sid>
 <user>A|B</user>
 <match>Alert for users A and B</match>
</rule>


-Or write a rule to ignore for users C and D and alert for all others:

<rule id="100456" level="10">
 <if_sid>xyz</if_sid>
 <match>Alert everything...</match>
</rule>

<rule id="100457" level="0">
 <if_sid>100456</if_sid>
 <user>C|D</user>
 <match>Ignore for users C and D</match>
</rule>


Makes sense?

thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
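To check what the two options above actually do, here is a small simulator of the rule-chaining idiom (a parent rule with `<if_sid>` children, where a final level of 0 means "ignore"). This is an added example, not code from OSSEC or from the thread: real analysisd also runs decoders, frequency and timeframe logic, and much more, and this models only `<if_sid>`, `<match>`, `<user>` and level-0 suppression. The parent rule stands in for the "xyz" rule in the reply, the log lines are constructed rather than real Windows events, and the third rule set assumes, hypothetically, that service accounts share a `svc_` naming prefix so that one `<user>` pattern covers them without listing each account.

```python
"""Tiny simulator of the OSSEC rule-chaining idiom from the reply above.

Added example, not OSSEC's own code.  It models only <if_sid>, <match>,
<user> and level-0 suppression, so the effect of the two options (and of
Adam's service-account variant) can be checked on constructed events.
"""
import re
import xml.etree.ElementTree as ET

# The parent rule stands in for "xyz"; its <match> string and the log lines
# below are constructed.  <user> is a regex in OSSEC, so it is anchored here:
# the unanchored "A|B" from the reply would also match a user called "Adam".
OPTION_ALERT_ONLY_AB = """
<group name="lockout_example">
  <rule id="100456" level="0">
    <match>Account locked out</match>
  </rule>
  <rule id="100457" level="10">
    <if_sid>100456</if_sid>
    <user>^A$|^B$</user>
    <description>Lockout for users A and B</description>
  </rule>
</group>
"""

OPTION_IGNORE_CD = """
<group name="lockout_example">
  <rule id="100456" level="10">
    <match>Account locked out</match>
  </rule>
  <rule id="100457" level="0">
    <if_sid>100456</if_sid>
    <user>^C$|^D$</user>
    <description>Ignore lockouts for users C and D</description>
  </rule>
</group>
"""

# Adam's case, assuming (hypothetically) that service accounts share a
# naming prefix, so one pattern covers them instead of listing each one.
OPTION_SERVICE_ACCOUNTS = (OPTION_ALERT_ONLY_AB
                           .replace("^A$|^B$", "^svc_")
                           .replace("users A and B", "service accounts"))


def _lockout(user):
    # Constructed sample event; not a real Windows log line.
    return {"user": user, "log": f"Security: Account locked out: user {user}"}


EVENTS = [_lockout(u) for u in ("A", "B", "C", "D", "Adam", "svc_backup", "jsmith")]
EVENTS.append({"user": "A", "log": "Security: Successful logon: user A"})


def _parse_rules(rules_xml):
    """Pull id, level, if_sid, match and user out of each <rule>."""
    rules = []
    for r in ET.fromstring(rules_xml).iter("rule"):
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_sid": (r.findtext("if_sid") or "").strip() or None,
            "match": r.findtext("match"),
            "user": r.findtext("user"),
        })
    return rules


def _matches(rule, event):
    if rule["match"] and rule["match"] not in event["log"]:
        return False
    if rule["user"] and not re.search(rule["user"], event["user"]):
        return False
    return True


def _deepest_match(rules, event, parent=None):
    """First matching rule at this level wins, then its children are tried;
    the deepest match decides the final level, as in OSSEC's rule tree."""
    for rule in rules:
        if rule["if_sid"] == parent and _matches(rule, event):
            return _deepest_match(rules, event, rule["id"]) or rule
    return None


def alerted_users(rules_xml, events=EVENTS):
    """Return the users whose events produce an alert (final level > 0)."""
    rules = _parse_rules(rules_xml)
    out = []
    for ev in events:
        hit = _deepest_match(rules, ev)
        if hit and hit["level"] > 0:      # level 0 means "ignore"
            out.append(ev["user"])
    return out


if __name__ == "__main__":
    print("option 1 (alert A,B only):", alerted_users(OPTION_ALERT_ONLY_AB))
    print("option 2 (ignore C,D):    ", alerted_users(OPTION_IGNORE_CD))
    print("service accounts (^svc_): ", alerted_users(OPTION_SERVICE_ACCOUNTS))
```

Both options give the same answer for users A through D; they differ for everyone else (option 1 stays silent for unknown users, option 2 alerts on them), which is the real choice between the two. Note that `<user>` is matched as a regex, so patterns should be anchored (`^A$|^B$`) in production rules; the unanchored `A|B` in the reply would also fire for any user name that merely contains an A or a B.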

On Wed, Aug 19, 2009 at 9:47 AM, Adam Gardner<agentgr...@gmail.com> wrote:
>
> OK, but what if you are trying to alert on user lockouts in AD, but
> only want to see the service accounts being locked out. How would you
> go about ignoring all the other users in the company and only match
> the service accounts? Would you have to put each service account in
> the rule?
>
> On Jul 23, 1:44 pm, Daniel Cid <daniel....@gmail.com> wrote:
>> Hi Rafael,
>>
>> If you don't want an alert if the log matches a string, just set the
>> severity to 0. For example:
>>
>> <rule id="100456" level="0">
>>   <if_sid>xyz</if_sid>
>>   <match>testing this rule</match>
>> </rule>
>>
>> It accomplishes the same thing as the negation.
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Fri, Jul 10, 2009 at 3:42 PM, Rafael Gomes<rafael.go...@ufba.br> wrote:
>>
>> > Hi,
>>
>> > I want to modify a rule so that I don't get an alert that matches "testing this
>> > rule" (for example).
>>
>> > I should put this in the rule:
>>
>> > <match>!testing this rule</match>
>>
>> > Correct?
>>
>> > Thanks!
>> > --
>> > Rafael Brito Gomes
>> > Projeto UFBA
>> > LPIC-1
>> > CPM Braxis
>> > Tel : +55 71 3283 6102
>> > http://www.cpmbraxis.com
>
