On 03/05/2012 16:52, A-Dubbs wrote:
In which file would I create the level 0 rules you prescribe that wouldn't
trigger alerts and wouldn't log anything in alerts.log? In Dan
(ddp)'s first reply in this thread, he advised me (I'm brand new to
OSSEC but really trying here!!!) not to modify the msauth_rules.xml
file. I pretty much understand why after he explained why I shouldn't,
but I don't see any other place but the msauth_rules.xml file to lower
the level on some of these low-to-mid level alerts in the file so they
won't trigger alerts in the alerts.log file. For example, when a Windows
workstation's system account logs onto the domain controller
(WINDOWS_LOGIN_SUCCESS), or a user logs on (AUDIT_SUCCESS), I don't
think I should see OSSEC triggering an alert on my system.
Every rule you want to update or create has to be in
/var/ossec/rules/local_rules.xml.
Either overwrite an existing rule to decrease its level to zero, e.g.:
<!-- overwrite="yes" replaces the stock rule with the same id; level 0 means nothing is written to alerts.log -->
<rule id="18107" level="0" overwrite="yes">
  <description>Ignoring Windows Logoff.</description>
  <match>^WinEvtLog: Security: AUDIT_SUCCESS</match>
</rule>
or create your own new rule (id>1000000) to remove certain false
positive alerts, e.g.:
<!-- a new rule that only fires as a child of rule 1002, for events from snmptrapd -->
<rule id="100002" level="0">
  <if_sid>1002</if_sid>
  <program_name>snmptrapd</program_name>
  <description>Ignoring unknown problem somewhere in the system for snmptrapd</description>
</rule>
Everything is detailed in the documentation.
Don't forget to load local_rules.xml in ossec.conf.
--
Cheers,
Florian Crouzat
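A small audit script for the approach in the reply above, added here as an example and not part of the original thread or of OSSEC itself: it parses a local_rules.xml body and reports which stock rules are silenced by a level-0 overwrite, which new rules are level 0, and which new rule ids fall outside the custom range. The sample XML is constructed for this example (the third rule is deliberately wrong), and audit_local_rules is a hypothetical helper, not an OSSEC tool.

```python
import xml.etree.ElementTree as ET

# Constructed sample local_rules.xml body (not from any real deployment).
# The first two rules mirror the reply; the third is deliberately wrong.
SAMPLE_LOCAL_RULES = """
<group name="local,">
  <rule id="18107" level="0" overwrite="yes">
    <description>Ignoring Windows Logoff.</description>
    <match>^WinEvtLog: Security: AUDIT_SUCCESS</match>
  </rule>
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <program_name>snmptrapd</program_name>
    <description>Ignoring unknown problem for snmptrapd</description>
  </rule>
  <rule id="5000" level="0">
    <description>Bad: new rule using a stock id without overwrite</description>
  </rule>
</group>
"""

# OSSEC reserves 100000-119999 for user-defined rules.
LOCAL_ID_RANGE = range(100000, 120000)


def audit_local_rules(xml_text):
    """Return a list of (rule_id, finding) tuples for a local_rules.xml body."""
    # local_rules.xml may hold several top-level <group> elements, so wrap
    # the body in a synthetic root to keep it well-formed for the parser.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    findings = []
    seen = set()
    for rule in root.iter("rule"):
        rid = int(rule.get("id"))
        level = int(rule.get("level", "0"))
        overwrite = rule.get("overwrite", "no") == "yes"
        if rid in seen:
            findings.append((rid, "duplicate id in local rules"))
        seen.add(rid)
        if overwrite and level == 0:
            # A stock rule has been replaced by a silent copy: record it so
            # the silenced events are a known, reviewed decision.
            findings.append((rid, "stock rule silenced (level 0 overwrite)"))
        elif not overwrite and rid not in LOCAL_ID_RANGE:
            findings.append((rid, "new rule id outside custom range 100000-119999"))
        elif not overwrite and level == 0:
            findings.append((rid, "new level-0 rule: matching events will not be alerted"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_local_rules(SAMPLE_LOCAL_RULES):
        print(rule_id, finding)
```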