Re: [ossec-list] Local Rules Syntax
Hi,

Can you post the alert you are trying to ignore? Your hostname syntax is correct and should have worked.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Mar 5, 2010 at 2:47 PM, Jefferson, Shawn shawn.jeffer...@bcferries.com wrote:
> Thanks, that helps! I guess I still have the issue that <hostname>snort01|snort02</hostname> is not working for the second hostname (ie. alerts are being fired still.)
RE: [ossec-list] Local Rules Syntax
Maybe you could write your rule like this:

    <rule id="...">
      ...
      <hostname>snort01</hostname>
      <hostname>snort02</hostname>
      ...
    </rule>

I'm not sure if it is going to work, but it doesn't hurt to try.

Best regards,
Branimir

From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of Jefferson, Shawn
Sent: Friday, March 05, 2010 7:47 PM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] Local Rules Syntax

> Thanks, that helps! I guess I still have the issue that <hostname>snort01|snort02</hostname> is not working for the second hostname (ie. alerts are being fired still.)
RE: [ossec-list] Local Rules Syntax
Hi,

Sure, it's this:

    <group name="local,snort">
      <rule id="100100" level="0" noalert="1">
        <if_sid>20100</if_sid>
        <hostname>snort01|snort02</hostname>
        <description>Ignoring snort events</description>
      </rule>
    </group>

--
Thanks,
Shawn

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of Daniel Cid
Sent: Tuesday, March 09, 2010 4:46 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Local Rules Syntax

> Hi,
>
> Can you post the alert you are trying to ignore? Your hostname syntax is correct and should have worked.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
Re: [ossec-list] Local Rules Syntax
A workaround would be to create 2 rules, one with hostname=host1, one with hostname=host2. But if anyone has any idea how to do it properly, I'd like to know.

On Fri, Mar 5, 2010 at 7:47 PM, Jefferson, Shawn shawn.jeffer...@bcferries.com wrote:
> Thanks, that helps! I guess I still have the issue that <hostname>snort01|snort02</hostname> is not working for the second hostname (ie. alerts are being fired still.)
Re: [ossec-list] Local Rules Syntax
The agents don't have a copy of the rules, only the server does. The agents pass the logs onto the server, and the server does all of the processing. So only the server needs a copy of the rules files.

On Thu, Mar 4, 2010 at 5:42 PM, Jefferson, Shawn shawn.jeffer...@bcferries.com wrote:
> Are you saying that you cannot put rules into the local_rules.xml file on the manager and have them applied to agents? I thought I had seen a mailing list post that you could do that.
>
> So what I need to do is make a change to the local_rules.xml file on each agent where I want to ignore this event?
>
> Thanks,
> Shawn
RE: [ossec-list] Local Rules Syntax
Thanks, that helps! I guess I still have the issue that <hostname>snort01|snort02</hostname> is not working for the second hostname (ie. alerts are being fired still.)

From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of oscar schneider
Sent: Friday, March 05, 2010 4:54 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Local Rules Syntax

> No, what he is trying to say is that you do not push the rules to the agents, only configs. This is because the rules are not needed by the agents. The rules are only used by ossec-analysisd, which doesn't run on agents, but on the server only. The ossec.conf and agent.conf are also read by agent side daemons, e.g. syscheck and logcollector.
>
> On the agent side, for log analysis only the following things happen:
>
> 1. ossec-logcollector reads ossec.conf and agent.conf. From there it extracts the locations of the files it needs to monitor.
> 2. Every time one of these logfiles gets a new log entry, logcollector will notice and write it to a socket.
> 3. ossec-agentd forwards the contents of that socket to the server.
>
> The server will do the following:
>
> 1. ossec-analysisd reads decoder.xml and all rule files as specified in ossec.conf.
> 2. When remoted receives a message from an agent, it forwards that message to analysisd.
> 3. Analysisd runs the predecoder (hard coded afaik), the appropriate decoder (as defined in decoder.xml) and then starts rule matching, i.e. compares the output of the decoding phase with the rules. Analysisd maybe has to consider a rule chain, e.g. if a decoded message matches rule 1000, and rule 1001 has <if_sid>1000</if_sid> and matches also, then 1001 would be returned instead of stopping at 1000.
> 4. After determining the final rule that matches, an alert is generated and, if specified by the rule's options and alert level, e.g. an active response or email notification is triggered.
>
> As you can see, the rules are not pushed. They are not necessary on the agent side at all. Changing the local_rules.xml at the server and restarting the server should suffice.
>
> On Thu, Mar 4, 2010 at 11:42 PM, Jefferson, Shawn shawn.jeffer...@bcferries.com wrote:
>> Are you saying that you cannot put rules into the local_rules.xml file on the manager and have them applied to agents? I thought I had seen a mailing list post that you could do that.
>
> As described above, the rules are not needed for the agent.
>
>> So what I need to do is make a change to the local_rules.xml file on each agent where I want to ignore this event?
>
> No
>
>> Thanks,
>> Shawn
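The server-side matching step described in the quoted message above (decoded event, base rule, <if_sid> chain, <hostname> check), as an added Python sketch that is not OSSEC's code and not from anyone in the thread. The sample rules and events are constructed; treating the hostname value as '|'-separated substring alternatives is an assumption about OSSEC's matcher, and the example also shows why the comma-separated form from the start of the thread leaves every sensor alerting.

```python
"""Toy emulation of the OSSEC analysisd rule-matching step described in the
thread (added example, not OSSEC code): the decoded event is matched against a
base rule, child rules with <if_sid> may refine it (the rule chain), and the
final rule's level / noalert decide whether an alert fires."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    id: int
    level: int
    description: str
    decoded_as: Optional[str] = None  # base rules match on the decoder name
    if_sid: Optional[int] = None      # parent rule this rule refines
    hostname: Optional[str] = None    # OSSEC-style pattern; '|' = alternation
    noalert: bool = False

def hostname_matches(pattern: str, host: str) -> bool:
    """Assumed OS_Match-style semantics: '|' separates alternatives and each
    alternative is a substring match unless anchored with ^ and/or $.
    'snort01, snort02' is therefore ONE literal alternative, which is why the
    comma form from the thread matches neither sensor."""
    for alt in pattern.split("|"):
        core = alt.lstrip("^").rstrip("$")
        if alt.startswith("^") and alt.endswith("$"):
            hit = host == core
        elif alt.startswith("^"):
            hit = host.startswith(core)
        elif alt.endswith("$"):
            hit = host.endswith(core)
        else:
            hit = core in host
        if hit:
            return True
    return False

def rule_applies(rule: Rule, event: dict) -> bool:
    """Only the two checks the thread talks about: decoder name and hostname."""
    if rule.decoded_as is not None and rule.decoded_as != event["decoder"]:
        return False
    if rule.hostname is not None and not hostname_matches(rule.hostname, event["hostname"]):
        return False
    return True

def final_rule(rules: list, event: dict) -> Optional[Rule]:
    """Follow the if_sid chain: if rule 1000 matches and a rule carrying
    <if_sid>1000</if_sid> also matches, that child is the result."""
    current = next((r for r in rules if r.if_sid is None and rule_applies(r, event)), None)
    while current is not None:
        child = next((r for r in rules if r.if_sid == current.id and rule_applies(r, event)), None)
        if child is None:
            break
        current = child
    return current

def fires_alert(rules: list, event: dict) -> bool:
    """Level 0 or noalert on the final rule means the event is silenced."""
    r = final_rule(rules, event)
    return r is not None and r.level > 0 and not r.noalert

def ruleset(hostname_pattern: str) -> list:
    """Constructed stand-in for the thread's rules: base rule 20100 (the page
    gives no level for it; 6 is a placeholder) and local rule 100100 that is
    meant to silence it for the listed sensors."""
    return [
        Rule(20100, 6, "IDS event (placeholder)", decoded_as="snort"),
        Rule(100100, 0, "Ignoring snort events", if_sid=20100,
             hostname=hostname_pattern, noalert=True),
    ]

def alerting_hosts(hostname_pattern: str) -> dict:
    """Which constructed sensors still alert under a given <hostname> value."""
    events = [{"decoder": "snort", "hostname": h} for h in ("snort01", "snort02", "snort03")]
    return {e["hostname"]: fires_alert(ruleset(hostname_pattern), e) for e in events}

if __name__ == "__main__":
    print("comma form:", alerting_hosts("snort01, snort02"))  # every sensor still alerts
    print("pipe form: ", alerting_hosts("snort01|snort02"))   # only snort03 alerts
```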
RE: [ossec-list] Local Rules Syntax
Hi,

I have tried this, but unfortunately it doesn't seem to work for the snort02 hostname (ie. I still get alerts from that machine, but not from the snort01.)

Thanks,
Shawn

From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of oscar schneider
Sent: Wednesday, March 03, 2010 4:35 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] Local Rules Syntax

> Hey, not sure at the moment but I think it should be <hostname>snort01|snort02</hostname> instead.
>
> Kind regards,
> oscar
Re: [ossec-list] Local Rules Syntax
Hi,

you don't push out rules, you push out config files, as specified here:

http://www.ossec.net/main/manual/centralized-config/

here you can specify configurations as follows:

    <agent_config name="agent1|agent2">
      <localfile>
        <location>/var/log/my.log</location>
        <log_format>syslog</log_format>
      </localfile>
    </agent_config>

the <hostname>host1|host2</hostname> should work on the event coming from either of both hosts.

Kind Regards,
Wim

On 04 Mar 2010, at 18:06, Jefferson, Shawn wrote:
> Hi,
>
> I have tried this, but unfortunately it doesn’t seem to work for the “snort02” hostname (ie. I still get alerts from that machine, but not from the snort01.)
>
> Thanks,
> Shawn
Re: [ossec-list] Local Rules Syntax
Hey, not sure at the moment but I think it should be <hostname>snort01|snort02</hostname> instead.

Kind regards,
oscar

On Tue, Mar 2, 2010 at 6:55 PM, Jefferson, Shawn shawn.jeffer...@bcferries.com wrote:
> Hi,
>
> I’m putting some local rules into the local_rules.xml file on the manager (from what I’ve read you can put them here to push out to your agents?) Can you use a comma separated list in hostname like so?
>
>     <group name="local,snort">
>       <rule id="100100" level="0" noalert="1">
>         <if_sid>20100</if_sid>
>         <hostname>snort01, snort02</hostname>
>         <description>Ignoring snort events</description>
>       </rule>
>     </group>
>
> Or should you use a regex?
>
> Thanks,
> Shawn