Hi guys,
I have a question about user defined rules....
I have created a "user_defined.xml" file in the rules directory and
included it into my ossec.conf file (I have added it just above the
"attack_rules.xml" include line).
I have an FTP user that logs in automatically every 2 minutes, and I
want to remove it from the alert.log.
If I use the rule
<group name="proftpd,syslog,">
<rule id="100022" level="0">
<if_sid>11205</if_sid>
<match>USER theusername: Login successful.</match>
<description>Ignore these errors.</description>
</rule>
</group> <!-- SYSLOG,PROFTPD -->
it works correctly (in other words logins by that user are ignored
because of level="0"),
but I would much rather use:
<rule id="100022" level="3" noalert="1">
......
But this does NOT work: the "noalert" option is ignored and the
logins are logged.
I also want to do a similar thing to avoid logging Apache's "file
not found" errors, and have the same problem: the user-defined rule
only works when I lower the "level" setting, and the "noalert"
setting is ignored.
By the way, I know that I could do these things by editing the
standard rules, but I want to avoid doing that to make upgrading to
future versions easier, and to keep all my customized rules in one place.
Thanks in advance for your help,
Charles
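As an added illustration (not OSSEC's own code and not part of the post above), the following Python models the mechanism the working level="0" rule relies on: a child rule hung off rule 11205 via <if_sid> takes over from the parent when its <match> text is found, and a rule at level 0 never reaches OSSEC's <log_alert_level> threshold (default 1), so nothing is written to alerts.log. The stand-in for stock rule 11205 (its match text and description), the user name "backupbot", the log lines and the simplified parent-then-child tree walk are all constructed for this example; OSSEC's real engine matches against decoded fields and this model does not attempt to reproduce the "noalert" attribute at all.

```python
"""Toy model of OSSEC rule overriding: a level-0 child rule silences its parent.

Added example. It is NOT OSSEC's analysisd; it only mimics the parts of the
rule tree needed to show why a level="0" override stops an alert.
"""
import xml.etree.ElementTree as ET

# Constructed rule set. Rule 11205 is a placeholder for the stock proftpd
# rule; rule 100022 is the kind of override a user would put in a local file.
RULES_XML = """
<rules>
  <group name="proftpd,syslog,">
    <rule id="11205" level="3">
      <match>Login successful</match>
      <description>FTP login successful (placeholder for the stock rule).</description>
    </rule>
    <rule id="100022" level="0">
      <if_sid>11205</if_sid>
      <match>USER backupbot: Login successful.</match>
      <description>Ignore automated FTP logins from backupbot.</description>
    </rule>
  </group>
</rules>
"""

# OSSEC's default <log_alert_level>: an event is alerted on when its final
# rule level is >= this value, so level 0 can never produce an alert.
LOG_ALERT_LEVEL = 1

# Constructed proftpd syslog lines: two from the automated account, one human.
SAMPLE_LOG = [
    "Jan 10 10:00:01 ftp proftpd[1234]: host (10.0.0.5[10.0.0.5]) - USER backupbot: Login successful.",
    "Jan 10 10:00:07 ftp proftpd[1235]: host (10.0.0.9[10.0.0.9]) - USER alice: Login successful.",
    "Jan 10 10:02:01 ftp proftpd[1236]: host (10.0.0.5[10.0.0.5]) - USER backupbot: Login successful.",
]


def load_rules(xml_text):
    """Parse <rule> elements into plain dicts (id, level, if_sid, match)."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        if_sid = r.findtext("if_sid")
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": int(if_sid) if if_sid is not None else None,
            "match": r.findtext("match") or "",
            "description": r.findtext("description") or "",
        })
    return rules


def evaluate(rules, log_line):
    """Return the final matching rule for one line.

    Simplified tree walk: a top-level rule (no <if_sid>) matches first, then
    any child whose <if_sid> names the current rule and whose <match> text is
    a substring of the line replaces it. The deepest matching rule wins.
    """
    current = None
    for rule in rules:
        if rule["if_sid"] is None and rule["match"] in log_line:
            current = rule
            break
    if current is None:
        return None
    descended = True
    while descended:
        descended = False
        for rule in rules:
            if rule["if_sid"] == current["id"] and rule["match"] in log_line:
                current = rule
                descended = True
                break
    return current


def alerts(rules, log_lines, threshold=LOG_ALERT_LEVEL):
    """Return (rule id, level, line) for each line whose final rule alerts."""
    fired = []
    for line in log_lines:
        rule = evaluate(rules, line)
        if rule is not None and rule["level"] >= threshold:
            fired.append((rule["id"], rule["level"], line))
    return fired


if __name__ == "__main__":
    for rule_id, level, line in alerts(load_rules(RULES_XML), SAMPLE_LOG):
        print(f"ALERT rule={rule_id} level={level}: {line}")
```

Running it prints a single alert, for alice's login: both backupbot lines descend from 11205 into the level-0 child 100022 and fall below the threshold. Deleting rule 100022 from RULES_XML makes all three lines alert at level 3, which is the behaviour the post describes before the override was added.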