Daniel,
Understood.
Thanks for your great support!
Charles
On Aug 20, 2006, at 22:37 , Daniel Cid wrote:
Hi Charles,
Meir's suggestion to use the monolithic rules is to make your life
easier in the future (and also to make them easy to manage). However, to
answer your question, the "noalert" attribute does not have the meaning you
would expect by the name. It means that if you match this rule, check for
any "child" rule. If you don't find any, keep searching for other rules...
You will see that we generally use it for the initial rules in each group.
<rule id="5700" level="0" noalert="1">
<decoded_as>sshd</decoded_as>
<description>SSHD messages grouped.</description>
</rule>
The way you are using the user_defined.xml is correct. You will not have
any problem during upgrades. However, to reduce the verbosity of the
alerts, I would suggest reducing the severity (level) of these rules (to
1 or 2, say) and setting the "log_alert_level" to 4, 5 or something higher.
Hope it helps..
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/20/06, kef_list <[EMAIL PROTECTED]> wrote:
Sorry, I don't understand.
All I want to do is to create user-defined rules that override some
of the built-in options, not create a monolithic rules file....
On Aug 20, 2006, at 15:38 , Meir Michanie wrote:
>
>
> I would encourage you to follow the howto:
>
> http://www.ossec.net/wiki/index.php/Monolitic_rules_file
____________________________________________________
Institut Balear de Comunicacions, S.L.
Gremio Tejedores 22, 1
07009 Palma de Mallorca, Spain
Tel: +34 971.45.90.99 | Mobile: +34 607.87.12.77
Fax: +34 971.43.08.18 | E-mail: [EMAIL PROTECTED]
URL: http://www.ibacom.es/
____________________________________________________
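The two points Daniel makes above (a "noalert" grouping rule handing off to its "if_sid" children and, failing that, letting the search continue; and lowering the level of a user-defined child rule so that "log_alert_level" filters it out) are easier to see in a small, runnable model. The following is an added example, not OSSEC's own code: it is a deliberately simplified evaluator for a handful of OSSEC-style rules. Rule 5700 is the one quoted in the thread; every other rule id, description, host address and log line below is constructed for the example, and the evaluator only understands the id, level, noalert, decoded_as, match and if_sid attributes (no decoders, regexes, frequency or timeframe).

```python
"""Toy model of the OSSEC rule-matching behaviour described in the thread.

Added example, not OSSEC source.  Rule 5700 is copied from the thread;
all other rule ids, descriptions, addresses and log lines are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed "built-in" rules in OSSEC rule syntax.
BUILTIN_RULES = """
<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>
  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>Failed password</match>
    <description>Failed password (constructed example rule).</description>
  </rule>
  <rule id="1002" level="2">
    <match>error</match>
    <description>Generic error word (constructed example rule).</description>
  </rule>
</group>
"""

# Constructed user_defined.xml: a child of 5710 that lowers the level for
# one noisy source, as the thread suggests, instead of editing 5710 itself.
USER_RULES = """
<group name="local,">
  <rule id="100001" level="1">
    <if_sid>5710</if_sid>
    <match>from 10.0.0.5</match>
    <description>Known scanner host, downgraded (constructed).</description>
  </rule>
</group>
"""


def load_rules(*xml_docs):
    """Parse one or more rule documents into a list of dicts, in file order."""
    rules = []
    for doc in xml_docs:
        for el in ET.fromstring(doc).iter("rule"):
            if_sid = (el.findtext("if_sid") or "").strip()
            rules.append({
                "id": int(el.get("id")),
                "level": int(el.get("level")),
                "noalert": el.get("noalert") == "1",
                "decoded_as": (el.findtext("decoded_as") or "").strip() or None,
                "match": (el.findtext("match") or "").strip() or None,
                "if_sid": int(if_sid) if if_sid else None,
                "description": (el.findtext("description") or "").strip(),
            })
    return rules


def _rule_matches(rule, event):
    """A rule matches when its decoder and plain-substring match both agree."""
    if rule["decoded_as"] and rule["decoded_as"] != event["decoder"]:
        return False
    if rule["match"] and rule["match"] not in event["log"]:
        return False
    return True


def _descend(rule, rules, event):
    """Follow if_sid children of an already-matched rule, in file order.
    Returns the deepest matching rule, or ``rule`` itself if no child matches."""
    for child in rules:
        if child["if_sid"] == rule["id"] and _rule_matches(child, event):
            return _descend(child, rules, event)
    return rule


def match_event(rules, event):
    """Return the rule that fires for an event, using the semantics from the
    thread: a matching noalert rule with no matching child is skipped and the
    search continues with the next top-level rule."""
    for rule in rules:
        if rule["if_sid"] is not None or not _rule_matches(rule, event):
            continue
        result = _descend(rule, rules, event)
        if result is rule and rule["noalert"]:
            continue  # grouping rule matched but no child did: keep searching
        return result
    return None


def process(rules, events, log_alert_level):
    """Return (id, level, description) for each event whose matched rule
    reaches log_alert_level; lower-level matches are dropped silently."""
    out = []
    for ev in events:
        r = match_event(rules, ev)
        if r is not None and r["level"] >= log_alert_level:
            out.append((r["id"], r["level"], r["description"]))
    return out


# Constructed sample events, already "decoded" (the toy has no decoders).
EVENTS = [
    {"decoder": "sshd", "log": "sshd[123]: Failed password for root from 192.0.2.7 port 4022 ssh2"},
    {"decoder": "sshd", "log": "sshd[124]: Failed password for root from 10.0.0.5 port 4023 ssh2"},
    {"decoder": "sshd", "log": "sshd[125]: error: something odd happened"},
    {"decoder": "sshd", "log": "sshd[126]: Accepted publickey for alice from 192.0.2.9"},
]

if __name__ == "__main__":
    rules = load_rules(BUILTIN_RULES, USER_RULES)
    for level in (1, 4):
        print(f"log_alert_level={level}:")
        for hit in process(rules, EVENTS, level):
            print("  ", hit)
```

Running it shows the two behaviours side by side: the third event matches the noalert rule 5700 but none of its children, so the search moves on and the generic rule 1002 fires; the second event descends 5700 -> 5710 -> 100001 and comes out at level 1, which a log_alert_level of 4 discards while the level 5 hit from 192.0.2.7 is still logged.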