The top rules establish the initial grouping of the events. The remaining rules are based on these... If you look at the rules following, you'll see that many of them start with something similar to:
<rule id="31103" level="6">
  <if_sid>31100</if_sid>
That (if_sid) is the first rule id number, so... if that one matched and this one, then.....
I think ...
Daniel ?
Gentux ?
On Wed, 2006-08-23 at 10:12 -0700, [EMAIL PROTECTED] wrote:
> If you change them to 0 you may break some other rules that depend
> on them (since 0 means ignore it). My suggestion is to change them to
> 1 or 2. However, the best way is to go to /var/ossec/etc/ossec.conf and
> modify the value of "log_alert_level" to something higher (like 4 or 5).
> By default it is set to 1, which means log everything.
I'm confused.
in the web-rules.xml file
the first rule is
<rule id="31100" level="0">
  <decoded_as>web-accesslog</decoded_as>
  <category>web-log</category>
  <description>Access log messages grouped.</description>
</rule>
I from this inferred that level 0 is ignored for alerts but is
still matched against the incoming log.
Bob Thorson
UNLV/NSCEE
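The mechanics the thread is circling (a level 0 parent rule that groups events, child rules chained to it with if_sid, and log_alert_level deciding what actually gets written out) are easier to see in a small model than in the rule file. The following is an added example written for this page, not OSSEC's own code or rule engine: it parses the 31100 rule quoted above plus a child rule in the shape of the 31103 fragment (its `<url>` patterns and description are constructed here for illustration), runs three constructed web-access events through the chain, and applies the log_alert_level threshold separately from matching. Event dicts, the decoder names and the `|`-as-OR substring matching are simplifications of the real engine.

```python
"""Toy model of OSSEC-style rule chaining (if_sid) and alert levels.

Added example, not OSSEC code.  It models three things the thread discusses:
  * a rule's level is not consulted while matching, so a level 0 rule still
    matches and can serve as an if_sid parent,
  * a child rule fires only when its if_sid parent matched the same event,
  * log_alert_level (ossec.conf) decides which matched events become alerts.
Rule 31100 is the one quoted from web-rules.xml; rule 31103's patterns and
the sample events are constructed for this example.
"""
import xml.etree.ElementTree as ET

RULES_XML = """
<group name="web,accesslog,">
  <rule id="31100" level="0">
    <decoded_as>web-accesslog</decoded_as>
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>
  <!-- constructed child rule, same shape as the web rules that follow 31100 -->
  <rule id="31103" level="6">
    <if_sid>31100</if_sid>
    <url>select%20|union%20|xp_cmdshell</url>
    <description>SQL injection attempt (constructed example).</description>
  </rule>
</group>
"""

# Constructed events: what a decoder would hand to the rule engine.
EVENTS = [
    {"decoder": "web-accesslog", "url": "/index.html"},
    {"decoder": "web-accesslog", "url": "/search?q=1%20union%20select%20pw"},
    # Same URL-ish payload but a different decoder: 31100 does not match,
    # so 31103 must not fire either, even though its <url> pattern would.
    {"decoder": "sshd", "url": "/union%20select"},
]


def load_rules(xml_text):
    """Flatten the <rule> elements into dicts; missing children become None."""
    rules = []
    for r in ET.fromstring(xml_text.strip()).iter("rule"):
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "decoded_as": r.findtext("decoded_as"),
            "if_sid": r.findtext("if_sid"),
            "url": r.findtext("url"),
            "description": r.findtext("description"),
        })
    return rules


def rule_matches(rule, event, matched_ids):
    """Match conditions only; the rule's level plays no part here."""
    if rule["if_sid"] is not None and rule["if_sid"] not in matched_ids:
        return False                     # parent did not match this event
    if rule["decoded_as"] and event["decoder"] != rule["decoded_as"]:
        return False
    if rule["url"]:
        # Simplification: '|' separates alternatives, each a plain substring.
        return any(p in event["url"] for p in rule["url"].split("|"))
    return True


def evaluate(rules, event):
    """Ids of every rule that matches the event, in file order."""
    matched = []
    for rule in rules:
        if rule_matches(rule, event, set(matched)):
            matched.append(rule["id"])
    return matched


def alerts(rules, events, log_alert_level=1):
    """(id, level, url) for events whose final rule meets log_alert_level.

    The final rule is the last one in the chain; with the default threshold
    of 1, a level 0 match is grouped but never written as an alert.
    """
    by_id = {r["id"]: r for r in rules}
    out = []
    for ev in events:
        matched = evaluate(rules, ev)
        if not matched:
            continue
        final = by_id[matched[-1]]
        if final["level"] >= log_alert_level:
            out.append((final["id"], final["level"], ev["url"]))
    return out


RULES = load_rules(RULES_XML)

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["decoder"], ev["url"], "->", evaluate(RULES, ev))
    print("log_alert_level=1:", alerts(RULES, EVENTS, 1))
    print("log_alert_level=7:", alerts(RULES, EVENTS, 7))
```

Running it shows the plain access-log line matching only 31100 (grouped, no alert), the injection-looking request matching 31100 and then 31103, and the sshd event matching nothing because the chain never starts. Raising log_alert_level changes only what `alerts` emits; `evaluate` returns the same chains either way, which is the distinction between a rule being silenced and a rule being removed from the tree.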
