Hi Bob,

Sorry for confusing you. You will never see an alert for the rule 31100,
because of its level zero (ignored). However, any "child" rule of it
can be matched.
Basically, any rule with level 0 is evaluated first, followed by the other
high level ones. If any rule has a child, it will be checked too.

*What is a child rule? A rule that has "if_sid", "if_level" or "if_group".
These rules are only evaluated if the "parent" rule is matched.


Example:

1 - Rule 31100 is matched (web access).
2 - Rule 31101 (dependent of 31100) is checked.
3a- If rule 31101 matches (which means an HTTP 40X error), it
will generate an alert.
3b- If rule 31101 does not match, OSSEC will check for any other "child"
rule of the 31100. If none matches, it will return (rule ignored).

Example of a child rule of 31100:

 <rule id="31101" level="5">
   <if_sid>31100</if_sid>
   <id>^40</id>
   <description>Web server 400 error code.</description>
 </rule>

Hope it clarifies.

--
Daniel B. Cid
dcid ( at ) ossec.net
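To make the parent/child evaluation above concrete, here is an added toy model (not OSSEC's own code) that loads the two rules quoted in this thread and walks them the way described: top-level rules first, then children via if_sid, with level 0 meaning "matched but ignored". The event dictionaries and the `decoder`/`id` field names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed rule set: the two rules quoted in the thread, wrapped in a <group>.
RULES_XML = """<group>
  <rule id="31100" level="0">
    <decoded_as>web-accesslog</decoded_as>
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>
  <rule id="31101" level="5">
    <if_sid>31100</if_sid>
    <id>^40</id>
    <description>Web server 400 error code.</description>
  </rule>
</group>
"""

def load_rules(xml_text):
    # Keep only the fields these rules use; if_sid is None for top-level rules.
    return [{"id": r.get("id"), "level": int(r.get("level")),
             "if_sid": r.findtext("if_sid"), "decoded_as": r.findtext("decoded_as"),
             "id_regex": r.findtext("id")} for r in ET.fromstring(xml_text)]

def rule_matches(rule, event):
    # A condition is only checked when the rule declares it.
    if rule["decoded_as"] and event.get("decoder") != rule["decoded_as"]:
        return False
    if rule["id_regex"] and not re.search(rule["id_regex"], event.get("id", "")):
        return False
    return True

def evaluate(rules, event, parent_id=None):
    """Try the rules whose if_sid is parent_id (top-level rules when None);
    on a match, descend into that rule's children. First sibling match wins.
    Returns (rule_id, level) of the deepest match, or None."""
    for rule in rules:
        if rule["if_sid"] != parent_id or not rule_matches(rule, event):
            continue
        deeper = evaluate(rules, event, rule["id"])
        return deeper if deeper else (rule["id"], rule["level"])
    return None

def alert_level(rules, event):
    # Level 0 (ignored) and "nothing matched" both mean no alert.
    hit = evaluate(rules, event)
    return hit[1] if hit else 0
```

A decoded 404 access-log event ends at rule 31101 (level 5, alert), while a 200 stops at 31100 (level 0, matched but ignored), which is exactly the behaviour Bob observed.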

On 8/23/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:


> If you change them to 0 you may break some other rules that depend
> on them (since 0 means ignore it). My suggestion is to change them to
> 1 or 2. However, the best way is to go to /var/ossec/etc/ossec.conf and
> modify the value of "log_alert_level" to something higher (like 4 or 5).
> By default it is set to 1, which means log everything.

I'm confused.

In the web-rules.xml file
the first rule is

<rule id="31100" level="0">
    <decoded_as>web-accesslog</decoded_as>
    <category>web-log</category>
    <description>Access log messages grouped.</description>
</rule>

From this I inferred that level 0 is ignored for alerts but is
still matched against the incoming log.

Bob Thorson
UNLV/NSCEE
