So the proper procedure is to create your local rules in rules/local_rules.xml and include them as described.

Except in my case, where I need to alter sendmail_rule.xml:

<rule id="3103" level="6">
  <if_sid>3101</if_sid>
  <match>reject=550 5.0.0 |reject=553 5.3.0</match>
  <description>Rejected by access list</description>
  <description>(55x: Requested action not taken).</description>
</rule>

And remove "Spam blocked". Or is there another way to do this?

_F

Meir Michanie wrote:

always put your local_rules.xml second just after rules_config.xml

On 9/14/06, *Joel Gray* <[EMAIL PROTECTED]> wrote:

Daniel,

Thank you, that was indeed the issue!

On another note, I learned in correcting this that the rules are processed in the order that they are listed in the ossec.conf file. The result was that originally I added the local_rules.xml as my first one this time around, and that caused ossec to fail due to the file looking for another rule that had not been loaded yet. While this is not a huge deal, that may be something to think about for the future as well: loading all of the rules before processing them.

Thank you again for pointing me in the right direction.

-Joel

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Cid
Sent: Wednesday, September 13, 2006 1:25 PM
To: [email protected]
Subject: [ossec-list] Re: Help shutting down an alert

Do you have the local_rules.xml configured to be included at /var/ossec/etc/ossec.conf? The update probably removed it from there (yes, this is something we need to fix)... Let us know if it fixes or not..

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/13/06, Joel Gray <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> I'm getting an alert on an internal server that, at one point, I had
> been able to ignore. Recently I moved the logs that apache (wn32
> version) uses to a different drive for space considerations, and since
> doing so have begun getting the alert again. The reason I wish to
> ignore the alert is due to its cause. The client software
> (TortoiseSVN) simply requests methods not available currently.
>
> Here is the alert:
>
> Received From: ([myserver]) x.x.x.20->\apache2/logs/access.log
> Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
>
> Portion of the log(s):
>
> x.x.x.90 - - [13/Sep/2006:07:01:53 -0700] "PROPFIND /svn/[xxxx]/Extranet/branches/SOW-101 HTTP/1.1" 401 587
> x.x.x.90 - - [13/Sep/2006:07:01:51 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/trunk HTTP/1.1" 401 587
> x.x.x.90 - - [13/Sep/2006:07:00:53 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/2.5 HTTP/1.1" 401 587
> x.x.x.90 - - [13/Sep/2006:07:00:53 -0700] "PROPFIND /svn/[xxxx]/Extranet/branches/SOW-101 HTTP/1.1" 401 587
> x.x.x.90 - - [13/Sep/2006:07:00:21 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/trunk HTTP/1.1" 401 587
> x.x.x.90 - - [13/Sep/2006:06:59:53 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/2.5 HTTP/1.1" 401 587
> x.x.x.90 - - [13/Sep/2006:06:59:50 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/trunk HTTP/1.1" 401 587
> x.x.x.90 - - [13/Sep/2006:06:58:52 -0700] "PROPFIND /svn/[xxxx]/[xxxx]/trunk HTTP/1.1" 401 587
> x.x.x.90 - - [13/Sep/2006:06:58:52 -0700] "PROPFIND /svn/[xxxx]/Extranet/branches/SOW-101 HTTP/1.1" 401 587
>
> At one point I put the following into my local_rules.xml file on the
> server, which got rid of the message:
>
> <rule id="100001" level="0">
>   <if_sid>31101</if_sid>
>   <srcip>x.x.x.0/16</srcip>
>   <description>Ignoring local network</description>
> </rule>
>
> I see that this new alert uses a different rule number, so I've tried
> to do the same thing by putting the following into the local_rules.xml
> file:
>
> <rule id="100005" level="0">
>   <if_sid>31151</if_sid>
>   <srcip> x.x.x.0/16</srcip>
>   <description>Ignoring local network</description>
> </rule>
>
> This does not seem to override anything, and even after restarting
> ossec I still receive the notifications every time someone uses the
> source control client. Am I doing something wrong or simply missing a
> step somewhere else?
>
> Oh, as a side note, I did modify the agent machine config with the new
> path to the logs. It was a simple update since the line was already
> there with the old logs. I did restart the windows service (NET STOP
> OssecSvc;NET START OssecSvc) after the change.
>
> Thanks in advance!
> -Joel
>
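Joel's follow-up describes the failure mode a misplaced include produces: a local rule whose <if_sid> names a rule id that has not been loaded yet makes ossec refuse to start. The checker below, an added example that is not code from this thread or from the OSSEC project, walks the <include> list of an ossec.conf fragment in order and reports every <if_sid> or <if_matched_sid> that points at an id not yet defined at that point. It assumes rules are loaded strictly sequentially (file by file, top to bottom within a file); the ossec.conf fragments and the cut-down rule files are constructed for the demo, with 31101/31151 standing in for the Apache rules named in the thread and 100001/100005 for Joel's local level-0 overrides.

```python
"""Check OSSEC rule include order (added example, not project code).

Verifies that every <if_sid> / <if_matched_sid> in a rule file refers to a
rule id that was already loaded, given the <include> order in ossec.conf.
Assumes rules are loaded strictly in that order, one file after another and
top to bottom inside each file.  All configuration below is constructed.
"""
from xml.etree import ElementTree as ET

# Constructed ossec.conf fragment: local_rules.xml comes BEFORE the Apache
# rules it refers to, the ordering that made OSSEC fail to start in the thread.
BAD_OSSEC_CONF = """<ossec_config>
  <rules>
    <include>rules_config.xml</include>
    <include>local_rules.xml</include>
    <include>apache_rules.xml</include>
  </rules>
</ossec_config>"""

# Same fragment with local_rules.xml moved to the end of the include list.
FIXED_OSSEC_CONF = """<ossec_config>
  <rules>
    <include>rules_config.xml</include>
    <include>apache_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>"""

# Constructed, cut-down rule files keyed by file name.  192.0.2.0/24 is a
# documentation prefix, not a real network.
RULE_FILES = {
    "rules_config.xml": """<group name="config">
  <rule id="1" level="0">
    <category>syslog</category>
    <description>Generic template.</description>
  </rule>
</group>""",
    "apache_rules.xml": """<group name="apache">
  <rule id="31101" level="5">
    <description>Web server 400 error code.</description>
  </rule>
  <rule id="31151" level="10" frequency="10" timeframe="120">
    <if_matched_sid>31101</if_matched_sid>
    <description>Multiple web server 400 error codes from same source ip.</description>
  </rule>
</group>""",
    "local_rules.xml": """<group name="local">
  <rule id="100001" level="0">
    <if_sid>31101</if_sid>
    <srcip>192.0.2.0/24</srcip>
    <description>Ignoring local network</description>
  </rule>
  <rule id="100005" level="0">
    <if_sid>31151</if_sid>
    <srcip>192.0.2.0/24</srcip>
    <description>Ignoring local network</description>
  </rule>
</group>""",
}


def include_order(conf_text):
    """Return rule file names in the order ossec.conf includes them."""
    root = ET.fromstring(conf_text)
    return [inc.text.strip() for inc in root.iter("include") if inc.text]


def parse_rules(rule_text):
    """Return [(rule_id, {referenced ids}), ...] in file order.

    OSSEC rule files may hold several top-level <group> elements, so the text
    is wrapped in a synthetic root to make it well-formed XML.  Both <if_sid>
    and <if_matched_sid> accept comma-separated id lists.
    """
    root = ET.fromstring("<root>" + rule_text + "</root>")
    rules = []
    for rule in root.iter("rule"):
        refs = set()
        for tag in ("if_sid", "if_matched_sid"):
            for elem in rule.findall(tag):
                refs.update(s.strip() for s in (elem.text or "").split(",") if s.strip())
        rules.append((rule.get("id", "?"), refs))
    return rules


def check_order(conf_text, rule_files):
    """Walk the include list and return (file, rule_id, missing_sid) for every
    reference to a rule id that is not yet defined when that rule is loaded."""
    defined = set()
    problems = []
    for name in include_order(conf_text):
        if name not in rule_files:
            problems.append((name, "-", "file not found"))
            continue
        for rule_id, refs in parse_rules(rule_files[name]):
            for ref in sorted(refs):
                if ref not in defined:
                    problems.append((name, rule_id, ref))
            defined.add(rule_id)
    return problems


if __name__ == "__main__":
    for label, conf in (("bad order", BAD_OSSEC_CONF), ("fixed order", FIXED_OSSEC_CONF)):
        found = check_order(conf, RULE_FILES)
        print(f"{label}: {len(found)} problem(s)")
        for file_name, rule_id, missing in found:
            print(f"  {file_name}: rule {rule_id} refers to {missing} before it is loaded")
```

With the bad ordering the checker flags both local rules (100001 needs 31101, 100005 needs 31151); with local_rules.xml last it reports nothing. Running it against the real /var/ossec/etc/ossec.conf and rules directory only needs the two string inputs replaced by file reads.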
