I read the example at: http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

But I still don't understand how to do this properly. I'll be specific this time, so it's clear what I am trying to do.

I want to ignore the basic RBL reject messages, UNLESS they are triggered X number of times. The basic local_rules.xml rules I have that apply here are:

    <!-- Match custom string from /etc/mail/access -->

I don't need an OSSEC notice for every single RBL reject I get, and that's what's happening now. Would I need to craft an ignore and active response rule like this:

    <rule id="123456" level="0">
      <if_sid>3103, 100101</if_sid>
      <description>events ignored</description>
    </rule>

and then have:

    <rule id="123457" level="9" frequency="3">
      <if_sid>3103, 100101</if_sid>
      <description>Block if the RBL is triggered 3 times</description>
    </rule>

with an appropriate <active-response> rule in ossec.conf?

Does this make any sense?

Thanks ;-)