Okay... I tried changing the rule id and restarted ossec. Still not
working. Here is my local_rules.xml file from /var/ossec/rules
My filter is at the bottom of local_rules.xml and the bit I am trying to
filter is at the bottom of this message.
(root) mail # cat local_rules.xml
<!-- Example of local rules for ossec.
- Author: Daniel B. Cid
- Date: Sep 15, 2006
-->
<!-- Modify it at your will. -->
<group name="local,syslog,">
<!-- Note that rule id 5711 is defined at the ssh_rules file
- as a ssh failed login. This is just an example
- since ip 1.1.1.1 shouldn't be used anywhere.
- Level 0 means ignore.
-->
<rule id="100001" level="0">
<if_sid>5711</if_sid>
<srcip>1.1.1.1</srcip>
<description>Example of rule that will ignore sshd </description>
<description>failed logins from IP 1.1.1.1.</description>
</rule>
<!-- This example will ignore ssh failed logins for the user name XYZABC.
-->
<!--
<rule id="100020" level="0">
<if_sid>5711</if_sid>
<user>XYZABC</user>
<description>Example of rule that will ignore sshd </description>
<description>failed logins for user XYZABC.</description>
</rule>
-->
<!-- Specify here a list of rules to ignore. -->
<!--
<rule id="100030" level="0">
<if_sid>12345, 23456, xyz, abc</if_sid>
<description>List of rules to be ignored.</description>
</rule>
-->
<rule id="100002" level="0">
<if_sid>1002</if_sid>
<match>process_message</match>
<description>Mail delivery messages ignored</description>
</rule>
</group> <!-- SYSLOG,LOCAL -->
<!-- EOF -->
Meir Michanie wrote:
> use rule id=1000x
>
> <rule id="10002" level="0">
> <if_sid>1002</if_sid>
> <match>process_message</match>
> <description>Mail delivery messages ignored</description>
> </rule>
>
OSSEC HIDS Notification.
2006 Oct 09 07:09:27
Received From: unknown->/var/log/syslog
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):
dspam[20881]: [ID 795625 mail.warning] process_message returned error -5.
delivering message.
--END OF NOTIFICATION
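To check offline whether a local child rule like 100002 would actually take over from the stock rule 1002 for the dspam line above, here is an added example that is not part of this thread and not OSSEC's own code: a small Python model of the parent/child (`if_sid`) selection and of the `<match>` operator, plus a check that local rule ids fall in the range OSSEC reserves for user rules (100000-119999). The word list standing in for rule 1002's `$BAD_WORDS` variable is an approximation, not copied from OSSEC, and `<match>` is modelled as a case-sensitive substring test with `|`, `^` and `$` support; the authoritative check is still OSSEC's own `ossec-logtest` utility.

```python
"""Offline approximation of how OSSEC chooses the effective rule for a log line.

Constructed example: one stock catch-all parent rule and the local child rule
from the thread above. Real evaluation is done by OSSEC's analysisd (or
ossec-logtest); this only models if_sid chaining and <match>.
"""
import xml.etree.ElementTree as ET

# Constructed copy of the relevant part of the posted local_rules.xml.
LOCAL_RULES_XML = """
<group name="local,syslog,">
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <match>process_message</match>
    <description>Mail delivery messages ignored</description>
  </rule>
</group>
"""

# Assumption: approximation of stock rule 1002 from syslog_rules.xml; the word
# list stands in for its $BAD_WORDS variable and is not copied from OSSEC.
STOCK_RULES = {
    "1002": {
        "level": 7,
        "if_sid": set(),
        "match": "core_dumped|failure|error|attack| bad |illegal |denied"
                 "|refused|unauthorized|fatal|failed",
        "description": "Unknown problem somewhere in the system.",
    }
}

LOCAL_ID_RANGE = (100000, 119999)  # range OSSEC reserves for user-defined rules

# Constructed log line, joined from the wrapped notification above.
LOG_LINE = ("dspam[20881]: [ID 795625 mail.warning] process_message "
            "returned error -5. delivering message.")


def parse_rules(xml_text):
    """Return {rule_id: {level, if_sid, match, description}} from a <group>."""
    rules = {}
    for rule in ET.fromstring(xml_text).iter("rule"):
        if_sid = set()
        for sid in rule.findall("if_sid"):
            if_sid.update(s.strip() for s in (sid.text or "").split(",") if s.strip())
        # OSSEC allows several <description> elements; they are concatenated.
        description = "".join(d.text or "" for d in rule.findall("description")).strip()
        rules[rule.get("id")] = {
            "level": int(rule.get("level")),
            "if_sid": if_sid,
            "match": rule.findtext("match"),
            "description": description,
        }
    return rules


def ossec_match(pattern, text):
    """Simplified <match>: '|' separates alternatives, '^'/'$' anchor,
    otherwise a case-sensitive substring test. No pattern means always match."""
    if pattern is None:
        return True
    for alt in pattern.split("|"):
        if alt.startswith("^") and alt.endswith("$"):
            hit = text == alt[1:-1]
        elif alt.startswith("^"):
            hit = text.startswith(alt[1:])
        elif alt.endswith("$"):
            hit = text.endswith(alt[:-1])
        else:
            hit = alt in text
        if hit:
            return True
    return False


def effective_rule(log_line, stock_rules, local_rules):
    """Return (rule_id, level, description): the first matching parent rule,
    replaced by the first child whose if_sid names it and whose match hits."""
    all_rules = {**stock_rules, **local_rules}
    for pid, parent in stock_rules.items():
        if parent["if_sid"] or not ossec_match(parent["match"], log_line):
            continue
        for cid, child in all_rules.items():
            if pid in child["if_sid"] and ossec_match(child["match"], log_line):
                return cid, child["level"], child["description"]
        return pid, parent["level"], parent["description"]
    return None


def local_id_problems(local_rules):
    """List local rule ids that lie outside the user-defined id range."""
    lo, hi = LOCAL_ID_RANGE
    return [f"rule id {rid} is outside the local range {lo}-{hi}"
            for rid in local_rules if not lo <= int(rid) <= hi]


if __name__ == "__main__":
    local = parse_rules(LOCAL_RULES_XML)
    print(effective_rule(LOG_LINE, STOCK_RULES, local))
    print(local_id_problems(local) or "local rule ids OK")
```

Running the block prints the child rule (`100002`, level 0) for the dspam line and the stock rule 1002 (level 7) for any other line containing one of the bad words, which is the behaviour the ignore rule is meant to produce; the id check flags an id such as 10002, which is below the local range.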