It exists.
For your example you could add a rule in local_rules.xml (don't forget
to add local_rules.xml in your ossec.conf)

  <rule id="109996" level="0">
    <if_sid>1002</if_sid>
    <program_name>proftpd</program_name>
    <match>error setting IPV6_V6ONLY: Protocol not available</match>
    <description>Events ignored</description>
  </rule>

Jay Curtis wrote:
Another suggestion would be to have the ability to turn off a rule when it
relates to a specific application bug. ProFTP has an IPv6 bug that ossec
notices every time and it gets annoying. FWIW, so does spamassassin.
JSC
OSSEC HIDS Notification.
2007 Jan 20 15:02:00
Received From: kyzyl->/var/log/secure
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jan 20 15:02:00 kyzyl proftpd[14496]: xxx.yyy.com
(::ffff:192.168.xxx.yyy[::ffff:192.168.xxx.yyy]) - error setting IPV6_V6ONLY:
Protocol not available
--END OF NOTIFICATION
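
Added example, not part of the original messages or of OSSEC itself: a small Python model of how the level-0 child rule above narrows the suppression, run over the log line from the notification (joined onto one line) plus two constructed lines. It assumes rule 1002 (level 7) has already fired for each line, and it uses plain substring tests in place of OSSEC's own pattern matching.

```python
import re
import xml.etree.ElementTree as ET

# The rule from the message above, unchanged.
RULE_XML = """
<rule id="109996" level="0">
  <if_sid>1002</if_sid>
  <program_name>proftpd</program_name>
  <match>error setting IPV6_V6ONLY: Protocol not available</match>
  <description>Events ignored</description>
</rule>
"""

# Syslog header: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$")

def load_rule(xml_text):
    r = ET.fromstring(xml_text)
    rule = {k: r.findtext(k) for k in ("if_sid", "program_name", "match")}
    rule.update(id=r.get("id"), level=int(r.get("level")))
    return rule

def final_alert(rule, parent_sid, parent_level, line):
    """Return (rule id, level) reported for one line; level 0 means no alert."""
    m = SYSLOG.match(line)
    if m and parent_sid == rule["if_sid"]:
        _host, program, message = m.groups()
        # Assumption: substring tests stand in for OSSEC's pattern matching.
        if rule["program_name"] in program and rule["match"] in message:
            return rule["id"], rule["level"]
    return parent_sid, parent_level

SAMPLES = [
    # Log line from the notification above, joined onto one line.
    "Jan 20 15:02:00 kyzyl proftpd[14496]: xxx.yyy.com (::ffff:192.168.xxx.yyy"
    "[::ffff:192.168.xxx.yyy]) - error setting IPV6_V6ONLY: Protocol not available",
    # Constructed: same program, different error, must still alert.
    "Jan 20 15:03:10 kyzyl proftpd[14501]: xxx.yyy.com - error opening scoreboard",
    # Constructed: same message from another program, must still alert.
    "Jan 20 15:04:22 kyzyl named[812]: error setting IPV6_V6ONLY: Protocol not available",
]

def run_samples():
    rule = load_rule(RULE_XML)
    return [final_alert(rule, "1002", 7, s) for s in SAMPLES]

if __name__ == "__main__":
    for line, (sid, level) in zip(SAMPLES, run_samples()):
        print(f"rule {sid} level {level}: {line[:60]}")
```

Only the first line ends at rule 109996 with level 0; the other two keep rule 1002 at level 7, so the exception silences this one ProFTPD message and nothing else.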