Hi Kayvan,

The following link has some information about it:

http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

For your situation, the following local rule would work:

<group name="local,">
  <!-- Rules in local_rules.xml sit inside a <group>; the id must be numeric (OSSEC reserves 100000-119999 for local rules). -->
  <rule id="xyz" level="0">
    <if_sid>1002</if_sid>
    <match>getpeername failed</match>
    <description>Ignoring getpeername failed</description>
  </rule>
</group>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

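To show why the level-0 child rule silences the alert above, here is a small simulator of OSSEC's rule chaining (added example, not OSSEC code and not part of the original mail). The keyword list for rule 1002 and the local rule id 100001 are constructed stand-ins; `<match>` is modelled as OSSEC applies it, a case-sensitive substring test with `|` separating alternatives.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    rid: int
    level: int
    match: str                      # '|'-separated substrings, OSSEC <match> style
    if_sid: Optional[int] = None    # parent rule id, as in <if_sid>

# Constructed, abbreviated stand-in for OSSEC's generic rule 1002 keyword list.
RULES = [
    Rule(1002, 7, "error|failed|denied|refused|fatal|Segmentation Fault"),
    # The local rule from the reply: child of 1002, level 0 means "do not alert".
    # Id 100001 is an assumed value in OSSEC's local-rule range (page shows "xyz").
    Rule(100001, 0, "getpeername failed", if_sid=1002),
]

def matches(rule: Rule, line: str) -> bool:
    """OSSEC <match>: true if any '|'-separated alternative is a substring."""
    return any(alt in line for alt in rule.match.split("|"))

def evaluate(line: str, rules=RULES) -> Optional[Tuple[int, int]]:
    """Return (rule_id, level) the way OSSEC chains rules, or None if nothing fires.

    A top-level rule (no if_sid) fires first; then the first child whose if_sid
    points at it and whose <match> also hits overrides the id and level.
    """
    fired = None
    for rule in rules:
        if rule.if_sid is None and matches(rule, line):
            fired = rule
            break
    if fired is None:
        return None
    for child in rules:
        if child.if_sid == fired.rid and matches(child, line):
            fired = child
            break
    return fired.rid, fired.level

# Constructed copy of the smbd line from the alert in the thread.
ALERT = ("Feb 14 16:15:02 server smbd[28410]:   getpeername failed. "
         "Error was Transport endpoint is not connected")
```

Because a level-0 rule discards every line it matches, the `<match>` text should stay as narrow as the one in the reply so unrelated 1002 alerts keep firing.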
On 2/14/07, Kayvan A. Sylvan <[EMAIL PROTECTED]> wrote:

I thought I had an answer for this before, but I can't find it.

I have an alert that fires off all the time:

    OSSEC HIDS Notification.
    2007 Feb 14 16:15:03

    Received From: server->/var/log/messages
    Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
    Portion of the log(s):

    Feb 14 16:15:02 server smbd[28410]:   getpeername failed. Error was
    Transport endpoint is not connected

I want to set up a local_rules.xml to ignore this (and other) events.

How do I go about doing this?

                        ---Kayvan
--
Kayvan A. Sylvan          | Proud husband of       | Father to my kids:
Sylvan Associates, Inc.   | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen.    | Robin Gregory (2/28/92)
