Okay, following up on ignoring certain alerts:
Part of my local_rules.xml is:
<rule id="100070" level="0">
  <if_sid>1002</if_sid>
  <match>smbd\.* Denied connection from (0.0.0.0)</match>
  <description>Ignoring smbd denied connection from</description>
</rule>
And yet, I am still getting these:
OSSEC HIDS Notification.
2007 Feb 16 09:52:22
Received From: server->/var/log/messages
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Feb 16 09:52:21 server smbd[14947]: Denied connection from (0.0.0.0)
What am I doing wrong?
Thanks.
---Kayvan
--
Kayvan A. Sylvan | Proud husband of | Father to my kids:
Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
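As an added example (not from the original post and not OSSEC's own code), a small Python checker that parses the rule quoted above and tests its <match> text against the log line from the alert. It assumes the simple-regex semantics OSSEC uses for <match>: a literal substring test where only '|', '^', '$' and backslash escapes are special, so '.' and '*' are not wildcards; the <group> wrapper and the helper names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: the rule from the post, wrapped in a <group> so it
# parses as a well-formed local_rules.xml. "\\." yields "\." in the XML text.
LOCAL_RULES = """<group name="local,">
<rule id="100070" level="0">
<if_sid>1002</if_sid>
<match>smbd\\.* Denied connection from (0.0.0.0)</match>
<description>Ignoring smbd denied connection from</description>
</rule>
</group>"""

# Constructed sample: the log line quoted in the alert from the post.
LOG_LINE = "Feb 16 09:52:21 server smbd[14947]: Denied connection from (0.0.0.0)"


def load_rules(xml_text):
    """Return each <rule> of a local_rules.xml fragment as a dict."""
    return [
        {"id": r.get("id"), "level": int(r.get("level", "0")),
         "if_sid": (r.findtext("if_sid") or "").strip(),
         "match": r.findtext("match")}
        for r in ET.fromstring(xml_text).iter("rule")
    ]


def sregex_match(pattern, line):
    """Assumed simple-regex semantics: '|' separates alternatives, '^'/'$'
    anchor, a backslash escapes the next character, and everything else is
    matched as a literal substring (no '.' or '*' wildcards)."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        if anchored_start:
            alt = alt[1:]
        anchored_end = alt.endswith("$") and not alt.endswith("\\$")
        if anchored_end:
            alt = alt[:-1]
        literal, i = "", 0
        while i < len(alt):
            if alt[i] == "\\" and i + 1 < len(alt):
                i += 1  # drop the escape: "\." becomes a literal "."
            literal += alt[i]
            i += 1
        if anchored_start and anchored_end:
            hit = line == literal
        elif anchored_start:
            hit = line.startswith(literal)
        elif anchored_end:
            hit = line.endswith(literal)
        else:
            hit = literal in line
        if hit:
            return True
    return False


def firing_rules(rules, line):
    """Ids of rules whose <match> hits the line (a level-0 hit suppresses it)."""
    return [r["id"] for r in rules if r["match"] and sregex_match(r["match"], line)]
```

Run as a script, `firing_rules(load_rules(LOCAL_RULES), LOG_LINE)` returns an empty list because the literal text "smbd.* Denied ..." does not occur in the line, while the plain substring "Denied connection from (0.0.0.0)" does hit.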