Kayvan A. Sylvan wrote:
> Okay, following up on ignoring certain alerts:
>
> Part of my local_rules.xml is:
>
>   <rule id="100070" level="0">
>     <if_sid>1002</if_sid>
>     <match>smbd\.* Denied connection from (0.0.0.0)</match>
>     <description>Ignoring smbd denied connection from</description>
>   </rule>
>
> And yet, I am still getting these:
>
>   OSSEC HIDS Notification.
>   2007 Feb 16 09:52:22
>
>   Received From: server->/var/log/messages
>   Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
>   Portion of the log(s):
>
>   Feb 16 09:52:21 server smbd[14947]: Denied connection from (0.0.0.0)
>
> What am I doing wrong?
>
> Thanks.
>
> ---Kayvan
First guess: the <match> should be <regex> instead. <match> will match exactly what it has in the rule, and because of this the log doesn't match.
--
Ita erat quando hic adveni.

Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415
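The difference Mark points to, shown as an added example that is not from the thread or from OSSEC's own code: a small Python approximation of the documented OSSEC `<match>` (literal substring) and `<regex>` dialects, run against the log line from the post. The dialect translation, the character-class table and the escaped-parentheses fix are assumptions drawn from the OSSEC regex syntax documentation, not verified against the OSSEC source.

```python
import re

# Constructed sample input: the log line quoted in the post, as it reached OSSEC.
LOG_LINE = "Feb 16 09:52:21 server smbd[14947]: Denied connection from (0.0.0.0)"
# Pattern exactly as posted in the local_rules.xml <match> element.
POSTED_PATTERN = r"smbd\.* Denied connection from (0.0.0.0)"
# Assumed fix: ( ) group in the OSSEC regex syntax, so the literal ones are escaped.
FIXED_PATTERN = r"smbd\.* Denied connection from \(0.0.0.0\)"

def ossec_match(pattern, log):
    """Approximation of <match>: a literal substring test per '|' alternative,
    with '^' anchoring to the start and '$' to the end; no other wildcards."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        literal = alt[(1 if start else 0):(-1 if end else None)]
        if start and end:
            hit = log == literal
        elif start:
            hit = log.startswith(literal)
        elif end:
            hit = log.endswith(literal)
        else:
            hit = literal in log
        if hit:
            return True
    return False

# Character classes of the documented OSSEC regex dialect (approximation, assumed).
_CLASSES = {"w": "[A-Za-z0-9_@-]", "d": "[0-9]", "s": " ", "t": "\t",
            "p": r"[()*+,\-.:;<=>?\[\]]", "W": "[^A-Za-z0-9_@-]",
            "D": "[^0-9]", "S": "[^ ]", ".": "."}  # '\.' means any character

def ossec_regex_to_python(pattern):
    """Translate an OSSEC <regex> pattern into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        # ^ $ | ( ) * + ? keep their meaning; anything else, including '.', is literal
        out.append(c if c in "^$|()*+?" else re.escape(c))
        i += 1
    return "".join(out)

def ossec_regex(pattern, log):
    """Approximation of <regex>: search the translated pattern anywhere in the log."""
    return re.search(ossec_regex_to_python(pattern), log) is not None
```

Under this approximation the posted pattern fires under neither element (the unescaped parentheses act as a group in `<regex>`), while `\(0.0.0.0\)` matches with `<regex>`, and a plain `<match>` on the literal text `Denied connection from (0.0.0.0)` would match as well.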
