Why not just use the <match> settings to match against the "flak" by setting the alert level to 0 in local_rules.xml, matching on if_sid for the rule generating the "flak"?
Any snippets of the OSSEC alerts you consider "flak"?

Phillip Wheat wrote:
> After fighting trying to suppress Windows "flak" without voiding the
> entire rule, I'm giving up.
> Are there any resources available FOR HIRE that can help me fine-tune
> the OSSEC ruleset in a Windows environment?
>
> ---------------------------------------------------------------------------
> Phillip R. Wheat
> Sr. Vice President
> Peoples Bank & Trust Company
> 334-418-8329 Work
> 877-469-1666 Cell Toll Free
> 334-872-7516 Home
> [EMAIL PROTECTED] bank email
> [EMAIL PROTECTED] alternate email
>
> "Presence and proximity is no longer an excuse ... let's make some
> money!" ... Me
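To make the suggestion in the reply concrete, here is an added example of the kind of override rule it describes; it is not from this thread or from the OSSEC project's own rule files. The child rule id 100001 is in the range OSSEC reserves for local rules; the parent id in <if_sid> and the text in <match> are placeholders that must be replaced with the id of the rule actually producing the noise and a string that occurs only in the unwanted events.

```xml
<!-- local_rules.xml: added example, not part of the original thread.
     Silences only the Windows events that contain a chosen string,
     leaving every other alert from the parent rule intact. -->
<group name="local,windows,">

  <!-- Level 0 means the event is matched but never alerted on. -->
  <rule id="100001" level="0">
    <!-- PLACEHOLDER: id of the stock rule that generates the "flak" -->
    <if_sid>18101</if_sid>
    <!-- PLACEHOLDER: a substring that appears only in the noisy events -->
    <match>Service Control Manager</match>
    <description>Ignore known-noisy Windows informational event.</description>
  </rule>

</group>
```

The <match> element is what keeps the parent rule alive: a child rule with only <if_sid> and level 0 would swallow every event the parent matches, which is the "voiding the entire rule" outcome the original poster wanted to avoid. After adding the rule, run the suspect log line through ossec-logtest to confirm that it now ends at rule 100001 with level 0 while an unrelated event from the same parent still fires at its original level.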
