Hi

Thanks for your help.
I was able to make my own rules. But with some of them I have a problem :-(
I have an application which reports to syslog and I need to match some of these messages. But every time, rule id 1002 triggers (syslog with $badwords)!

I created a new group <group name="syslog,errors,"> in local_rules.xml and entered my rules.
For example:
<rule id="100010" level="0">
        <regex>kernelgrsec:|</regex>
        <description>xxx</description>
</rule>
<rule id="100011" level="7">
        <if_sid>100010</if_sid>
        <match>^failure</match>
        <description>xxx</description>
</rule>

The first rule won't generate an alert, but the second one should. But rule 1002 always triggers instead. What is the error in my filters?

Thanks for your help.

Regards,
Dan

On 19.09.2007 at 03:18, Daniel Cid wrote:

>
> Hi Daniel,
>
> Regarding how to write the rules, the following documents can help:
>
> http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
> http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 9/18/07, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>>
>> Greetings Daniel:
>>
>> Custom rules can be placed in /var/ossec/rules/local_rules.xml
>>
>> Thank you.
>>
>>

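Not part of the thread, but a small Python lint I would run over a local_rules.xml fragment like the one above before reloading OSSEC: it checks that ids sit in the local range, that levels are valid, and that every <if_sid> points at a rule that exists, either in the file or in a list of already-loaded base rule ids you pass in. The id range (100000-119999) and level maximum (15) are OSSEC conventions; the sample rules are the two from the mail, the `known_ids` parameter is my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two rules from the mail, wrapped in their <group>.
SAMPLE_RULES = """<group name="syslog,errors,">
<rule id="100010" level="0">
  <regex>kernelgrsec:|</regex>
  <description>xxx</description>
</rule>
<rule id="100011" level="7">
  <if_sid>100010</if_sid>
  <match>^failure</match>
  <description>xxx</description>
</rule>
</group>"""

LOCAL_IDS = range(100000, 120000)   # id block OSSEC reserves for local rules
MAX_LEVEL = 15                      # OSSEC alert levels run 0..15


def lint_rules(xml_text, known_ids=()):
    """Return a list of problem strings; an empty list means nothing was found.

    known_ids: ids of rules loaded before local_rules.xml (e.g. 1002 from the
    stock syslog rules) that <if_sid> may legitimately refer to.
    """
    problems = []
    # A rule file may hold several top-level <group> elements, so wrap it
    # in a synthetic root before parsing.
    root = ET.fromstring("<rules>%s</rules>" % xml_text)
    rules = list(root.iter("rule"))
    defined = set(known_ids)
    for rule in rules:
        rid, level = rule.get("id"), rule.get("level")
        if rid is None or not rid.isdigit():
            problems.append("rule without a numeric id: %r" % rid)
            continue
        rid = int(rid)
        if rid in defined:
            problems.append("duplicate rule id %d" % rid)
        if rid not in LOCAL_IDS:
            problems.append("rule %d outside the local id range" % rid)
        if level is None or not level.isdigit() or int(level) > MAX_LEVEL:
            problems.append("rule %d has invalid level %r" % (rid, level))
        if rule.find("description") is None:
            problems.append("rule %d has no <description>" % rid)
        defined.add(rid)
    # Second pass: every <if_sid> must name a rule that is actually defined.
    for rule in rules:
        for ref in rule.findall("if_sid"):
            for sid in (ref.text or "").split(","):
                if not sid.strip().isdigit() or int(sid) not in defined:
                    problems.append("rule %s: if_sid %s is unknown" % (rule.get("id"), sid.strip()))
    return problems
```

Run `lint_rules(open("/var/ossec/rules/local_rules.xml").read(), known_ids=(1002,))` to check a real file; it does not model how OSSEC picks between 1002 and your rules at match time, only whether the file is structurally sound.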