Dan wrote:
> Hi Ossec-List
>
> I have my own rules in local_rules.xml and it works fine with some of
> the events.
> But as soon as I get an event which matches an existing default rule, my
> own rules don't trigger.
>
> How can I be sure that my local rules have a higher priority and
> they will trigger?
Hello, Daniel.

To make sure your rule fires, you'll want the rule level to be higher than the default rule. OSSEC evaluates levels from the highest to lowest severity, with 0 being the highest, then 15, 14 and so on. Also, keep in mind that if OSSEC doesn't see a match in the local rule it will keep going in the 'if_sid' tree until it finds a match. In some cases, local rules may not match if there is an error in the rule.

HTH,
-Mike
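The two ways the reply describes, shown as an added local_rules.xml fragment (this is an illustration written for this thread, not Mike's or Dan's file). It assumes OSSEC's stock sshd rule id 5715 ("sshd: authentication success", level 3, from sshd_rules.xml) as the default rule being matched, and the reserved 100000+ id range for local rules; the user name "svc_backup" and the level values are constructed for the example.

```xml
<!-- local_rules.xml: added example, not from the original thread.
     Assumption: 5715 is OSSEC's default "sshd: authentication success"
     rule at level 3. Rule ids 100000-109999 are reserved for local rules. -->
<group name="local,syslog,sshd,">

  <!-- Approach 1: hang the local rule underneath the default rule with
       if_sid. Children of 5715 are evaluated in level order (0 first,
       then 15 down to 1), so a level 10 child is tried before any
       lower-level default siblings and, when it matches, replaces the
       level 3 alert with this one. -->
  <rule id="100100" level="10">
    <if_sid>5715</if_sid>
    <!-- constructed account name for the example -->
    <user>svc_backup</user>
    <description>Interactive SSH login by service account (local rule)</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Approach 2: redefine the default rule itself with overwrite="yes".
       Same id as the stock rule; the whole body must be restated because
       the original definition is replaced, not merged. Keeps all other
       children of 5715 attached. -->
  <rule id="5715" level="5" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>^Accepted|authenticated.$</match>
    <description>sshd: authentication success (level raised locally).</description>
    <group>authentication_success,</group>
  </rule>

</group>
```

A quick sanity check after editing: run `/var/ossec/bin/ossec-logtest` and paste a real sshd "Accepted" line; the output shows the rule id and level that fired, and a stray typo in the local rule (a bad regex, a missing closing tag) shows up as a parse error on startup rather than as a silently non-matching rule.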
