Dear Mailing List,

I am receiving multiple false positive events on the OSSEC server and I want to ignore some specific rule IDs from specified sources. For that I am using the steps specified below (please do correct me if I am wrong anywhere):

1) Edit the local_rules.xml on the OSSEC server.

2) Add the rules as specified below:

<group name="local">

  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <srcip>a.b.c.d</srcip>
    <description>proxy Events ignored</description>
  </rule>

  <rule id="100102" level="0">
    <if_sid>18107</if_sid>
    <srcip>w.x.y.z</srcip>
    <description>ads Events ignored</description>
  </rule>

</group>

<!-- EOF -->

3) Restart the OSSEC services through /var/ossec/bin/ossec-control restart

But it is not working out. Is there any problem in the procedure I am following, or is there any other alternative to ignore the rules? (I have already used the <match> tag in lieu of the <srcip> tag.)

Any help would be highly appreciated. Thanks in advance.

With Regards
Gagan Bhatia
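As an added example (not from the original post or the OSSEC project), a small Python linter for the local_rules.xml layout shown above; it assumes OSSEC's srcip forms (an IP, a CIDR range or a dotted prefix, optionally negated with "!") and flags placeholders such as a.b.c.d, which can never match a decoded address.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
# Constructed sample modelled on the post's snippet: one concrete (documentation-range)
# address and one of the post's placeholders, which the linter should flag.
LOCAL_RULES = """\
<group name="local">
  <rule id="100101" level="0">
    <if_sid>1002</if_sid>
    <srcip>192.0.2.10</srcip>
    <description>proxy Events ignored</description>
  </rule>
  <rule id="100102" level="0">
    <if_sid>18107</if_sid>
    <srcip>w.x.y.z</srcip>
    <description>ads Events ignored</description>
  </rule>
</group>
<!-- EOF -->
"""
LOCAL_ID_RANGE = range(100000, 120000)   # ID range OSSEC reserves for user rules
PREFIX_RE = re.compile(r"^(\d{1,3}\.){1,3}$")  # OSSEC dotted prefix form, e.g. 192.168.1.

def valid_srcip(value):
    """True for an IP, a CIDR range or an OSSEC dotted prefix, optionally negated with '!'."""
    value = value.strip().lstrip("!")
    if PREFIX_RE.match(value):
        return all(int(o) < 256 for o in value.rstrip(".").split("."))
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def check_rules(text):
    """Return a list of problems; an empty list means the overrides are well formed."""
    problems = []
    # A rules file may hold several top-level <group> elements, so parse under one root.
    for rule in ET.fromstring("<root>" + text + "</root>").iter("rule"):
        rid = rule.get("id", "?")
        if not rid.isdigit() or int(rid) not in LOCAL_ID_RANGE:
            problems.append(f"rule {rid}: id must be an integer in 100000-119999")
        if rule.get("level") == "0" and rule.find("if_sid") is None:
            problems.append(f"rule {rid}: level 0 without <if_sid> overrides nothing")
        srcip = rule.find("srcip")
        # <srcip> is compared with the IP the decoder extracted from the log line, so it
        # must be a real address or range; a placeholder such as w.x.y.z never matches.
        if srcip is not None and not valid_srcip(srcip.text or ""):
            problems.append(f"rule {rid}: <srcip> '{srcip.text}' is not an IP, CIDR or prefix")
    return problems
```

Run check_rules over the real file before restarting with ossec-control so a bad override is caught without a restart cycle.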
