Hi Gagan,

You followed the steps correctly, so it was supposed to be working :)

Can you show us the alerts you are trying to ignore (directly from the entry at /var/ossec/logs/alerts/alerts.log)? It may shed some light on what is going on...
Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Feb 14, 2008 4:12 AM, Gagan bhatia <[EMAIL PROTECTED]> wrote:
>
> Dear Mailing List
>
> I am receiving multiple false positive events on Ossec Server and I want to
> ignore some specific rule IDs from specified sources.
>
> For that I am using the steps as specified (please do correct me if I am wrong
> anywhere):
>
> 1) Edit the local_rules.xml on the ossec server.
> 2) Add the rules as specified below:
>
> <group name="local">
>
> <rule id="100101" level="0">
> <if_sid>1002</if_sid>
> <srcip>a.b.c.d</srcip>
> <description>proxy Events ignored</description>
> </rule>
>
> <rule id="100102" level="0">
> <if_sid>18107</if_sid>
> <srcip>w.x.y.z</srcip>
> <description>ads Events ignored</description>
> </rule>
>
> </group>
> <!-- EOF -->
>
> 3) Restart the ossec services through /var/osses/bin/ossec-control restart
>
> But it is not working out. Is there any problem in the procedure I am following,
> or is there any other alternative to ignore the rules? (I have already used the
> <match> tag in lieu of the <srcip> tag).
>
> Any help would be highly appreciated.
>
> Thanks in advance
>
> With Regards
> Gagan Bhatia
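Added example, not code from this thread or from OSSEC: a small Python parser for the alerts.log entries Daniel asks for, which reports for each entry whether a level-0 override with <if_sid> and <srcip> like Gagan's would match it. It assumes the OSSEC 1.x alerts.log layout shown in the constructed sample, and that <srcip> can only match when the decoder produced a "Src IP:" line for the alert.

```python
import re

# Constructed sample entries in the OSSEC alerts.log layout (not real alerts).
SAMPLE_ALERTS = """\
** Alert 1202983920.1234: - syslog,errors,
2008 Feb 14 04:12:00 proxy01->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: 10.0.0.5
Feb 14 04:11:59 proxy01 squid[2211]: error: connection refused

** Alert 1202983925.1300: - syslog,errors,
2008 Feb 14 04:12:05 ads01->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Feb 14 04:12:04 ads01 named[100]: error: zone transfer failed
"""

# Header, location and Rule lines of one alert, then an optional "Src IP:" line.
ALERT_RE = re.compile(
    r"^\*\* Alert \S+: - .*\n"
    r".*? (?P<host>\S+)->\S+\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '.*'\n"
    r"(?:Src IP: (?P<srcip>\S+)\n)?",
    re.M,
)

def parse_alerts(text):
    """Return one dict per alert: rule id, level, host and decoded Src IP (None if absent)."""
    return [{"rule": int(m["rule"]), "level": int(m["level"]),
             "host": m["host"], "srcip": m["srcip"]}
            for m in ALERT_RE.finditer(text)]

def ignore_rule_applies(alert, if_sid, srcip):
    """Mimic a level-0 override with <if_sid> and <srcip>: both must match, and
    <srcip> can only match when the decoder extracted a Src IP from the log line."""
    return alert["rule"] == if_sid and alert["srcip"] is not None and alert["srcip"] == srcip

def explain(text, if_sid, srcip):
    """One verdict per alert: silenced, or the reason the override could not fire."""
    out = []
    for a in parse_alerts(text):
        if ignore_rule_applies(a, if_sid, srcip):
            why = "would be silenced"
        elif a["rule"] != if_sid:
            why = "rule %d != if_sid %d" % (a["rule"], if_sid)
        elif a["srcip"] is None:
            why = "no Src IP decoded, so <srcip> cannot match"
        else:
            why = "Src IP %s != %s" % (a["srcip"], srcip)
        out.append("%s rule %d: %s" % (a["host"], a["rule"], why))
    return out
```

Run it as `explain(open("/var/ossec/logs/alerts/alerts.log").read(), 1002, "a.b.c.d")` with the real if_sid and address to see, per alert, why the override did or did not apply.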
