Greetings Peter:
If all you are doing is taking the same rule but wanting to change the
level to avoid notification, then copy the rule to local_rules.xml and
use the overwrite="yes" option.
Example:
<group name="syslog,vpopmail,">
  <rule id="9951" level="10" frequency="20" timeframe="60" overwrite="yes">
    <if_matched_sid>9901</if_matched_sid>
    <same_source_ip />
    <description>POP3 brute force (multiple failed logins).</description>
    <group>authentication_failures,</group>
  </rule>
  <rule id="9952" level="10" frequency="20" timeframe="60" overwrite="yes">
    <if_matched_sid>9902</if_matched_sid>
    <same_source_ip />
    <description>POP3 brute force (email harvesting).</description>
    <group>authentication_failures,</group>
  </rule>
</group>
Then restart ossec.
Thank you.
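
Added example, not part of the original message and not OSSEC's own tooling: a pre-restart check that compares local_rules.xml against the stock rules and reports which local rules override a stock id, which reuse a stock id without overwrite="yes", and which set overwrite="yes" on an id that no stock rule has. The stock level of 12, the id 9591 and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the stock rules file; level="12" is a placeholder.
STOCK = """
<group name="syslog,vpopmail,">
  <rule id="9951" level="12" frequency="20" timeframe="60"><if_matched_sid>9901</if_matched_sid></rule>
  <rule id="9952" level="12" frequency="20" timeframe="60"><if_matched_sid>9902</if_matched_sid></rule>
</group>
"""

# Constructed local_rules.xml: 9951 is overridden as in the message, 9952 is
# missing overwrite="yes", and 9591 is a mistyped id that matches no stock rule.
LOCAL = """
<group name="syslog,vpopmail,">
  <rule id="9951" level="10" frequency="20" timeframe="60" overwrite="yes"><if_matched_sid>9901</if_matched_sid></rule>
  <rule id="9952" level="10" frequency="20" timeframe="60"><if_matched_sid>9902</if_matched_sid></rule>
</group>
<group name="local,">
  <rule id="9591" level="10" overwrite="yes"><if_matched_sid>9901</if_matched_sid></rule>
</group>
"""

def load_rules(text):
    """Return {rule id: attributes}. A rules file can hold several top-level
    <group> elements, so wrap them in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + text + "</root>")
    return {r.get("id"): dict(r.attrib) for r in root.iter("rule")}

def check_overrides(stock_text, local_text):
    """Return a list of (rule id, finding kind, detail) for the local rules."""
    stock, local = load_rules(stock_text), load_rules(local_text)
    findings = []
    for rid, attrs in sorted(local.items()):
        overwrite = attrs.get("overwrite") == "yes"
        if rid in stock and not overwrite:
            findings.append((rid, "duplicate-id", 'stock id reused without overwrite="yes"'))
        elif overwrite and rid not in stock:
            findings.append((rid, "no-such-stock-rule", "nothing to overwrite"))
        elif overwrite:
            # Map each changed attribute to (stock value, local value).
            changed = {k: (stock[rid].get(k), v) for k, v in attrs.items()
                       if k != "overwrite" and stock[rid].get(k) != v}
            findings.append((rid, "override", changed))
    return findings

if __name__ == "__main__":
    for rid, kind, detail in check_overrides(STOCK, LOCAL):
        print(rid, kind, detail)
```

An "override" finding whose change set lowers the level is worth a second look before restarting, since it is the change that stops the notification.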