Should be able to use something like this by adding it to your
local_rules.xml file:

<rule id="100006" level="0">
    <if_sid>1002</if_sid>
    <program_name>^named</program_name>
    <!-- <regex> rather than <match>: <match> is a literal sregex string, so \d+ and the
         parentheses only work inside <regex>, where ( ) and . must be escaped -->
    <regex>client \d+\.\d+\.\d+\.\d+#\d+: query \(cache\) 'www\.google\.com/A/IN' denied</regex>
    <options>no_email_alert</options>
    <description>Rule that will ignore excessive named entries</description>
</rule>

You will need to get the sid for YOUR event as the one above is only an
example and will not work w/o the correct SID.  I am by no means an
expert and have only been working with OSSEC for a few months.  Here is
a good place to learn:

http://www.ossec.net/wiki/index.php/FAQ

and for you specifically, for this particular rule, see here:

http://www.ossec.net/wiki/index.php/Know_How:Regex_Readme

Also attached is a txt file so the word wrapping does not mangle the
rule.


On Thu, 2008-06-12 at 17:26 -0400, Adriel Desautels wrote:
> How do I ignore this particular type event in OSSEC?
> 
> Jun 12 17:04:45 zerosum named[26698]: client 128.194.135.85#4495: query 
> (cache) 'www.google.com/A/IN' denied
> 
> Regards,
>       Adriel T. Desautels
>       Chief Technology Officer
>       Netragard, LLC.
>       Office : 617-934-0269
>       Mobile : 617-633-3821
>       http://www.linkedin.com/pub/1/118/a45
> 


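As an added check that is not part of the original thread, the following Python script re-implements what the level-0 rule above decides, so you can see which lines it silences before loading it into OSSEC. The OSSEC os_regex pattern is translated to Python's re syntax, the matcher runs on the syslog message body only (a simplification of OSSEC's own matching), and all sample lines are constructed except the first, which mirrors the event quoted in the question.

```python
import re

# Constructed sample syslog lines; only the first mirrors the event from the question.
SAMPLE_LINES = [
    "Jun 12 17:04:45 zerosum named[26698]: client 128.194.135.85#4495: query (cache) 'www.google.com/A/IN' denied",
    "Jun 12 17:05:01 zerosum named[26698]: client 10.0.0.7#53012: query (cache) 'evil.example/A/IN' denied",
    "Jun 12 17:05:09 zerosum sshd[2231]: client 10.0.0.7#4495: query (cache) 'www.google.com/A/IN' denied",
]

# Syslog header layout: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Python equivalents of the rule's <program_name> and <regex> fields.
PROGRAM_RE = re.compile(r"^named")
MSG_RE = re.compile(
    r"client \d+\.\d+\.\d+\.\d+#\d+: query \(cache\) 'www\.google\.com/A/IN' denied"
)


def parse_syslog(line):
    """Split a syslog line into its header fields and message; None if malformed."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def rule_100006_matches(line):
    """True when the line would be swallowed by the level-0 rule (no alert)."""
    ev = parse_syslog(line)
    if ev is None:
        return False
    return bool(PROGRAM_RE.match(ev["program"]) and MSG_RE.search(ev["msg"]))


def triage(lines):
    """Partition lines into those silenced by the rule and those that still alert."""
    ignored, alerting = [], []
    for line in lines:
        (ignored if rule_100006_matches(line) else alerting).append(line)
    return ignored, alerting


if __name__ == "__main__":
    silenced, still_alerting = triage(SAMPLE_LINES)
    print("silenced:", *silenced, sep="\n  ")
    print("still alerting:", *still_alerting, sep="\n  ")
```

The second line shows why the regex pins the queried name: a denied lookup for any other domain, and anything not logged by named, keeps alerting.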
