Hi Ashot,

The easiest way is by creating a local rule ignoring the event if this specific program is found:

  <rule id="100101" level="0">
    <if_sid>18105</if_sid>
    <match>Path: Path of program</match>
    <description>Ignoring audit failure</description>
  </rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Sat, Dec 27, 2008 at 4:49 AM, Ashot Titanyan <[email protected]> wrote:
>
> Hello ossec-list,
>
> I have been receiving many e-mail notifications about audit failure, for example:
>
> OSSEC HIDS Notification.
> 2008 Dec 27 12:00:26
>
> Received From: (<<Hostname>>) <<IP Address>>->WinEvtLog
> Rule: 18105 fired (level 4) -> "Windows audit failure event."
> Portion of the log(s):
>
> WinEvtLog: Security: AUDIT_FAILURE(861): Security: <<Username>>:
> <<Hostname>>: <<Hostname>>:
> The Windows Firewall has detected an application listening for incoming
> traffic.
> Name: - Path: <<Path of program>>
> Process identifier: 1740 User account: <<Username>> User domain:
> <<Hostname>>
> Service: No RPC server: No IP version: IPv4 IP protocol: TCP
> Port number: <<Port used by program>> Allowed: No User notified: No
>
>
> --END OF NOTIFICATION
>
> Question: How can I disable mail notification exactly for this program,
> or disable auditing for this program?
>
> Thanks in advance.
>
> --
> Best regards,
> Ashot mailto:[email protected]
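The local rule in the reply works because a child rule that names the parent in <if_sid> and whose <match> text is found in the log replaces the parent's level, and level 0 means no alert. The following is an added example, not code from this thread or from OSSEC, that models that cascade in Python so the rule can be checked against a sample event before it goes into local_rules.xml; rule 18105 at level 4 and the event wording come from the thread, while the executable path and the second event are constructed.

```python
# Added example (not from the ossec-list thread or the OSSEC code base):
# a small simulation of the OSSEC rule cascade for a local override rule.
# Rule 18105 at level 4 and the event text come from the thread; the path
# is a constructed placeholder standing in for the real program path.
import xml.etree.ElementTree as ET

# Constructed local_rules.xml entry, shaped like the one in the reply.
LOCAL_RULES_XML = """
<group name="local,">
  <rule id="100101" level="0">
    <if_sid>18105</if_sid>
    <match>Path: C:\\Example\\listener.exe</match>
    <description>Ignoring audit failure</description>
  </rule>
</group>
"""

PARENT_LEVELS = {"18105": 4}  # the parent rule as reported in the thread

# Two constructed WinEvtLog lines: the program to ignore and another one.
IGNORED_EVENT = ("WinEvtLog: Security: AUDIT_FAILURE(861): The Windows Firewall "
                 "has detected an application listening for incoming traffic. "
                 "Name: - Path: C:\\Example\\listener.exe Process identifier: 1740")
OTHER_EVENT = IGNORED_EVENT.replace("C:\\Example\\listener.exe",
                                    "C:\\Other\\daemon.exe")


def load_child_rules(xml_text):
    """Return (rule_id, level, parent_sid, match_text) for each <rule>."""
    return [(r.get("id"), int(r.get("level")), r.findtext("if_sid"),
             r.findtext("match") or "")
            for r in ET.fromstring(xml_text.strip()).iter("rule")]


def evaluate(parent_sid, log_text, child_rules):
    """Return (rule_id_that_fired, level). A child whose <if_sid> names the
    parent and whose <match> text occurs in the log replaces the parent;
    <match> is modelled as a literal substring test. Level 0 means no alert."""
    fired, level = parent_sid, PARENT_LEVELS[parent_sid]
    for rule_id, child_level, if_sid, match in child_rules:
        if if_sid == parent_sid and match in log_text:
            fired, level = rule_id, child_level
    return fired, level


def alert_sent(log_text, rules_xml=LOCAL_RULES_XML):
    """True if the event would still alert (level above 0) with the local rule."""
    _, level = evaluate("18105", log_text, load_child_rules(rules_xml))
    return level > 0
```

Running evaluate() on IGNORED_EVENT yields ('100101', 0) while OTHER_EVENT still yields ('18105', 4), so only audit failures for the named path are silenced and every other program keeps alerting.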
