On 10/03/2009 18:48, [email protected] wrote:
> Hi everyone
>
> I'm a new ossec user, and I have a simple question,
>
> how can I configure my false positive logging errors ?
>
> thanks
>
> Glaucius
>

Hi,
the right solution could change based upon the source of the event.
A good solution could be to lower the priority of known false positives:

  <rule id="100038" level="2">
    <if_sid>3301</if_sid>
    <description>Attempted SMTP relay</description>
  </rule>

this, for instance, will lower the level of rule 3301 to just "2". The right level is up to you/your policy. I placed this in local_rules.xml.

You could also consider tuning application-related rules, e.g. I have

  <var name="POSTFIX_FREQ">3</var>

in my postfix_rules.xml. This will make postfix related rules more reactive. In your scenario you could wish to change it to a higher value.

By the way, tuning an HIDS/NIDS requires some time.

-- 
William Maddler
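As an added example (not from the original thread), here is a local_rules.xml fragment that applies the same override idea but narrows it to one known source, so rule 3301 keeps its original level for every other client; the source addresses, the group name and rule ids 100039/100040 are placeholders chosen for this illustration.

```xml
<!-- Added example: local_rules.xml fragment, not from the original thread.
     The addresses 10.0.0.25 / 10.0.0.26 and ids 100039 / 100040 are placeholders. -->
<group name="local,postfix,">

  <!-- Downgrade "Attempted SMTP relay" (rule 3301) only when the event comes
       from a host known to trigger it, e.g. an internal mail scanner.
       Any other source still fires 3301 at its original level, so a real
       relay attempt is not silenced along with the false positive. -->
  <rule id="100039" level="2">
    <if_sid>3301</if_sid>
    <srcip>10.0.0.25</srcip>
    <description>Attempted SMTP relay from known internal scanner (false positive)</description>
  </rule>

  <!-- Level 0 makes OSSEC discard the event entirely (no alert, no log),
       so reserve it for sources whose events you are certain you never
       need to see; a low non-zero level keeps them searchable later. -->
  <rule id="100040" level="0">
    <if_sid>3301</if_sid>
    <srcip>10.0.0.26</srcip>
    <description>Attempted SMTP relay from monitoring probe, ignored</description>
  </rule>

</group>
```

After editing local_rules.xml, restart OSSEC and confirm the new rule ids appear in alerts from the listed hosts while other sources still produce rule 3301.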
