Hi all, I'm fairly new to OSSEC but I think I understand how to create rules to ignore certain rules. I have read http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules
Here are 2 rules I'm having a problem with.

    Received From: (jack-3.xxx.xxx) xxx.xxx.150.168->/var/log/maillog
    Rule: 11 fired (level 8) -> "Excessive number of events (above normal)."
    Portion of the log(s):

    The average number of logs between 19:00 and 20:00 is 15678. We reached 20383.

So, I add the below into /var/ossec/rules/local_rules.xml on the server, and restart OSSEC on the server:

    <rule id="100028" level="0">
      <if_sid>11</if_sid>
      <hostname>jack-3</hostname>
      <description>Ignoring</description>
    </rule>

When OSSEC starts, I get this error:

    Starting OSSEC HIDS v2.0 (by Third Brigade, Inc.)...
    2009/03/24 15:11:24 rules_list: Signature ID '11' not found. Invalid 'if_sid'.
    ossec-analysisd: Configuration error. Exiting

I have many rules very similar to this - is something wrong with my syntax?

The 2nd rule I'm having a problem matching is this:

    Received From: (sloth.xxx.xxx) xxx.xxx.143.180->/var/log/auth.log
    Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of time."
    Portion of the log(s):

    Mar 25 06:27:15 sloth sshd[5896]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gw.digitalsheep.co.jp user=root

    <rule id="100017" level="0">
      <if_sid>5551,5720,5712,5703</if_sid>
      <hostname>sloth</hostname>
      <description>Ignoring ssh brute force attacks</description>
    </rule>

I don't get an error with this one, but I still receive alerts. The dozens of other rules I have work as expected, so I'm at a complete loss here. "sloth" is also not the only agent I have problems with. sloth is on Ubuntu, and I have some other clients with similar issues on CentOS.

Any help is appreciated! :)
