Create a new rule, and reference the original rule with the <if_sid>SID_NUMBER</if_sid> option.
The local_rules.xml has some examples that should help you get started.

On Thu, Apr 16, 2009 at 4:11 PM, Vianney Lejeune <[email protected]> wrote:
>
> Thanks for your reply. But how can I modify a rule provided out of the
> box by Ossec through my local rule file?
>
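
A sketch of the approach described in the reply above, added here as an illustration and not taken from the thread or from the OSSEC distribution. It assumes the parent is stock rule 5716 (sshd authentication failed), that the file is at the default install path, and that the rule IDs, source address and match string are constructed values to be replaced with your own.

```xml
<!-- /var/ossec/rules/local_rules.xml (default install path, assumed) -->
<!-- Added example: rule IDs, the IP address and the match string are constructed. -->
<group name="local,syslog,">

  <!-- Child of the stock rule: evaluated only when the parent (5716) has
       already matched. Level 0 suppresses the alert for one trusted source,
       without touching the file that ships the parent rule. -->
  <rule id="100010" level="0">
    <if_sid>5716</if_sid>
    <srcip>192.0.2.10</srcip>
    <description>Ignore sshd authentication failures from the internal scanner.</description>
  </rule>

  <!-- Second child of the same parent: raise the severity when the failed
       login targets root. Events that match neither child keep the parent's
       original level. -->
  <rule id="100011" level="10">
    <if_sid>5716</if_sid>
    <match>for root from</match>
    <description>sshd authentication failure for the root account.</description>
  </rule>

</group>
```

Keeping overrides in local_rules.xml with IDs in the user-defined range (100000 and up) means they are not overwritten when the stock rule files are upgraded.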
