> This will be OK for testing, but you're probably better off using rule
> IDs in the user range of 100,000-120,000 so that there aren't any
> conflicts during an upgrade. When they get accepted into the project,
> Daniel will assign a unique group of IDs.

I've gone back and changed the rules I've created to use the 120200 and 120300 range.

> OSSEC Rule ID Groupings and Best Practices:
> http://ossec.net/wiki/index.php/Know_How:RuleIDGrouping

Thanks! I've been having a bit of trouble locating documentation on the website. I've printed and read the manual. I've slowly been going through the wiki, but I didn't see either of the links you've posted... :( I do try to RTFM before asking questions, but I haven't gotten down the navigation of the site's wiki.

> This should help: http://ossec.net/wiki/index.php/Know_How:Rules_Severity
>
> In my experience, however, simply use this as a guide. If there is
> something that warrants a larger or smaller severity then simply use
> good judgment.

I suppose that remains to be determined? ;) I've gone through and changed them from the default 5 that I set. Hopefully the new alerts I've set will be more appropriate.

> You can make up your own groups, but try to use the pre-defined groups
> where it makes sense. More info here:
> http://ossec.net/wiki/index.php/Know_How:Rule_Groups

I've updated my rules to use the predefined groups where it makes sense.

> One final tip: use the local_decoder.xml file until this is accepted
> into the project, because if you don't, you might lose all your work
> during an upgrade!

I didn't know there was even a local_decoder until now... I've moved my decoders over to local_decoder and it tested fine with new SIDs, alert levels and grouping.

Your reply was most helpful! :) I'll reply again with the latest rules files and local decoder file. I hope I can contribute more to this project. I already have a couple of ideas on how else to utilize OSSEC. I have several services/devices that I can write decoders/rules for. I'm just trying to figure out the exact purpose of OSSEC and how I should use it in my environment.
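The advice exchanged above (rule IDs in the local range, sensible levels, predefined groups, decoders kept in local_decoder.xml) is easy to get wrong by hand, so here is an added example that is not part of the thread and not OSSEC's own code: a Python script that parses a constructed local_decoder.xml / local_rules.xml pair, checks every rule ID against the local range (100,000 to 119,999 is assumed here as the precise form of the "100,000-120,000" quoted in the reply), checks levels and parent-rule references, reports the effective groups, and runs the decoders over a constructed log line. The "myapp" decoder, rule IDs 100200-100202 and the sample log line are all made up for illustration. The decoder regex deliberately uses only syntax shared by OSSEC's own regex engine and Python's `re`, and `decode()` only approximates what ossec-logtest does; ossec-logtest remains the authoritative check before deploying.

```python
"""Sanity-check a local_rules.xml / local_decoder.xml pair before installing it.
Added example, not OSSEC code.  The 'myapp' decoder, rule IDs and log line are
constructed for illustration; decode() approximates ossec-logtest only."""
import re
import xml.etree.ElementTree as ET

# Range reserved for local rules (assumption: 100,000-119,999, per the reply above).
USER_ID_MIN, USER_ID_MAX = 100000, 119999

# Constructed local_decoder.xml: a parent decoder selected by <prematch>, and a
# child decoder whose <regex> captures fields named by <order>.
LOCAL_DECODER_XML = r"""
<decoder name="myapp">
  <prematch>^myapp: </prematch>
</decoder>
<decoder name="myapp-login-failed">
  <parent>myapp</parent>
  <regex offset="after_prematch">^login failed for (\S+) from (\d+\.\d+\.\d+\.\d+)$</regex>
  <order>user, srcip</order>
</decoder>
"""

# Constructed local_rules.xml: IDs in the local range, a grouping rule, a child
# rule, and a frequency rule; groups reuse OSSEC's authentication_* names.
LOCAL_RULES_XML = """
<group name="local,myapp,">
  <rule id="100200" level="0">
    <decoded_as>myapp</decoded_as>
    <description>myapp messages grouped.</description>
  </rule>
  <rule id="100201" level="5">
    <if_sid>100200</if_sid>
    <match>login failed</match>
    <description>myapp: failed login.</description>
    <group>authentication_failed,</group>
  </rule>
  <rule id="100202" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100201</if_matched_sid>
    <same_source_ip />
    <description>myapp: multiple failed logins from the same source.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
"""


def _parse_fragment(text):
    # OSSEC rule and decoder files have several top-level elements, so wrap them.
    return ET.fromstring("<ossec>" + text + "</ossec>")


def check_rules(rules_xml):
    """Return a list of problems found in a local_rules.xml fragment (empty = clean)."""
    problems, seen, order = [], {}, {}
    for idx, rule in enumerate(_parse_fragment(rules_xml).iter("rule")):
        rid, level = int(rule.get("id")), int(rule.get("level"))
        if not USER_ID_MIN <= rid <= USER_ID_MAX:
            problems.append(f"rule {rid}: id outside local range {USER_ID_MIN}-{USER_ID_MAX}")
        if rid in seen:
            problems.append(f"rule {rid}: duplicate id")
        if not 0 <= level <= 15:
            problems.append(f"rule {rid}: level {level} not in 0-15")
        if rule.find("description") is None:
            problems.append(f"rule {rid}: missing <description>")
        seen[rid], order[rid] = rule, idx
    # Parent references must point at a stock rule or at a local rule defined earlier.
    for rid, rule in seen.items():
        for tag in ("if_sid", "if_matched_sid"):
            for ref in rule.findall(tag):
                for parent in (p.strip() for p in ref.text.split(",") if p.strip()):
                    p = int(parent)
                    if p < USER_ID_MIN:
                        continue  # shipped with OSSEC; not checked here
                    if p not in seen:
                        problems.append(f"rule {rid}: {tag} references undefined local rule {p}")
                    elif order[p] > order[rid]:
                        problems.append(f"rule {rid}: {tag} references rule {p} defined after it")
    return problems


def rule_groups(rules_xml):
    """Map rule id -> effective groups (enclosing <group name> plus the rule's own)."""
    result = {}
    for grp in _parse_fragment(rules_xml).findall("group"):
        inherited = {g.strip() for g in grp.get("name", "").split(",") if g.strip()}
        for rule in grp.findall("rule"):
            own = {g.strip() for r in rule.findall("group") for g in r.text.split(",") if g.strip()}
            result[int(rule.get("id"))] = inherited | own
    return result


def decode(decoder_xml, log_line):
    """Approximate OSSEC decoding: parent <prematch>, then a child <regex> whose
    captures are named by <order>.  Assumes offset="after_prematch" on children."""
    decoders = _parse_fragment(decoder_xml).findall("decoder")
    for parent in (d for d in decoders if d.find("parent") is None):
        m = re.search(parent.find("prematch").text, log_line)
        if not m:
            continue
        rest, fields = log_line[m.end():], {"decoder": parent.get("name")}
        for child in (d for d in decoders if d.find("parent") is not None
                      and d.find("parent").text == parent.get("name")):
            cm = re.search(child.find("regex").text, rest)
            if cm:
                names = [n.strip() for n in child.find("order").text.split(",")]
                fields.update(zip(names, cm.groups()))
                break
        return fields
    return None  # no decoder matched


if __name__ == "__main__":
    print(check_rules(LOCAL_RULES_XML) or "rules OK")
    print(rule_groups(LOCAL_RULES_XML))
    print(decode(LOCAL_DECODER_XML, "myapp: login failed for admin from 203.0.113.7"))
```

Run it against your real files by reading them into the two string variables; a non-empty list from `check_rules()` is the kind of thing (an ID in the stock range, a child rule placed before its parent) that otherwise only surfaces as a confusing error from ossec-logtest or, worse, silently after an upgrade.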
