Yup makes sense, and I just got it that you can use your local rules for SIDs :)
THANKS!

On Thu, Aug 20, 2009 at 1:53 PM, Daniel Cid <[email protected]> wrote:
>
> Hi Adam,
>
> You have two options. If you have users A, B, C and D and you only
> want to get the alerts for users A and B, you can:
>
> - Write a rule matching on these two users and ignore the others:
>
> <rule id="100456" level="0">
>   <if_sid>xyz</if_sid>
>   <match>Ignoring for everything...</match>
> </rule>
>
> <rule id="100457" level="10">
>   <if_sid>100456</if_sid>
>   <user>A|B</user>
>   <match>Alert for users A and B</match>
> </rule>
>
> - Or write a rule to ignore for users C and D and alert for all others:
>
> <rule id="100456" level="10">
>   <if_sid>xyz</if_sid>
>   <match>Alert everything...</match>
> </rule>
>
> <rule id="100457" level="0">
>   <if_sid>100456</if_sid>
>   <user>C|D</user>
>   <match>Ignore for users C and D</match>
> </rule>
>
> Does that make sense?
>
> thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, Aug 19, 2009 at 9:47 AM, Adam Gardner <[email protected]> wrote:
>>
>> Ok, but what if you are trying to alert on user lockouts in AD, but
>> only want to see the service accounts being locked out. How would you
>> go about ignoring all the other users in the company and only match
>> the service accounts? Would you have to put each service account in
>> the rule?
>>
>> On Jul 23, 1:44 pm, Daniel Cid <[email protected]> wrote:
>>> Hi Rafael,
>>>
>>> If you don't want an alert if the log matches a string, just set the
>>> severity to 0. For example:
>>>
>>> <rule id="100456" level="0">
>>>   <if_sid>xyz</if_sid>
>>>   <match>testing this rule</match>
>>> </rule>
>>>
>>> It accomplishes the same thing as the negation.
>>>
>>> Thanks,
>>>
>>> --
>>> Daniel B. Cid
>>> dcid ( at ) ossec.net
>>>
>>> On Fri, Jul 10, 2009 at 3:42 PM, Rafael Gomes <[email protected]> wrote:
>>>
>>> > Hi,
>>> >
>>> > I want to modify a rule so that I don't get an alert that matches "testing this
>>> > rule" (for example).
>>> >
>>> > I should put this in the rule:
>>> >
>>> > <match>!testing this rule</match>
>>> >
>>> > Correct?
>>> >
>>> > Thanks!
>>> > --
>>> > Rafael Brito Gomes
>>> > Projeto UFBA
>>> > LPIC-1
>>> > CPM Braxis
>>> > Tel : +55 71 3283 6102
>>> > http://www.cpmbraxis.com
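As an added illustration of the two tricks in this thread (a level-0 rule to silence events, and a child rule with `<user>A|B</user>` to re-raise only selected accounts), the following Python script is not from the thread or from OSSEC itself; it mimics how OSSEC walks a parent rule and its `if_sid` children and lets the deepest match set the final level. It assumes a constructed parent rule 100400 standing in for the thread's "xyz", constructed lockout events, and Python's `re` as a stand-in for OSSEC's own regex syntax.

```python
import re
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment after Daniel's first option. Rule 100400 is an
# assumed parent (the "xyz" in the thread) matching AD lockout logs; 100456 silences
# everything beneath it and 100457 re-raises only the two service accounts.
LOCAL_RULES = """<group name="local,">
  <rule id="100400" level="5"><match>account was locked out</match></rule>
  <rule id="100456" level="0"><if_sid>100400</if_sid><match>locked out</match></rule>
  <rule id="100457" level="10"><if_sid>100456</if_sid><user>svc_backup|svc_sql</user></rule>
</group>"""

def load_rules(xml_text):
    """Parse the fields this toy evaluator understands: id, level, if_sid, match, user."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({"id": r.get("id"), "level": int(r.get("level")),
                      "if_sid": r.findtext("if_sid"), "match": r.findtext("match"),
                      "user": r.findtext("user")})
    return rules

def rule_matches(rule, event):
    # <match> is a substring test; <user> is an alternation ("A|B"), checked here with
    # Python's re as a stand-in for OSSEC's own regex engine.
    if rule["match"] and rule["match"] not in event["log"]:
        return False
    if rule["user"] and not re.fullmatch(rule["user"], event.get("user", "")):
        return False
    return True

def evaluate(rules, event):
    """Return (rule id, level) of the deepest matching rule, or None if no root rule fires.
    A final level of 0 means OSSEC drops the event without alerting."""
    matched = next((r for r in rules if r["if_sid"] is None and rule_matches(r, event)), None)
    while matched is not None:
        child = next((r for r in rules
                      if r["if_sid"] == matched["id"] and rule_matches(r, event)), None)
        if child is None:
            break
        matched = child  # the child's level overrides the parent's
    return None if matched is None else (matched["id"], matched["level"])

RULES = load_rules(LOCAL_RULES)

if __name__ == "__main__":
    # Constructed events: a service-account lockout, an ordinary user lockout, a non-lockout.
    for ev in ({"user": "svc_sql", "log": "account was locked out"},
               {"user": "jsmith", "log": "account was locked out"},
               {"user": "jsmith", "log": "logon succeeded"}):
        print(ev["user"], "->", evaluate(RULES, ev))
```

Swapping the levels and the user list gives Daniel's second option (alert on everyone, silence C and D) with no change to the evaluator.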
