Hi, I have tried this, but unfortunately it doesn't seem to work for the "snort02" hostname (i.e. I still get alerts from that machine, but not from snort01).
Thanks,
Shawn

________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of oscar schneider
Sent: Wednesday, March 03, 2010 4:35 AM
To: [email protected]
Subject: Re: [ossec-list] Local Rules Syntax

Hey, not sure at the moment but I think it should be <hostname>snort01|snort02</hostname> instead.

Kind regards,
oscar

On Tue, Mar 2, 2010 at 6:55 PM, Jefferson, Shawn <[email protected]> wrote:

Hi, I'm putting some local rules into the local_rules.xml file on the manager (from what I've read you can put them here to push out to your agents?). Can you use a comma separated list in <hostname> like so?

<group name="local,snort">
  <rule id="100100" level="0" noalert="1">
    <if_sid>20100</if_sid>
    <hostname>snort01, snort02</hostname>
    <description>Ignoring snort events</description>
  </rule>
</group>

Or should you use a regex?

Thanks,
Shawn
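To see which hosts a <hostname> pattern actually covers before restarting the manager with it, here is an added Python model (not OSSEC's own code and not part of this thread) of the documented OS_Match syntax that <hostname> uses: "|" is alternation, "^" and "$" are anchors, everything else is a literal substring match. The second rule id (100101) and the function names are assumptions made for this demo.

```python
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment: the comma form from the question
# (rule 100100) next to the "|" form from the reply (rule 100101, assumed id).
LOCAL_RULES = """<group name="local,snort">
  <rule id="100100" level="0" noalert="1">
    <if_sid>20100</if_sid>
    <hostname>snort01, snort02</hostname>
    <description>Ignoring snort events</description>
  </rule>
  <rule id="100101" level="0" noalert="1">
    <if_sid>20100</if_sid>
    <hostname>snort01|snort02</hostname>
    <description>Ignoring snort events</description>
  </rule>
</group>"""


def os_match(pattern: str, text: str) -> bool:
    """Simplified model of OSSEC's OS_Match: each '|' alternative is a literal
    substring, optionally anchored with '^' (start) and/or '$' (end).
    No character classes or wildcards; this is a teaching model, not OSSEC."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        body = alt[1:] if anchored_start else alt
        anchored_end = body.endswith("$")
        if anchored_end:
            body = body[:-1]
        if anchored_start and anchored_end:
            hit = text == body
        elif anchored_start:
            hit = text.startswith(body)
        elif anchored_end:
            hit = text.endswith(body)
        else:
            hit = body in text
        if hit:
            return True
    return False


def hostname_patterns(rules_xml: str) -> dict:
    """Map rule id -> <hostname> pattern for every rule in the fragment."""
    root = ET.fromstring(rules_xml)
    return {r.get("id"): r.findtext("hostname") for r in root.iter("rule")}


def matching_rules(rules_xml: str, hostname: str) -> list:
    """Rule ids whose <hostname> pattern would match the given agent hostname."""
    return [rid for rid, pat in hostname_patterns(rules_xml).items()
            if pat and os_match(pat, hostname)]
```

Under this model the comma form matches no host at all, because "snort01, snort02" is taken as one literal string; rules in local_rules.xml are evaluated by the manager's analysis daemon, which must be restarted to load the change.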
