I was reading Wim's latest post at
http://groups.google.com/group/ossec-list/browse_thread/thread/7acaead39fff64d8
The author wanted to change the behavior of a default rule. Rather
than editing the rule, Wim suggested writing a new rule to change the
system's behavior as follows:
<rule id="554" level="0">
<category>ossec</category>
<description>This rule issues no alerts. We don't want that.</description>
</rule>
.....
<rule id="100001" level="3">
<if_sid>554</if_sid>
<description>Rule now issues a level 3 alert</description>
</rule>
My question is, why not overwrite the rule, like so:
<rule id="554" level="3" overwrite="yes">
<description>Rule now issues a level 3 alert</description>
</rule>
What is the difference between doing one or the other?