Dave, ossec_rules.xml will be overwritten by an upgrade while local_rules.xml will not. You will also have a good overview of what customisation you have done by going the local_rules.xml way.
Cheers,
W

On 07 Mar 2010, at 15:47, Dave S wrote:

> I was reading Wim's latest post at
> http://groups.google.com/group/ossec-list/browse_thread/thread/7acaead39fff64d8
>
> The author wanted to change the behavior of a default rule. Rather
> than editing the rule, Wim suggested writing a new rule to change the
> system's behavior as follows:
>
> <rule id="554" level="0">
>   <category>ossec</category>
>   <description>This rule issues no alerts. We don't want that.</description>
> </rule>
> .....
> <rule id="100001" level="3">
>   <if_sid>554</if_sid>
>   <description>Rule now issues a level 3 alert</description>
> </rule>
>
> My question is, why not overwrite the rule? Like as follows:
>
> <rule id="554" level="3" overwrite="yes">
>   <description>Rule now issues a level 3 alert</description>
> </rule>
>
> What is the difference between doing one or the other?
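Added example, not from the thread and not part of OSSEC: a small Python lint for local_rules.xml that reports each rule which changes a stock rule, either by chaining on it with <if_sid> or by replacing it with overwrite="yes". It assumes (OSSEC semantics, check against your installed version) that an overwriting rule replaces the stock rule entirely, so an overwrite that carries only a level and a description, as in the question above, has nothing left to match on. The two sample files are constructed for this example; the <category> and <decoded_as> lines in the complete overwrite are assumed to mirror stock rule 554 and should be copied from your own ossec_rules.xml.

```python
"""Lint an OSSEC local_rules.xml for rules that override stock rules.

Two approaches appear in the thread: chain a new rule on the stock one with
<if_sid>, or replace the stock rule with overwrite="yes". Assumption about
OSSEC semantics: an overwrite replaces the original rule completely, so the
overwriting rule must restate the original's match conditions or it can never
fire. This lint reports every override and flags that case.
"""
import xml.etree.ElementTree as ET

# Child elements that give a rule something to match on. If an overwrite="yes"
# rule contains none of them, the stock rule's conditions were not copied over.
MATCH_FIELDS = {
    "if_sid", "if_group", "if_matched_sid", "if_matched_group", "if_level",
    "if_fts", "match", "regex", "decoded_as", "category", "hostname",
    "program_name", "srcip", "dstip", "user", "url", "id", "status",
    "action", "extra_data", "time", "weekday",
}

# Constructed sample: the two alternatives from the thread in one file, with the
# overwrite written as proposed in the question (level and description only).
SAMPLE_AS_POSTED = """\
<group name="local,syslog,">
  <rule id="100001" level="3">
    <if_sid>554</if_sid>
    <description>Rule now issues a level 3 alert</description>
  </rule>
</group>

<group name="local,syscheck,">
  <rule id="554" level="3" overwrite="yes">
    <description>Rule now issues a level 3 alert</description>
  </rule>
</group>
"""

# Constructed sample of an overwrite that keeps the stock rule's conditions.
# <category> and <decoded_as> are ASSUMED to mirror stock rule 554; copy the
# real lines from the ossec_rules.xml shipped with your installation.
SAMPLE_OVERWRITE_COMPLETE = """\
<group name="local,syscheck,">
  <rule id="554" level="3" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system (now a level 3 alert)</description>
    <group>syscheck,</group>
  </rule>
</group>
"""


def parse_local_rules(text):
    """Yield every <rule> element in a local_rules.xml body."""
    # local_rules.xml usually holds several top-level <group> elements, which
    # is not a well-formed XML document, so wrap it in a synthetic root first.
    root = ET.fromstring("<ossec_rules>" + text + "</ossec_rules>")
    return root.iter("rule")


def lint_overrides(text):
    """Return one finding per override of a stock rule.

    Each finding is (rule_id, kind, target_id, problem): kind is "chain" for an
    <if_sid> dependency or "overwrite" for overwrite="yes"; problem is None
    when nothing looks wrong, otherwise a short message.
    """
    findings = []
    for rule in parse_local_rules(text):
        rid = rule.get("id")
        fields = {child.tag for child in rule}
        if rule.get("overwrite") == "yes":
            problem = None
            if not fields & MATCH_FIELDS:
                problem = ("overwrite carries no match conditions; copy them "
                           "from the original rule in ossec_rules.xml")
            findings.append((rid, "overwrite", rid, problem))
        # <if_sid> may list several parents separated by commas.
        for parent in rule.findall("if_sid"):
            for sid in (parent.text or "").split(","):
                sid = sid.strip()
                if sid:
                    findings.append((rid, "chain", sid, None))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_AS_POSTED, SAMPLE_OVERWRITE_COMPLETE):
        for rid, kind, target, problem in lint_overrides(sample):
            status = "OK" if problem is None else "WARN: " + problem
            print(f"rule {rid}: {kind} -> {target}: {status}")
        print("---")
```

Run it against a real local_rules.xml by replacing the sample strings with the file's contents; the chained rule 100001 is reported as a clean dependency on 554, the bare overwrite of 554 is flagged, and the overwrite that restates the stock conditions passes.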
