Personal preference really. I use the "overwrite" method for this rule myself. If something in the real rule 554 changes, keeping track of those changes and making them (or similar changes) in my overwritten version might be a good reason for some people to go with the if_sid method.
On Sun, Mar 7, 2010 at 9:47 AM, Dave S <[email protected]> wrote:
> I was reading Wim's latest post at
> http://groups.google.com/group/ossec-list/browse_thread/thread/7acaead39fff64d8
>
> The author wanted to change the behavior of a default rule. Rather
> than editing the rule, Wim suggested writing a new rule to change the
> system's behavior as follows:
>
> <rule id="554" level="0">
>   <category>ossec</category>
>   <description>This rule issues no alerts. We don't want that.</description>
> </rule>
> .....
> <rule id="100001" level="3">
>   <if_sid>554</if_sid>
>   <description>Rule now issues a level 3 alert</description>
> </rule>
>
> My question is, why not overwrite the rule? Like as follows:
>
> <rule id="554" level="3" overwrite="yes">
>   <description>Rule now issues a level 3 alert</description>
> </rule>
>
> What is the difference between doing one or the other?
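A small lint, added here as an example and not code from OSSEC or from either poster, that parses a local_rules.xml fragment and reports which stock rules are overwritten, which are extended through if_sid, and the two mistakes easiest to make when choosing between the styles (redefining an id without overwrite="yes", or pointing if_sid at an id that exists nowhere). Rule 554 and the levels come from the thread; STOCK_RULE_IDS and both sample fragments are constructed for the example.

```python
"""Lint an OSSEC local_rules.xml fragment for the two customisation styles
from the thread: overwrite="yes" on the stock rule's own id, or a new rule
chained to it with <if_sid>.  Added example, not OSSEC code."""
import xml.etree.ElementTree as ET

# Constructed: ids assumed to exist in the stock rule set (554 is from the thread).
STOCK_RULE_IDS = {554}

# Constructed fragment using both styles from the thread side by side.
GOOD_RULES = """<group name="local,">
  <rule id="100001" level="3">
    <if_sid>554</if_sid>
    <description>Rule now issues a level 3 alert</description>
  </rule>
  <rule id="554" level="3" overwrite="yes">
    <description>Rule now issues a level 3 alert</description>
  </rule>
</group>"""

# Constructed fragment with two typical mistakes.
BAD_RULES = """<group name="local,">
  <rule id="554" level="3">
    <description>Redefines 554 but forgot overwrite="yes"</description>
  </rule>
  <rule id="100002" level="5">
    <if_sid>100999</if_sid>
    <description>Chains to a rule id that exists nowhere</description>
  </rule>
</group>"""

def lint_local_rules(xml_text, stock_ids=STOCK_RULE_IDS):
    """Return (overwritten_ids, {parent_id: [child ids]}, [error strings])."""
    root = ET.fromstring(xml_text)
    local_ids = [int(r.get("id")) for r in root.iter("rule")]
    known = set(stock_ids) | set(local_ids)          # every id if_sid may point at
    overwritten, children, errors = set(), {}, []
    for rule in root.iter("rule"):
        rid = int(rule.get("id"))
        if rule.get("overwrite", "no").lower() == "yes":
            overwritten.add(rid)
            if rid not in stock_ids:                 # nothing to overwrite
                errors.append(f'rule {rid}: overwrite="yes" but no stock rule has this id')
        elif rid in stock_ids or local_ids.count(rid) > 1:
            errors.append(f'rule {rid}: duplicate id without overwrite="yes"')
        for sid in rule.findall("if_sid"):           # if_sid may list several ids
            for pid in sid.text.replace(" ", "").split(","):
                if int(pid) in known:
                    children.setdefault(int(pid), []).append(rid)
                else:
                    errors.append(f"rule {rid}: if_sid {pid} references an unknown rule")
    return overwritten, children, errors
```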
