Hi,
I'm still fighting with the local rules, trying to get something that will work
for suppressing some of the alerts. When you make a change to the local rules
file on the manager, do you have to restart the ossec agents on the manager AND
the clients? You do that by "ossec-control restart" right? What is the
meaning of the group tag in the local rules file? Can I put anything I want in
there, and is that used for reporting only?
Here are the messages I want to ignore:
---
Received From: (snort02) 172.16.4.21->/var/log/auth.log
Rule: 20100 fired (level 8) -> "First time this IDS alert is generated."
<snip>
---
Received From: (snort01) 172.16.4.20->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Mar 10 04:00:02 bcfids01 snort[4701]: Check for Bounce Attacks: YES
alert: YES
---
And the rules I've created to do so (I took out the hostname tag that wasn't
working):
<!-- Snort Events to Ignore -->
<group name="local,syslog,snort">
  <rule id="100100" level="0" noalert="1">
    <if_sid>20100</if_sid>
    <description>Ignoring first time seen snort events</description>
  </rule>
</group>

<!-- Syslog Events to Ignore -->
<group name="local,syslog">
  <rule id="100101" level="0" noalert="1">
    <if_sid>1002</if_sid>
    <match>snort[</match>
    <description>Ignoring syslog events from snort startup</description>
  </rule>
</group>
Thanks for your help!
Shawn
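One way to sanity-check a local_rules.xml fragment like the one above before restarting anything: an added Python example, not part of the post or of OSSEC itself, that parses the two groups, flags the things that usually stop a suppression rule from taking effect, and simulates OSSEC's substring <match> against the quoted syslog line. The 100000-119999 id range for user rules and the substring semantics of <match> are OSSEC's documented behaviour; the match simulation is a simplification that ignores <regex>, <hostname> and other conditions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two groups from the post as they sit in local_rules.xml
LOCAL_RULES = """
<group name="local,syslog,snort">
  <rule id="100100" level="0" noalert="1">
    <if_sid>20100</if_sid>
    <description>Ignoring first time seen snort events</description>
  </rule>
</group>
<group name="local,syslog">
  <rule id="100101" level="0" noalert="1">
    <if_sid>1002</if_sid>
    <match>snort[</match>
    <description>Ignoring syslog events from snort startup</description>
  </rule>
</group>
"""

def parse_local_rules(text):
    """local_rules.xml has several top-level <group>s, so wrap it in a root first."""
    root = ET.fromstring("<root>" + text + "</root>")
    rules = []
    for group in root.findall("group"):
        for rule in group.findall("rule"):
            sids = rule.findtext("if_sid") or ""
            rules.append({
                "id": int(rule.get("id")),
                "level": int(rule.get("level", "0")),
                "if_sid": [int(s) for s in sids.split(",") if s.strip()],
                "match": rule.findtext("match"),  # plain substring in OSSEC
            })
    return rules

def check_rules(rules):
    """Return the problems that would keep these rules from silently suppressing."""
    problems = []
    for r in rules:
        if not 100000 <= r["id"] < 120000:
            problems.append(f"rule {r['id']}: id outside the local range 100000-119999")
        if not r["if_sid"]:
            problems.append(f"rule {r['id']}: no if_sid, so it is not chained to a parent rule")
        if r["level"] != 0:
            problems.append(f"rule {r['id']}: level {r['level']} still produces an alert")
    return problems

def suppresses(rules, parent_sid, log_line):
    """Id of the first rule chained to parent_sid whose <match> fits the log line, else None."""
    return next((r["id"] for r in rules
                 if parent_sid in r["if_sid"]
                 and (r["match"] is None or r["match"] in log_line)), None)
```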