You only have to restart the server, not the clients.
The group tag is used for reporting and you can put whatever you want
in there.
Here's how I ignored Snort startup messages in my local_rules.xml:
<group name="local,syslog,snort">
  <rule id="101007" level="2">
    <if_sid>1002</if_sid>
    <program_name>^snort</program_name>
    <match>Check for Bounce Attacks: YES alert: YES</match>
    <description>Ignoring snort startup message (bounce attack check)</description>
  </rule>
</group>
I chose to err on the side of caution and created a rule for each
individual Snort message that I wanted to ignore.
Doug
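To make the rule chaining in the thread concrete, here is an added example (not from either poster or the OSSEC project) that models how a child rule with if_sid and program_name overrides the stock rule 1002 for the snort line quoted below. It assumes a cut-down syslog decoder, a few of rule 1002's keywords, and a child rule shaped like Doug's but given level 0 so OSSEC would drop the event.

```python
import re

# Constructed sample log lines: the first is the snort startup message from the thread,
# the second is a constructed non-snort line that should still stop at the stock rule.
LOGS = [
    "Mar 10 04:00:02 bcfids01 snort[4701]: Check for Bounce Attacks: YES alert: YES",
    "Mar 10 04:00:05 bcfids01 sshd[512]: possible break-in attack from 10.0.0.9",
]

# Cut-down stand-in for OSSEC's syslog decoder: extracts program_name and the message.
SYSLOG_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Rule table (assumed). 1002 approximates OSSEC's stock "Unknown problem" rule with only
# a few of its keywords; 101007 follows Doug's local rule, at level 0 so the event is
# dropped. A child rule (if_sid) overrides its parent when its own conditions also match.
RULES = [
    {"id": 1002, "level": 2, "if_sid": None, "program_name": None,
     "match": r"attack|error|failure|denied"},
    {"id": 101007, "level": 0, "if_sid": 1002, "program_name": r"^snort",
     "match": r"Check for Bounce Attacks: YES alert: YES"},
]

def decode(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"program_name": m.group("prog"), "message": m.group("msg")}

def rule_matches(rule, event):
    # OSSEC regexes are case-insensitive; mirror that here.
    if rule["program_name"] and not re.search(rule["program_name"], event["program_name"], re.I):
        return False
    return re.search(rule["match"], event["message"], re.I) is not None

def evaluate(line):
    """Return (rule_id, level) of the most specific matching rule, or None if nothing fires."""
    event = decode(line)
    if event is None:
        return None
    winner = next((r for r in RULES if r["if_sid"] is None and rule_matches(r, event)), None)
    while winner:
        child = next((r for r in RULES if r["if_sid"] == winner["id"] and rule_matches(r, event)), None)
        if child is None:
            break
        winner = child
    return (winner["id"], winner["level"]) if winner else None

if __name__ == "__main__":
    for line in LOGS:
        print(evaluate(line), "<-", line)
```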
On Mar 10, 12:09 pm, "Jefferson, Shawn"
<[email protected]> wrote:
> Hi,
>
> I'm still fighting with the local rules, trying to get something that will
> work for suppressing some of the alerts. When you make a change to the local
> rules file on the manager, do you have to restart the ossec agents on the
> manager AND the clients? You do that by "ossec-control restart" right? What
> is the meaning of the group tag in the local rules file? Can I put anything
> I want in there, and is that used for reporting only?
>
> Here are the messages I want to ignore:
>
> ---
> Received From: (snort02) 172.16.4.21->/var/log/auth.log
> Rule: 20100 fired (level 8) -> "First time this IDS alert is generated."
> <snip>
>
> ---
>
> Received From: (snort01) 172.16.4.20->/var/log/syslog
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Mar 10 04:00:02 bcfids01 snort[4701]: Check for Bounce Attacks: YES
> alert: YES
>
> ---
>
> And the rules I've created to do so (I took out the hostname tag that wasn't
> working):
>
> <!-- Snort Events to Ignore -->
> <group name="local,syslog,snort">
> <rule id="100100" level="0" noalert="1">
> <if_sid>20100</if_sid>
> <description>Ignoring first time seen snort events</description>
> </rule>
> </group>
>
> <!-- Syslog Events to Ignore -->
> <group name="local,syslog">
> <rule id="100101" level="0" noalert="1">
> <if_sid>1002</if_sid>
> <match>snort[</match>
> <description>Ignoring syslog events from snort startup</description>
> </rule>
> </group>
>
> Thanks for your help!
> Shawn