I would probably do something along the lines of:

  <rule id="SID" level="0">
    <decoded_as>snort</decoded_as>
    <if_sid>1002</if_sid>
    <match>Check for Bounce Attacks: YES alert: YES</match>
    <description>Ignore this snort startup message</description>
  </rule>
You can use /var/ossec/bin/ossec-logtest to test your rules.

On Wed, Mar 10, 2010 at 1:54 PM, Jefferson, Shawn <[email protected]> wrote:
> Ok, thanks! Do you see any problems with the rule that I do have though? I
> would expect that these alerts wouldn't come through at all, but they still
> seem to.
>
> Also, I don't want to ignore rule 1002 in general, just when the false
> positive matches appear (like the lines that get written to the log when
> Snort starts up that appear to OSSEC as events to report on.)
>
> Is my match tag appropriate for that?
>
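The following is an added illustration, not code from the list post or from OSSEC itself: a small Python model of the rule chain above, showing that the level-0 child only swallows lines its own <match> recognises while other rule 1002 hits still alert. It assumes the keyword list of the stock rule 1002 from syslog_rules.xml and treats <match> as a case-insensitive substring test, so the real engine (checked with ossec-logtest) remains the authority.

```python
# Added model (not the post's own code): rule 1002 still fires on its generic
# keywords, but a level-0 child with <if_sid>1002</if_sid> swallows only the
# lines its own <match> recognises. Simplification: <match> is treated as a
# case-insensitive substring test with '|' as OR; verify against the real
# engine with /var/ossec/bin/ossec-logtest before deploying.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    sid: int
    level: int                    # 0 means "match but do not alert"
    match: str                    # <match> text; '|' separates alternatives
    if_sid: Optional[int] = None  # parent SID this rule refines

def matches(pattern: str, line: str) -> bool:
    """Simplified OS_Match: any alternative found as a substring."""
    low = line.lower()
    return any(alt.lower() in low for alt in pattern.split("|"))

# Assumption: keyword list of the stock rule 1002 in syslog_rules.xml.
RULE_1002 = Rule(1002, 2,
    "core_dumped|failure|error|attack| bad |illegal |denied|refused|"
    "unauthorized|fatal|failed|Segmentation Fault|Corrupted")

# The child rule from the reply; 100200 stands in for the post's SID placeholder.
IGNORE_SNORT_STARTUP = Rule(100200, 0,
    "Check for Bounce Attacks: YES alert: YES", if_sid=1002)
RULES = [RULE_1002, IGNORE_SNORT_STARTUP]

def evaluate(line: str, rules: List[Rule] = RULES) -> Optional[Rule]:
    """Return the rule whose level decides the outcome for one log line."""
    fired = next((r for r in rules
                  if r.if_sid is None and matches(r.match, line)), None)
    if fired is None:
        return None
    # Children of the fired rule are tried next; a matching child overrides it.
    for child in rules:
        if child.if_sid == fired.sid and matches(child.match, line):
            return child
    return fired

def alert_level(line: str, rules: List[Rule] = RULES) -> int:
    rule = evaluate(line, rules)
    return rule.level if rule else 0

# Constructed sample lines, not real captured logs.
STARTUP_NOISE = "snort[1234]: Check for Bounce Attacks: YES alert: YES"
REAL_PROBLEM = "snort[1234]: FATAL ERROR: Unable to open rules file"
BENIGN = "snort[1234]: Initializing Network Interface eth0"
```

With these inputs the startup line resolves to the level-0 child, the FATAL line still lands on rule 1002 at level 2, and the benign line matches nothing.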
