Hey, using program name is sufficient if you want to exclude about all snort logs that would match rule 1002. There is no extra <match> option needed. Instead of <program_name> you can also use <decoded_as>snort</decoded_as>, or both (cf. decoders.xml to see if there is any other program_name affected by the snort decoder; if there isn't, decoded_as is fine).

It is important to realize the consequences such a rule can have. A local rule like

  <rule id="111111" level="0">
    <if_sid>1002</if_sid>
    <decoded_as>snort</decoded_as>
    <!-- or alternatively <program_name>snort</program_name> -->
  </rule>

will result in no notification for every event that is decoded as snort, matches rule 1002 and does not also match any other rule with a lower id than 111111. So it might be that you exclude some snort messages you'd actually like to be notified about.

On Wed, Mar 10, 2010 at 9:59 PM, Doug Burks <[email protected]> wrote:
> The decoder puts "snort" in program_name. Perhaps <match> doesn't
> apply to program_name. What happens if you use the program_name line
> from my rule and NO match line?
> Doug
>
>

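As an added illustration of the caveat in the reply above (not part of the original thread or of the OSSEC rule set), here is a local_rules.xml fragment that places the broad silencing rule next to a narrower one. The narrower rule keeps rule 1002 alive for snort events and only drops those whose message carries a specific, assumed substring ("[Priority: 3]" is a constructed example taken from Snort's syslog alert format, not a value from the thread). Rule ids 111111 and 111112 are arbitrary local ids.

```xml
<group name="local,syslog,">

  <!-- Broad version: every event decoded as snort that matched rule 1002
       is set to level 0 and produces no alert at all. -->
  <rule id="111111" level="0">
    <if_sid>1002</if_sid>
    <decoded_as>snort</decoded_as>
    <description>Ignore all snort events caught by the bad-words rule 1002</description>
  </rule>

  <!-- Narrow version (use instead of 111111, not together with it): only
       snort events matched by 1002 whose text contains the assumed
       substring "[Priority: 3]" are silenced. Any other snort event that
       matches 1002 still alerts at 1002's own level. -->
  <rule id="111112" level="0">
    <if_sid>1002</if_sid>
    <decoded_as>snort</decoded_as>
    <match>[Priority: 3]</match>
    <description>Ignore low-priority snort events caught by rule 1002</description>
  </rule>

</group>
```

Keep only one of the two rules in the file; because both are children of 1002, whichever is present decides what gets dropped, and the narrower one is the safer starting point.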