Brian,

No. The level="0" is used to ignore the rule, with no action taken, primarily to 
avoid false positives. The <options>no-email-alert</options> basically 
overrides your global email settings in your ossec.conf file.

Dennis Carter
Pinellas County Govt
Business Technology Services
727-464-4527

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Brian
Sent: Wednesday, April 14, 2010 11:17 AM
To: ossec-list
Subject: [ossec-list] Re: Rule for web access_log not working

Dennis,

Is <options>no_email_alert</options> a new change? The docs mention
level="0" as turning off the alert for a specific rule. I have
level="0" set for other, non apache rules in local_rules.xml, and they
seem to be working as desired with no alerts.

-Brian

On Apr 14, 8:04 am, "Carter, Dennis A" <[email protected]>
wrote:
> Brian,
>
> If you do not want the e-mail alerts then add option tag to your rule.
>
> <options>no_email_alert</options>
>
> Dennis Carter
> Pinellas County Govt
> Business Technology Services
> 727-464-4527
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Brian
> Sent: Tuesday, April 13, 2010 5:22 PM
> To: ossec-list
> Subject: [ossec-list] Rule for web access_log not working
>
> I have the following "whitelist" rule that is still producing email
> alerts, in local_rules.xml
>
> <group name="web,accesslog,apache,">
>    <rule id="200004" level="0">
>       <srcip>1.2.3.4</srcip>
>       <regex>www\.example\.com/v9/windowsupdate/</regex>
>       <description>X is asking for Windows updates?</description>
>    </rule>
> </group>
>
> $ grep -1 local_rules ossec.conf
>     <include>attack_rules.xml</include>
>     <include>local_rules.xml</include>
>   </rules>
> $
>
> I have verified that IP 1.2.3.4 is indeed valid and showing up in the
> Apache log, and I've added the relevant Apache log to ossec.conf via
> (and restarted ossec):
>
> <localfile>
>     <log_format>apache</log_format>
>     <location>/var/log/httpd/domain.com-access_log</location>
> </localfile>
>
> Instead of <regex> I've also tried simply:
>
> <match>www.example.com/v9/windowsupdate/</match>
>
> ... and:
>
> <url>www.example.com/v9/windowsupdate/</url>
>
> I've also tried removing the <srcip> line, and I've tried all
> combinations of:
>
> <group name="web,accesslog,">
> <group name="apache,">
> <group name="syslog,">
> <group name="local,web,accesslog,apache,">
> And numerous other combinations.
>
> The access_log line looks like this:
>
> 1.2.3.4 - - [13/Apr/2010:16:26:40 -0400] "GET http://www.example.com/v9/windowsupdate/redir/muv4wuredir.cab?1004132022 HTTP/1.1" 404 307 "-" "Windows-Update-Agent"
>
> I've read these:
>
> http://www.ossec.net/wiki/UserRules
> http://www.ossec.net/main/manual/configuration-options/
>
> For the life of me I can't figure out what I'm doing wrong. Thank you
> for any help!
>
> -Brian
>
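A small offline harness for checking whether a rule's <srcip>, <regex>, <match> and <url> conditions would fire on a given access_log line, using OSSEC's documented pattern syntax (OS_Match for <match>/<url>, OSSEC regex where `\.` means any character). This is an added example, not code from the thread or from OSSEC; the decode_accesslog() function is a simplified assumption about the fields the web-accesslog decoder extracts, and the log line is constructed after the one Brian quoted.

```python
"""Offline check of one OSSEC rule's conditions against an access_log line.
Added example, not from the thread or from OSSEC: it implements only the documented
pattern semantics (<match>/<url> use OS_Match: literal substring, optional ^ and $
anchors, '|' alternation; <regex> uses OSSEC syntax, where '\\.' means ANY char and
a bare '.' is literal). decode_accesslog() is a simplified, assumed decoder."""
import re
# Constructed sample, modelled on the access_log line quoted in the thread.
ACCESS_LOG_LINE = ('1.2.3.4 - - [13/Apr/2010:16:26:40 -0400] "GET http://www.example.com'
                   '/v9/windowsupdate/redir/muv4wuredir.cab?1004132022 HTTP/1.1" '
                   '404 307 "-" "Windows-Update-Agent"')
CLF = re.compile(r'^(?P<srcip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<id>\d{3}) ')

def decode_accesslog(line):
    """Return the srcip, url and id (HTTP status) fields a rule can test, or None."""
    m = CLF.match(line)
    return m.groupdict() if m else None

def ossec_regex_to_python(pattern):
    """OSSEC <regex> subset: \\. -> any char; \\d \\w \\s \\D \\W \\S kept; * + ^ $ | ( ) operators."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\' and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append('.' if nxt == '.' else '\\' + nxt if nxt in 'dwsDWS' else re.escape(nxt))
            i += 2
        else:
            out.append(c if c in '*+^$|()' else re.escape(c))  # any other char is literal
            i += 1
    return ''.join(out)

def ossec_match(pattern, text):
    """OS_Match semantics shared by <match> and <url>: any '|' alternative may hit."""
    for alt in pattern.split('|'):
        head, tail = alt.startswith('^'), alt.endswith('$')
        regex = ('^' if head else '') + re.escape(alt[head:len(alt) - tail]) + ('$' if tail else '')
        if re.search(regex, text):
            return True
    return False

def rule_conditions_match(rule, line):
    """Evaluate <srcip>, <regex>, <match> and <url> from a rule (dict tag -> value)."""
    f = decode_accesslog(line)
    if f is None:
        return False
    return (('srcip' not in rule or f['srcip'] == rule['srcip'])
            and ('regex' not in rule or re.search(ossec_regex_to_python(rule['regex']), line) is not None)
            and ('match' not in rule or ossec_match(rule['match'], line))
            and ('url' not in rule or ossec_match(rule['url'], f['url'])))

# The conditions of Brian's rule 200004 as quoted in the thread.
RULE_200004 = {'srcip': '1.2.3.4', 'regex': r'www\.example\.com/v9/windowsupdate/'}
```

Running `rule_conditions_match(RULE_200004, ACCESS_LOG_LINE)` returns True, so the rule's conditions do fit the line; the harness only checks matching, not where the rule sits in OSSEC's rule tree or how level="0" and no_email_alert are then applied.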