Dan,
Adding that made the alerts stop. That's really good, thank you!
Now my question is why did adding the <if_sid> finally work?
Here's a rule that works fine (doesn't send alerts):
<group name="local,syslog,">
<rule id="100009" level="0">
<match>Accepted publickey for X from 1.2.3.4</match>
<description>Ignore ssh connections by X on network</description>
</rule>
</group>
But this doesn't work unless I use <if_sid>:
<group name="local,accesslog,apache,">
<rule id="200004" level="0">
<srcip>1.2.3.4</srcip>
<regex>www\.example\.com/v9/windowsupdate/</regex>
<description>Windows update probes</description>
</rule>
</group>
By the way, I'm running the latest version, and it was installed
fresh.
-Brian
On Apr 14, 8:34 pm, "dan (ddp)" <[email protected]> wrote:
> If rule 200004 is your custom rule, it looks like it isn't being applied.
> Try adding <if_sid>31151</if_sid> to your rule.
>
> On Wed, Apr 14, 2010 at 3:17 PM, Brian <[email protected]> wrote:
> > In the email alert, however, it is being listed as "level 10", which
> > is leading me to believe my local rule is just being ignored:
>
> > Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes
> > from same source ip."
>
> > -Brian
--
Subscription settings: http://groups.google.com/group/ossec-list/subscribe?hl=en
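To illustrate why the <if_sid> matters, here is a small simulation of how a rule tree is walked (an added example, not from the thread or from OSSEC itself): top-level rules are tried in load order and the first match wins, then a matching child linked by <if_sid> overrides its parent's level. The base web access-log rule (id 1) and the event line are constructed stand-ins, and 31151 is modelled as a plain child rule rather than the frequency rule it really is.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    id: int
    level: int
    srcip: Optional[str] = None
    regex: Optional[str] = None
    if_sid: Optional[int] = None  # parent rule; None means top-level


def matches(rule: Rule, event: dict) -> bool:
    """A rule matches when every condition it carries is satisfied."""
    if rule.srcip is not None and event["srcip"] != rule.srcip:
        return False
    if rule.regex is not None and not re.search(rule.regex, event["log"]):
        return False
    return True


def evaluate(rules: List[Rule], event: dict) -> Optional[Rule]:
    """Simplified walk: first matching top-level rule wins, then the
    deepest matching <if_sid> child overrides it. Returns the rule that fires."""
    children = {}
    for r in rules:
        if r.if_sid is not None:
            children.setdefault(r.if_sid, []).append(r)

    def descend(rule: Rule) -> Rule:
        for child in children.get(rule.id, []):
            if matches(child, event):
                return descend(child)
        return rule

    for r in rules:
        if r.if_sid is None and matches(r, event):
            return descend(r)
    return None


# Constructed stand-in event: access-log line from 1.2.3.4 hitting the update path.
EVENT = {"srcip": "1.2.3.4", "log": "www.example.com/v9/windowsupdate/ 400"}
BASE = Rule(id=1, level=0)                      # stand-in base web rule: matches all
R31151 = Rule(id=31151, level=10, if_sid=1)     # modelled as a child of the base rule
LOCAL = dict(id=200004, level=0, srcip="1.2.3.4", regex=r"www\.example\.com/v9/windowsupdate/")

# Local rules load last; without if_sid, 200004 is a top-level rule never reached.
WITHOUT_IF_SID = [BASE, R31151, Rule(**LOCAL)]
# With if_sid, 200004 is a child of 31151 and its level 0 overrides the level 10.
WITH_IF_SID = [BASE, R31151, Rule(**LOCAL, if_sid=31151)]
```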