<rule id="blahblah" level="0">
  <if_sid>1002</if_sid>
  <description>Ignoring all rule id 1002 alerts instead of writing new rules</description>
</rule>

Or:

<rule id="blahblah + 1" level="0">
  <if_sid>1002</if_sid>
  <match>HandleDictionaryAttacks: Running task HandleDictionaryAttacks completed</match>
  <description>Ignore this, it's normal</description>
</rule>

On Tue, May 4, 2010 at 9:04 AM, Ray Parish <[email protected]> wrote:
> Received From: bad->/var/log/maillog
>
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> May 4 08:21:02 bad canitd[31904]: HandleDictionaryAttacks: Running task
> HandleDictionaryAttacks completed
>
> How can I tweak the local rules to set this level of log entry to "0"
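As an added illustration (not part of the original thread), the Python below models how the two kinds of local rule above differ: the narrow `<match>` rule only silences the canitd line, while the bare `<if_sid>` rule silences every rule 1002 alert. It is a simplified model of OSSEC's child-rule evaluation, not OSSEC's own code; the rule ids 100001/100002 and the second log line are assumptions, and both log lines are treated as ones rule 1002 has already fired on.

```python
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragments modelled on the two options in the reply.
# Ids 100001/100002 are assumptions (OSSEC reserves 100000+ for local rules).
NARROW_RULES = """<group name="local,syslog,">
  <rule id="100001" level="0">
    <if_sid>1002</if_sid>
    <match>HandleDictionaryAttacks: Running task HandleDictionaryAttacks completed</match>
    <description>CanIt dictionary-attack task finished; not a problem</description>
  </rule>
</group>"""

BROAD_RULES = """<group name="local,syslog,">
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <description>Ignore every rule 1002 alert</description>
  </rule>
</group>"""

# Constructed log lines: the one from the question, and a second (made-up) line
# that we assume rule 1002 also fired on but that an analyst would want to see.
LOG_CANIT = ("May  4 08:21:02 bad canitd[31904]: HandleDictionaryAttacks: "
             "Running task HandleDictionaryAttacks completed")
LOG_OTHER = "May  4 08:25:10 bad kernel: disk error on sda, unknown problem"

PARENT_SID, PARENT_LEVEL = "1002", 2  # rule 1002 alerts at level 2 (from the question)

def parse_rules(xml_text):
    """Pull id, level, if_sid list and optional <match> text out of each <rule>."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        sids = (r.findtext("if_sid") or "").split(",")
        rules.append({
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_sid": {s.strip() for s in sids if s.strip()},
            "match": r.findtext("match"),  # OSSEC <match> is a plain substring test
        })
    return rules

def effective_level(log_line, rules):
    """Simplified model: rule 1002 has fired on log_line; the first child rule
    whose if_sid names 1002 and whose <match> (if any) is a substring of the
    line overrides the parent's level. Returns (rule id, level)."""
    for rule in rules:
        if PARENT_SID not in rule["if_sid"]:
            continue
        if rule["match"] is None or rule["match"] in log_line:
            return rule["id"], rule["level"]
    return PARENT_SID, PARENT_LEVEL
```

With the narrow rule the kernel line still alerts at level 2; with the broad rule it is silenced along with the canitd line.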
