This worked. Thanks!

On Tue, May 4, 2010 at 10:10 AM, Doug Burks <[email protected]> wrote:
> Hi Ray,
>
> Try something like this:
>
> <rule id="101002" level="0">
>   <if_sid>1002</if_sid>
>   <program_name>^canitd</program_name>
>   <match>HandleDictionaryAttacks: Running task HandleDictionaryAttacks completed</match>
> </rule>
>
> Please let us know whether or not that helps.
>
> Thanks,
> --
> Doug Burks, GCIA, GSEC, CISSP
> http://securityonion.blogspot.com
>
> On Tue, May 4, 2010 at 9:04 AM, Ray Parish <[email protected]> wrote:
> > Received From: bad->/var/log/maillog
> >
> > Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> >
> > Portion of the log(s):
> >
> > May 4 08:21:02 bad canitd[31904]: HandleDictionaryAttacks: Running task HandleDictionaryAttacks completed
> >
> > How can I tweak the local rules to set this level of log entry to "0"?
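Added example, not code from the thread or from OSSEC itself: a small Python model of why the canitd line trips rule 1002 and how Doug's level-0 child rule suppresses it. It assumes OSSEC's `<match>`/`<program_name>` semantics (`|` alternatives, `^`/`$` anchors, otherwise a case-insensitive substring test; the case-insensitivity is inferred from the thread, where the lowercase pattern "attack" fired on "HandleDictionaryAttacks"), and the `BAD_WORDS` list is reproduced from memory of OSSEC's rules_config.xml, so treat it as an assumption and check your own copy. The non-canitd log lines are constructed for the example.

```python
import re

# Approximation of OSSEC's $BAD_WORDS variable (rules_config.xml), which the
# shipped rule 1002 matches against. Listed from memory: an assumption.
BAD_WORDS = ("core_dumped|failure|error|attack| bad |illegal |denied|refused|"
             "unauthorized|fatal|failed|Segmentation Fault|Corrupted")

RULES = [
    # Shipped syslog rule that fired in the thread.
    {"id": 1002, "level": 2, "match": BAD_WORDS,
     "description": "Unknown problem somewhere in the system."},
    # Doug's local override: child of 1002, only for canitd, only this message.
    {"id": 101002, "level": 0, "if_sid": 1002, "program_name": "^canitd",
     "match": "HandleDictionaryAttacks: Running task HandleDictionaryAttacks completed",
     "description": "canitd dictionary-attack housekeeping, ignore."},
]

# Classic syslog header: "Mon  D HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")


def parse_syslog(line):
    """Split a syslog line into timestamp, host, program name, pid, message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def ossec_match(pattern, text):
    """Model of OSSEC <match>/<program_name> matching (assumption of this
    example): '|' separates alternatives, '^' anchors to the start, '$' to the
    end; anything else is a case-insensitive substring test."""
    t = text.lower()
    for alt in pattern.split("|"):
        a = alt.lower()
        anchored_start, anchored_end = a.startswith("^"), a.endswith("$")
        a = a.lstrip("^").rstrip("$")
        if anchored_start and anchored_end:
            hit = t == a
        elif anchored_start:
            hit = t.startswith(a)
        elif anchored_end:
            hit = t.endswith(a)
        else:
            hit = a in t
        if hit:
            return True
    return False


def evaluate(line):
    """Walk the rule list in order; a child rule (if_sid) is only considered
    when its parent was the last rule matched, and the last match wins."""
    ev = parse_syslog(line)
    if ev is None:
        return None
    matched = None
    for rule in RULES:
        parent = rule.get("if_sid")
        if parent is not None and (matched is None or matched["id"] != parent):
            continue
        if "program_name" in rule and not ossec_match(rule["program_name"], ev["prog"]):
            continue
        if "match" in rule and not ossec_match(rule["match"], ev["msg"]):
            continue
        matched = rule
    return matched


def classify(line):
    """Return (rule id, level) for a line, or (None, None) if nothing fired."""
    rule = evaluate(line)
    return (rule["id"], rule["level"]) if rule else (None, None)


# Sample input: line 0 is Ray's log line from the thread, the rest are constructed.
SAMPLE_LINES = [
    "May  4 08:21:02 bad canitd[31904]: HandleDictionaryAttacks: Running task "
    "HandleDictionaryAttacks completed",
    "May  4 08:22:10 bad canitd[31904]: Dictionary attack from 203.0.113.5 blocked",
    "May  4 08:23:30 bad myapp[77]: connection refused by upstream",
    "May  4 08:25:01 bad cron[1]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), line)
```

The first line is the one from the thread: "attack" inside "HandleDictionaryAttacks" is what trips 1002, and the child rule downgrades it to level 0 so no alert is generated. The second line shows the override is narrow on purpose: a different canitd message that genuinely mentions an attack still alerts at level 2, which is what you want from a suppression rule. Before trusting a local rule, feed the real log line to `/var/ossec/bin/ossec-logtest` and confirm it reports rule 101002 at level 0 rather than 1002; keep user rule ids in the 100000-119999 range, which OSSEC reserves for local rules.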
