At the moment this logic is not implemented in OSSEC, and I found it
out when trying to do the same thing as you are.
I created a rule with that logic, only to see that it is not working.
I'd love to be told that I am wrong, as this will make the config and
rules easier to maintain - but AFAIK, the "!" nullifier option is not
within the scope of the OSSEC rules loading logic.
Assaf
Swartz, Patrick H wrote:
Hi All,
Question about using the “!” in the local_rules.xml for the <hostname>
tag, like the following…
<!-- Testing excluding specific files from specific servers -->
<rule id="100500" level="0">
  <if_sid>550, 551, 552</if_sid>
  <match>mdas</match>
  <match>sgsdas</match>
  <!-- thinking is that if any other server triggered with this rule the
       normal alert would take place, only on this server would the rule
       fire and the change be ignored -->
  <hostname>!sles10-docs</hostname>
  <description>Ignoring changes</description>
</rule>
We are using Ossec v2.0.
Thank you,
Patrick Swartz
UNIX Planning & Engineering (DSUSSE)
First Data
402-777-7337 desk
402-871-8981 cell
--
Assaf Flatto
Linux System Administrator
No.9 | 6 Portal Way | London | W3 6RU |
T: +44 (0)20 88 96 8014 | M: +44 (0)75 3568 1067
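An added example, not part of the original thread and not OSSEC's own code: a small Python check that lists rules whose <hostname> value begins with "!", so that rules relying on the negation the reply above describes as not implemented can be found before they are deployed. The function name, the synthetic root wrapper and the sample rules are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the rule quoted in this thread.
SAMPLE_RULES = """
<group name="local,syscheck,">
  <rule id="100500" level="0">
    <if_sid>550, 551, 552</if_sid>
    <match>mdas</match>
    <hostname>!sles10-docs</hostname>
    <description>Ignoring changes</description>
  </rule>
  <rule id="100501" level="0">
    <if_sid>550</if_sid>
    <hostname>sles10-docs</hostname>
    <description>Ignoring changes on one host</description>
  </rule>
</group>
<group name="local,">
  <rule id="100502" level="3">
    <hostname> !web01 </hostname>
    <description>Second top-level group</description>
  </rule>
</group>
"""

def find_negated_hostnames(rules_text):
    """Return [(rule_id, hostname_value)] for every <hostname> starting with '!'."""
    # Rule files may hold several top-level <group> elements, so wrap them in
    # a synthetic root (an assumption of this example) before parsing.
    body = re.sub(r"<\?xml[^>]*\?>", "", rules_text)
    root = ET.fromstring("<rules_root>" + body + "</rules_root>")
    findings = []
    for rule in root.iter("rule"):
        for host in rule.findall("hostname"):
            value = (host.text or "").strip()
            if value.startswith("!"):
                findings.append((rule.get("id"), value))
    return findings

if __name__ == "__main__":
    for rule_id, value in find_negated_hostnames(SAMPLE_RULES):
        print(f"rule {rule_id}: <hostname>{value}</hostname> uses '!' negation")
```
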