Hi All,
I am trying to stop some specific messages from being shown in the OSSEC web
real-time monitoring, and I have configured local_rules.xml as
follows, but I can still see the messages.
Requirement: to hide any messages containing cqmghost.exe, at the levels
mentioned below, so that they are not logged in real-time monitoring.
The message logged is:
Jul 6 15:42:00 x.x.x.x security[failure] 861 NT AUTHORITY\SYSTEM The
Windows Firewall has detected an application listeningfor incoming
traffic. Name: - Path:
C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe Process identifier:
2968 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC
server: No IP version: IPv4 IP protocol: UDP Port number: 3690
Allowed: No User notified: No Jul 6 15:42:00 10.0.228.10
security[failure] 861 NT AUTHORITY\SYSTEM The Windows Firewall
<rule id="100033" level="4">
  <if_sid>18105</if_sid>
  <match>cqmghost.exe</match>
  <description>Events to be ignored</description>
</rule>
<rule id="100034" level="10" frequency="$MS_FREQ" timeframe="240">
  <if_sid>18153</if_sid>
  <match>cqmghost.exe</match>
  <description>Events to be ignored</description>
</rule>
I also want to hide the e-mail alert for these events, and my config looks
like this:
<rule id="100031" level="4">
  <if_sid>18105</if_sid>
  <regex>cqmghost.exe</regex>
  <options>no_email_alert</options>
  <description>Windows audit failure event.</description>
</rule>
<rule id="100032" level="10" frequency="$MS_FREQ" timeframe="240">
  <if_sid>18153</if_sid>
  <regex>cqmghost.exe</regex>
  <options>no_email_alert</options>
  <description>Multiple Windows audit failure events.</description>
</rule>
I would appreciate it if somebody could help me to write the correct rules.
Best regards,
Muraleedaran Kanapathy | Linux/Unix System Engineer - ISS Department
Voice +966(1) 2888136 | Fax +966(1) 288-8899 ext 1422
Integrated Networks | Faisaliah Tower | Level 7A |
PO Box 53553, Riyadh 11593, KSA | GMT +3 |
Email [email protected]
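The following local_rules.xml fragment is an added example, not code from the original post or from the OSSEC project. It illustrates the point the rules above miss: an OSSEC rule silences an event only when its level is 0. A level-4 rule still generates an alert, because the default alert threshold (log_alert_level) is 1, so the event keeps appearing in alerts.log and in the web UI. The rule id 100033 and the cqmghost.exe string come from the post; 18105 is the OSSEC "Windows audit failure event" rule the poster already uses as parent.

```xml
<!-- Added example for local_rules.xml (not from the original post or the OSSEC project).
     A level-0 child of 18105 tells ossec-analysisd to discard the matching event:
     it is not written to alerts.log, not shown in the web UI and not e-mailed. -->
<group name="local,windows,">

  <!-- <match> is a plain substring match against the whole log line, so the
       "." in cqmghost.exe and the backslashes in the path need no escaping.
       The string is kept as in the post; assumption: cqmghost.exe appears in
       no other event that should still be alerted on. -->
  <rule id="100033" level="0">
    <if_sid>18105</if_sid>
    <match>cqmghost.exe</match>
    <description>cqmghost.exe firewall listener notice, ignored.</description>
  </rule>

  <!-- Because the event is dropped here, nothing reaches the frequency rule
       18153 for it, so no separate child of 18153 is needed.
       If the goal were only to keep the event in alerts.log but stop the e-mail,
       keep level="4" and add <options>no_email_alert</options> instead of level 0. -->

</group>
```

After editing local_rules.xml, restart OSSEC (`/var/ossec/bin/ossec-control restart`) and check the result with `/var/ossec/bin/ossec-logtest`: paste the full firewall event line from the post on its standard input and confirm that the matched rule reported is 100033 at level 0 rather than 18105 at level 4; logtest reads the same rule files as the running daemon, so a correct result there carries over to the live system.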
