If you want to ignore these events, set them to level 0.
On Tue, Jul 6, 2010 at 9:43 AM, Muraleedaran Kanapathy <[email protected]> wrote:
> Hi All
>
> I am trying to stop some specific messages from being seen in the OSSEC web
> real-time monitoring, and I have configured local_rules.xml as follows, but
> I can still see the messages.
>
> Requirement: to hide any message containing cqmghost.exe, at the levels
> given below, so that it is not logged in real-time monitoring.
>
> The message logged is:
>
> Jul 6 15:42:00 x.x.x.x security[failure] 861 NT AUTHORITY\SYSTEM The Windows Firewall has detected an application listening for incoming traffic. Name: - Path: C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe Process identifier: 2968 User account: SYSTEM User domain: NT AUTHORITY Service: Yes RPC server: No IP version: IPv4 IP protocol: UDP Port number: 3690 Allowed: No User notified: No
> Jul 6 15:42:00 10.0.228.10 security[failure] 861 NT AUTHORITY\SYSTEM The Windows Firewall
>
> <rule id="100033" level="4">
>   <if_sid>18105</if_sid>
>   <match>cqmghost.exe</match>
>   <description>Events to be ignored</description>
> </rule>
>
> <rule id="100034" level="10" frequency="$MS_FREQ" timeframe="240">
>   <if_sid>18153</if_sid>
>   <match>cqmghost.exe</match>
>   <description>Events to be ignored</description>
> </rule>
>
> I also want to hide the e-mail alert for these events, and my config looks
> like this:
>
> <rule id="100031" level="4">
>   <if_sid>18105</if_sid>
>   <regex>cqmghost.exe</regex>
>   <options>no_email_alert</options>
>   <description>Windows audit failure event.</description>
> </rule>
>
> <rule id="100032" level="10" frequency="$MS_FREQ" timeframe="240">
>   <if_sid>18153</if_sid>
>   <regex>cqmghost.exe</regex>
>   <options>no_email_alert</options>
>   <description>Multiple Windows audit failure events.</description>
> </rule>
>
> I would appreciate it if somebody could help me write the correct rule.
>
> Best regards,
>
> Muraleedaran
> Kanapathy | Linux/Unix System Engineer - ISS Department
> Integrated Networks

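An added example, not taken from the thread: the poster's first rule rewritten the way the reply suggests, with the level set to 0 so that OSSEC drops the event instead of alerting on it. The rule id, the group name and the wording of the description are my own choices; the parent rule 18105 and the `cqmghost.exe` match string come from the poster's message.

```xml
<!-- local_rules.xml fragment (example, not the poster's final config) -->
<group name="local,windows,">

  <!--
    Level 0 means "ignore": the event matches this rule, is never written
    to alerts.log, and therefore never reaches the web UI or e-mail.
    Because it is a child of 18105 (Windows audit failure), it claims the
    event before any rule that builds on 18105, so the frequency rule
    18153 should no longer count these events either. no_email_alert is
    not needed at level 0; nothing is alerted in the first place.
  -->
  <rule id="100033" level="0">
    <if_sid>18105</if_sid>
    <match>cqmghost.exe</match>
    <description>Ignore Windows Firewall listener notice for cqmghost.exe</description>
  </rule>

</group>
```

Confirm the change by pasting the raw event into /var/ossec/bin/ossec-logtest, which prints the rule id and level that fired; if it still reports 18153, add an equivalent level 0 rule with `<if_sid>18153</if_sid>`.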