Did you restart the ossec server after adding that rule? It works for me.
<rule id="111111" level="0">
<if_sid>18105</if_sid>
<match>cqmghost</match>
<description>Ignore</description>
</rule>
ossec-logtest output:
**Phase 1: Completed pre-decoding.
full event: 'Jul 7 12:23:10 x.x.x.x security[failure] 861 NT
AUTHORITY\SYSTEM The Windows Firewall has detected an application
listeninfor incoming traffic.Name: -Path:
C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exeProcess identifier:
2968User account: SYSTEMUser domain: NT AUTHORITYService: YesRPC
server: NoIP version: IPv4IP protocol: UDPPort number: 3935Allowed:
NoUser notified: No'
hostname: 'x.x.x.x'
program_name: '(null)'
log: 'security[failure] 861 NT AUTHORITY\SYSTEM The Windows
Firewall has detected an application listeninfor incoming
traffic.Name: -Path:
C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exeProcess identifier:
2968User account: SYSTEMUser domain: NT AUTHORITYService: YesRPC
server: NoIP version: IPv4IP protocol: UDPPort number: 3935Allowed:
NoUser notified: No'
**Phase 2: Completed decoding.
decoder: 'windows-ntsyslog'
extra_data: 'security'
status: 'failure'
id: '861'
**Phase 3: Completed filtering (rules).
Rule id: '111111'
Level: '0'
Description: 'Ignore'
On Wed, Jul 7, 2010 at 5:30 AM, Muraleedaran Kanapathy
<[email protected]> wrote:
> Hi
>
> Thanks a lot for the reply.
>
> I have added the text below at the bottom of local_rules.xml and restarted
> ossec, but I can still see the alerts
>
> <rule id="100033" level="0">
> <if_sid>18105</if_sid>
> <match>cqmghost</match>
> <description>Events to be ignored</description>
> </rule>
>
> The message logged in alerts.log is
>
> ****************************************************************************
> ** Alert 1278494706.28385260: - windows,
> 2010 Jul 07 05:25:06 10.0.228.10->/var/log/messages
> Rule: 18105 (level 4) -> 'Windows audit failure event.'
> Src IP: (none)
> User: (none)
> Jul 7 12:23:10 x.x.x.x security[failure] 861 NT AUTHORITY\SYSTEM The Windows
> Firewall has detected an application listeninfor incoming traffic.Name:
> -Path: C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exeProcess identifier:
> 2968User account: SYSTEMUser domain: NT AUTHORITYService: YesRPC server: NoIP
> version: IPv4IP protocol: UDPPort number: 3935Allowed: NoUser notified: No
> ****************************************************************************
>
>
> Best regards,
>
> Muraleedaran Kanapathy| Linux/Unix System Engineer - ISS Department
> Voice +966(1) 288-8888 ext 1422 | Fax +966(1) 288-8899 ext 1422
> Integrated Networks | Faisaliah Tower | Level 7A |
> PO Box 53553, Riyadh 11593, KSA | GMT +3 |
> Email [email protected]
>
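A toy model of the three logtest phases shown above, added here as an illustration and not OSSEC's own code: a simplified decoder splits the syslog header and recognises the windows-ntsyslog shape, a tiny rule engine walks a parent rule and its if_sid children, and the level-0 override from the thread wins for the cqmghost line while an unrelated audit failure still alerts at level 4. The stand-in for stock rule 18105, the decoder regexes, the substring treatment of match and the sample events are all assumptions made for this example; only rule 111111 is taken from the thread.

```python
"""Toy model of how an OSSEC <if_sid>/<match> override rule suppresses an alert.

Added example, not OSSEC's own code: the decoder and rule engine are simplified
stand-ins for ossec-analysisd.  Rule 18105 below is a constructed approximation
of the stock "Windows audit failure event." rule; rule 111111 is from the thread.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

RULES_XML = """<group name="local,">
  <!-- constructed stand-in for OSSEC's stock rule 18105 -->
  <rule id="18105" level="4">
    <decoded_as>windows-ntsyslog</decoded_as>
    <status>failure</status>
    <description>Windows audit failure event.</description>
  </rule>
  <!-- the override rule from the thread, as added to local_rules.xml -->
  <rule id="111111" level="0">
    <if_sid>18105</if_sid>
    <match>cqmghost</match>
    <description>Ignore</description>
  </rule>
</group>"""

# Constructed sample events; the first mirrors the thread's firewall line.
EVENT_CQMGHOST = (
    r"Jul 7 12:23:10 x.x.x.x security[failure] 861 NT AUTHORITY\SYSTEM The Windows "
    r"Firewall has detected an application listening for incoming traffic. "
    r"Path: C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe Process identifier: 2968"
)
EVENT_OTHER = (
    r"Jul 7 12:24:00 x.x.x.x security[failure] 529 NT AUTHORITY\SYSTEM "
    r"Logon Failure: Unknown user name or bad password"
)
EVENT_NON_WINDOWS = "Jul 7 12:25:00 x.x.x.x sshd[1234]: Accepted publickey for ops from 10.0.0.5"


@dataclass
class Rule:
    id: str
    level: int
    description: str
    if_sid: Optional[str] = None
    match: Optional[str] = None
    decoded_as: Optional[str] = None
    status: Optional[str] = None


def load_rules(xml_text):
    """Parse the subset of rule options this toy engine understands."""
    return [
        Rule(
            id=el.get("id"),
            level=int(el.get("level")),
            description=el.findtext("description", ""),
            if_sid=el.findtext("if_sid"),
            match=el.findtext("match"),
            decoded_as=el.findtext("decoded_as"),
            status=el.findtext("status"),
        )
        for el in ET.fromstring(xml_text).iter("rule")
    ]


# Assumed shapes: syslog header, then "<extra_data>[<status>] <id> ..." for windows-ntsyslog.
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) (.*)$")
NTSYSLOG_RE = re.compile(r"^(\w+)\[(\w+)\] (\d+) ")


def decode(event):
    """Phases 1 and 2: pre-decode the header, then try the windows-ntsyslog decoder."""
    m = SYSLOG_RE.match(event)
    if not m:
        return None
    hostname, log = m.groups()
    fields = {"hostname": hostname, "log": log, "decoder": None}
    nt = NTSYSLOG_RE.match(log)
    if nt:
        fields["decoder"] = "windows-ntsyslog"
        fields["extra_data"], fields["status"], fields["id"] = nt.groups()
    return fields


def rule_applies(rule, fields):
    if rule.decoded_as and fields["decoder"] != rule.decoded_as:
        return False
    if rule.status and fields.get("status") != rule.status:
        return False
    # <match> is treated as a plain substring test here; real OS_Match has more syntax.
    if rule.match and rule.match not in fields["log"]:
        return False
    return True


def descend(rule, fields, rules):
    """The first matching if_sid child overrides its parent, recursively."""
    for child in (r for r in rules if r.if_sid == rule.id):
        if rule_applies(child, fields):
            return descend(child, fields, rules)
    return rule


def alert_level(event, rules):
    """Phase 3: return (rule id, level) of the winning rule, or None if nothing matched."""
    fields = decode(event)
    if fields is None:
        return None
    for parent in (r for r in rules if r.if_sid is None):
        if rule_applies(parent, fields):
            winner = descend(parent, fields, rules)
            return winner.id, winner.level
    return None


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for ev in (EVENT_CQMGHOST, EVENT_OTHER, EVENT_NON_WINDOWS):
        print(alert_level(ev, rules))
```

A level-0 winner is exactly what the logtest output reports for rule 111111, and it is what ossec-analysisd needs to see before it drops the event; ossec-logtest reads the rule files directly, so it will show the override working even when the running server has not yet been restarted to load it.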