You can create an ignore rule for snort events. Something like the
following (untested):

  <rule id="xxx" level="0">
    <decoded_as>snort</decoded_as>
    <description>Ignore snort.</description>
  </rule>

On Wed, Jul 21, 2010 at 1:10 PM, Cabeza de Baca, Matthew
<[email protected]> wrote:
> I put ossec on a couple snort boxes that are logging to messages.
>
> I am wondering if I can tell ossec to ignore snort IDS system events. I
> have another method of looking at snort events and would like to use snort
> for an HIDS on my snort boxes.
>
> If this is possible, can someone point me to how to accomplish this?
>
> Thanks,
>
> Matt