On 10/20/2010 02:10 PM, Derek Morris wrote:
> I would have to say the Upgrade process. I have to do a diff on
> numerous rules files that I have edited, and it takes quite a bit of
> painstaking work to complete.
Really? I simply created additional files for my modified rules. So where OSSEC ships with, say, firewall_rules.xml, I created firewall_rules_local.xml. An upgrade won't override that.

Additionally, I've ensured (somewhat) that I have not used any of the rule IDs that are currently reserved. I'm aware that the official line is that local rules should use the range 100000-109999, but I chose to merely add 100000 to any ruleset range I'm modifying. So, if I have to make a change to, say, rule 31101 to ignore a monitoring station, I create a rule in the range of 131100-131199 and override that rule. Just use an if_sid to make sure it's an override.

Another assumption here is that the numbering in the rules doesn't change. I don't believe that will be the case without extremely large, blinking, sound-activated disclaimers by the developers. And even then, I'm pretty sure they'll try to avoid that.

-- 
---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
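A local override of the kind described in the reply above, as an added example (not the poster's own file). It assumes the monitoring station's address is 192.0.2.10 (a constructed value) and that rule 31101 is defined in a shipped rule file that OSSEC loads before this one.

```xml
<!-- firewall_rules_local.xml-style override file (added example, not the
     poster's own). Assumes the monitoring station is 192.0.2.10 (constructed
     address) and that rule 31101 exists in a shipped rule file loaded earlier. -->
<group name="local,overrides,">

  <!-- Shipped rule 31101 + 100000 = 131101: same event, silenced for one host.
       if_sid makes this a child of 31101, so it is only evaluated when 31101
       matched; srcip narrows it to the monitoring station; level 0 means no
       alert is generated for that host, while every other source still
       triggers 31101 at its original level. -->
  <rule id="131101" level="0">
    <if_sid>31101</if_sid>
    <srcip>192.0.2.10</srcip>
    <description>Rule 31101 ignored for the monitoring station</description>
  </rule>

</group>
```

The new file is only loaded if it is listed under `<rules>` in ossec.conf with an `<include>` entry placed after the shipped file that defines 31101. Keeping the override at level 0 for a single srcip, rather than disabling 31101 outright, preserves the alert for every other source.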
