I have always added my rules on the ossec server.
Charles Profitt, Sr. Network Technician, Pittsford Central Schools
BrainBench Certified - (Master)Microsoft Security | (Master)Storage Area Networks Concepts | (Master)Microsoft Vista Desktop Administration | (Master)Macintosh OS X 10.4 Desktop Administration
----------------------------------------------------------------------
νόησις νοήσεως - nóesis noéseos

________________________________
From: [email protected] [[email protected]] On Behalf Of Simon Slaytor [[email protected]]
Sent: Thursday, December 02, 2010 8:20 AM
To: [email protected]
Subject: [ossec-list] Windows Agent and local_rules.xml

Hi Folks,

First message to the list, apologies if this has been covered before, but my Google fu is obviously weak as I cannot find the answer.

I have a central OSSEC server, currently v2.4.1 on Ubuntu, and a number of remote agents, all 2.4.1, and everything is working well. I now want to suppress some rogue alerts generated by a couple of 'Windows 2003 Servers/Agents'. After Googling I understand that I need to:

Modify the 'local agent' copy of the local_rules.xml file, adding a new custom rule as follows:

    <group name="local">
      <rule id="100101" level="0">
        <if_sid>18153</if_sid>
        <match>wmiprvse.exe</match>
        <description>Events ignored</description>
      </rule>
    </group>

Ok, so my first problem: there is no 'local_rules.xml' file on the Windows agent. Undeterred, I have created one and placed it in the root of the ossec-agent folder. Is this the correct thing to do?

I have then added the following to the ossec.conf configuration file on the agent, just before, i.e. within, the 'default' </ossec_config>, and restarted the agent.

    <rules>
      <include>local_rules.xml</include>
    </rules>

The agent runs ok, but I see no entry relating to local_rules.xml in the log file and the alerts are still being generated.

Any pointers as to what I'm doing wrong would be greatly appreciated.

Simon

________________________________
This email message and any attachments may contain confidential information.
If you are not the intended recipient, you are prohibited from using the information in any way, including but not limited to disclosure of, copying, forwarding or acting in reliance on the contents. If you have received this email by error, please immediately notify me by return email and delete it from your email system. Thank you.
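The point behind Charles's reply is that OSSEC agents only collect and forward logs; the rule engine (ossec-analysisd) runs on the server, so a <rules> block in an agent's ossec.conf is never read and a local_rules.xml on the agent is never loaded. The following is an added example, not code from the original thread or from the OSSEC project: it shows Simon's suppression rule placed where the server actually loads it. It assumes the default server install path of /var/ossec and the stock server ossec.conf, whose <rules> section already ends with an include of local_rules.xml (the rule ids below and the wmiprvse.exe match are the ones from the post; 100001-119999 is the range OSSEC reserves for local rules).

```xml
<!-- /var/ossec/rules/local_rules.xml on the OSSEC SERVER (not the agent).
     Added example; path assumes the default install. -->
<group name="local,syslog,">
  <!-- Child of rule 18153: fires only when 18153 has already matched.
       <match> is a plain substring test against the decoded log line.
       level="0" means the event is dropped from alerting entirely, so
       keep the match as specific as possible (here: the WMI provider host
       process named in the original post). -->
  <rule id="100101" level="0">
    <if_sid>18153</if_sid>
    <match>wmiprvse.exe</match>
    <description>Windows events from wmiprvse.exe ignored.</description>
  </rule>
</group>

<!-- The server's /var/ossec/etc/ossec.conf needs no change for this: the
     stock <rules> section already ends with the line below. If it was
     removed at some point, it must be the LAST include so that rule
     18153 is defined before the child rule references it. -->
<ossec_config>
  <rules>
    <!-- ... the default rule includes ... -->
    <include>local_rules.xml</include>
  </rules>
</ossec_config>
```

After saving the file, restart the server (/var/ossec/bin/ossec-control restart); rules are only read at start-up, so the alerts keep coming until that is done. To confirm the rule behaves as intended before restarting, paste one of the offending event lines into /var/ossec/bin/ossec-logtest on the server: the "Completed filtering (rules)" phase should report rule id 100101 at level 0 for a wmiprvse.exe line and still report 18153 at its normal level for any other line, which is the check that the match is not silencing more than intended.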
