Sigh. http://www.ossec.net/wiki/Know_How:Ignore_Rules
--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of satish patel
Sent: Tuesday, March 15, 2011 10:53
To: [email protected]
Subject: Re: [ossec-list] How to ignore specific rules

Hey boys, I did the following and restarted OSSEC, but I am still getting the alert :( Do I need to specify rule ID 1002 somewhere in here?

<rule id="100002" level="0">
  <options>no_email_alert</options>
  <match>snmpd</match>
  <description>IGNORED RULE</description>
</rule>

On Tue, Mar 15, 2011 at 12:27 PM, dan (ddp) <[email protected]> wrote:
> If you don't want it to email or log, you should just lower the level to 0.
> Adding the no email option doesn't really ignore the log message, it
> just doesn't send out an email. Lowering the level to 0 ignores it.
>
> Since you're aware of the issue, the alert looks pretty worthless.
>
> On Tue, Mar 15, 2011 at 11:33 AM, satish patel <[email protected]> wrote:
>> One question: I used "no_log". Does that mean it will stop both the alert and the log?
>>
>> On Tue, Mar 15, 2011 at 11:23 AM, satish patel <[email protected]> wrote:
>>> Perfect!!! Thanks a lot..
>>>
>>> On Tue, Mar 15, 2011 at 10:46 AM, Gurtaj Singh <[email protected]> wrote:
>>>> Add the following rule to your local_rules.xml:
>>>>
>>>> <rule id="700678" level="7">
>>>>   <options>no_email_alert</options>
>>>>   <match>error on subcontainer 'ia_addr' insert (-1)</match>
>>>>   <description>IGNORED RULE</description>
>>>> </rule>
>>>>
>>>> The above rule takes that alert as a level 7 (which by default won't be
>>>> ignored, but note the options command, due to which it won't be alerted on).
>>>> If you ever want to see whether you properly fixed the issue, remove the options
>>>> command and keep the rest. That way it won't be ignored.
>>>>
>>>> Another alternative is to call it a level 1 or 2 and completely ignore it (no
>>>> logs), or use the no_log command under options.
>>>>
>>>> On Tue, 2011-03-15 at 10:29 -0400, satish patel wrote:
>>>>
>>>> I am getting the following alert constantly. How do I ignore it until I fix the
>>>> issue?
>>>>
>>>> OSSEC HIDS Notification.
>>>> 2011 Mar 15 07:18:52
>>>>
>>>> Received From: (sebfwint1) 172.24.0.63->/var/log/syslog
>>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>>> Portion of the log(s):
>>>>
>>>> Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr' insert (-1)
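The thread never shows the rule that finally worked; Shane's reply only points at the Ignore Rules wiki page. The local_rules.xml fragment below is an added example, not code from the list or from the OSSEC project, written to illustrate the approach dan describes (level 0 to ignore) alongside Gurtaj's variants. It assumes rule 1002 is the parent to override (hence the `if_sid`), that IDs 100002-100004 are unused in the local range, and that the snmpd message text is the one quoted in the original alert. The important difference from satish's posted rule is `if_sid`: a child rule is evaluated when its parent has matched and its level replaces the parent's, whereas a stand-alone level-0 rule in local_rules.xml is not guaranteed to be tried before rule 1002 fires.

```xml
<!-- local_rules.xml (added example; rule IDs 100002-100004 are assumed free) -->
<group name="local,syslog,">

  <!-- Variant 1 (dan's suggestion): level 0 = fully ignored, no alert, no email, no log.
       if_sid makes this a child of rule 1002, so it only fires after 1002 has matched
       and its level 0 overrides 1002's level 2. -->
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <match>snmpd</match>
    <regex>error on subcontainer 'ia_addr' insert</regex>
    <description>snmpd ia_addr subcontainer error (known issue, ignored)</description>
  </rule>

  <!-- Variant 2 (Gurtaj's first form): still logged at level 7 but no email sent.
       Remove the <options> line later to start receiving email again once the fix
       is in and you want to confirm the message has stopped. -->
  <rule id="100003" level="7">
    <if_sid>1002</if_sid>
    <match>snmpd</match>
    <regex>error on subcontainer 'ia_addr' insert</regex>
    <options>no_email_alert</options>
    <description>snmpd ia_addr subcontainer error (logged, not emailed)</description>
  </rule>

  <!-- Variant 3 (Gurtaj's no_log form): the rule matches and still counts as an
       alert for correlation, but nothing is written to alerts.log. -->
  <rule id="100004" level="2">
    <if_sid>1002</if_sid>
    <match>snmpd</match>
    <regex>error on subcontainer 'ia_addr' insert</regex>
    <options>no_log</options>
    <description>snmpd ia_addr subcontainer error (matched, not logged)</description>
  </rule>

</group>
```

Only one of the three variants should be enabled at a time, since all three hang off rule 1002 with the same match. After editing local_rules.xml and restarting OSSEC, paste the original syslog line (`Mar 15 07:15:31 sebfwint1 snmpd[1401]: error on subcontainer 'ia_addr' insert (-1)`) into `/var/ossec/bin/ossec-logtest`: the output should name the local rule ID rather than 1002, which is the check that the override actually took effect before waiting for the next email.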
