Hey! You can ignore them in /var/ossec/rules/local_rules.xml
I did the following to ignore the "error on subcontainer 'ia_addr' insert
(-1)" string. So I believe you just add whatever you want to ignore
and set level=0 and the option no_email_alert:
<group name="local,">
  <!-- child of rule 1002; level 0 drops the matching event entirely -->
  <rule id="100003" level="0">
    <if_sid>1002</if_sid>
    <options>no_email_alert</options>
    <match>error on subcontainer 'ia_addr' insert (-1)</match>
    <description>IGNORED RULE</description>
  </rule>
</group>
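Added example, not part of either message in this thread: a small Python model of how a level-0 child rule in local_rules.xml takes over from its parent for one specific message while leaving the parent rule active for everything else. It embeds the reply's rule 100003 plus a constructed override (rule id 100041, a made-up id) for the rootcheck alert quoted in the question, keyed on the page's rule 100040 and the exact "Port '855'(tcp) hidden" text. It assumes OSSEC's default email_alert_level of 7 and that the first matching child wins; both are simplifications of the real rule engine, and the parent levels passed in are illustrative.

```python
# Added example (not from the thread): models how a level-0 child rule in
# /var/ossec/rules/local_rules.xml silences one exact message without
# silencing the parent rule. Assumes OSSEC's default email_alert_level of 7
# and first-matching-child-wins; both are simplifications of the real engine.
import xml.etree.ElementTree as ET

EMAIL_ALERT_LEVEL = 7  # assumed default <email_alert_level> from ossec.conf

# Constructed local_rules.xml: rule 100003 is the one from the reply above;
# rule 100041 (made-up id) is an override for the rootcheck alert in the question.
LOCAL_RULES_XML = """<group name="local,">
  <rule id="100003" level="0">
    <if_sid>1002</if_sid>
    <options>no_email_alert</options>
    <match>error on subcontainer 'ia_addr' insert (-1)</match>
    <description>IGNORED RULE</description>
  </rule>
  <rule id="100041" level="0">
    <if_sid>100040</if_sid>
    <options>no_email_alert</options>
    <match>Port '855'(tcp) hidden</match>
    <description>Port 855 verified as legitimate; ignore this rootcheck hit</description>
  </rule>
</group>"""


def parse_local_rules(xml_text):
    """Parse <rule> elements; <if_sid> is comma-separated, <match> is a '|'-separated OR."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "if_sid": {int(s) for s in (r.findtext("if_sid") or "").split(",") if s.strip()},
            "match": [m for m in (r.findtext("match") or "").split("|") if m],
            "no_email": "no_email_alert" in (r.findtext("options") or ""),
        })
    return rules


def evaluate(parent_id, parent_level, log, rules):
    """Return (rule_id, level, alerted, emailed) for a log that already matched parent_id.

    A child whose <if_sid> names the parent and whose <match> substring occurs in
    the log takes over. Level 0 means the event is dropped: not logged, not mailed.
    """
    rule_id, level, no_email = parent_id, parent_level, False
    for rule in rules:
        if parent_id in rule["if_sid"] and (
            not rule["match"] or any(m in log for m in rule["match"])
        ):
            rule_id, level, no_email = rule["id"], rule["level"], rule["no_email"]
            break  # simplification: first matching child wins
    alerted = level > 0
    emailed = alerted and not no_email and level >= EMAIL_ALERT_LEVEL
    return rule_id, level, alerted, emailed


if __name__ == "__main__":
    rules = parse_local_rules(LOCAL_RULES_XML)
    # The exact message from the question: silenced by the override.
    print(evaluate(100040, 7,
                   "Port '855'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.",
                   rules))
    # A different hidden port still fires at level 7: the match is deliberately narrow.
    print(evaluate(100040, 7,
                   "Port '8443'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.",
                   rules))
```

The second call is the check worth keeping: matching on the full "Port '855'(tcp) hidden" text rather than just "hidden" means a hidden port you have not verified still raises the level-7 rootcheck alert.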
On Thu, Apr 21, 2011 at 2:16 PM, upen <[email protected]> wrote:
> Hi, I am wondering how to make ossec avoid checking 'netstat' or
> at least help me filter these emails. I have made sure netstat isn't an
> issue on the system.
>
> Received From: sparc-server>rootcheck
> Rule: 100040 fired (level 7) -> "Host-based anomaly detection event
> (rootcheck)"
> Portion of the log(s):
>
> Port '855'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> Thanks