On 06/27/2011 09:39 PM, treydock wrote:
I have successfully tested my local rules by commenting out rules
600-606. Is there something in OSSEC that does not allow certain
rules to be overridden? I don't know if this is something new as of
2.6-Beta. Any insight would be appreciated.
Thanks
- Trey
I am not sure if you are already doing this, but to overwrite rules, you
need to copy the rule to local_rules.xml, keep the same rule ID and add
the overwrite="yes" option, along with the other changes you want. For
example:
<rule id="606" level="3" overwrite="yes">
  <if_sid>600</if_sid>
  <action>route-null.sh</action>
  <status>delete</status>
  <description>Host Unblocked by route-null.sh Active response</description>
  <options>alert_by_email</options>
  <group>active_response,</group>
</rule>
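The reply above boils down to one rule: a rule in local_rules.xml that reuses a stock rule ID must carry overwrite="yes", otherwise it is a colliding definition rather than an override. The following script is an added example, not code from the thread or from the OSSEC project: it parses a stock rules file and a local_rules.xml, then reports for every local rule ID whether it is a proper override, a duplicate ID missing overwrite="yes", a duplicate within local_rules.xml itself, or a genuinely new rule. The two rule files are constructed inline for the demonstration (the contents of rule 600 are invented; rule 606 is copied from the reply), and the function names parse_rules and check_overrides are this example's own. It assumes only what the thread states, namely that reusing an ID without overwrite="yes" does not override the stock rule.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a stock rules file. OSSEC rule files are a sequence
# of top-level <group> blocks rather than a single-rooted XML document, so
# parse_rules() wraps the text in a synthetic root before parsing.
STOCK_RULES = """\
<group name="syslog,">
  <rule id="600" level="0">
    <description>Active response messages grouped (constructed)</description>
  </rule>
</group>
<group name="active_response,">
  <rule id="606" level="3">
    <if_sid>600</if_sid>
    <action>route-null.sh</action>
    <status>delete</status>
    <description>Host Unblocked by route-null.sh Active response</description>
    <group>active_response,</group>
  </rule>
</group>
"""

# Constructed local_rules.xml: 606 is redeclared correctly with overwrite="yes",
# 600 is redeclared without it (the mistake the reply warns about), and
# 100001 is a genuinely new local rule.
LOCAL_RULES = """\
<group name="local,">
  <rule id="606" level="3" overwrite="yes">
    <if_sid>600</if_sid>
    <action>route-null.sh</action>
    <status>delete</status>
    <description>Host Unblocked by route-null.sh Active response</description>
    <options>alert_by_email</options>
    <group>active_response,</group>
  </rule>
  <rule id="600" level="5">
    <description>Redeclared without overwrite (constructed mistake)</description>
  </rule>
  <rule id="100001" level="7">
    <if_sid>606</if_sid>
    <description>Genuinely new local rule (constructed)</description>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Return {rule_id: [<rule> elements]} for one OSSEC rules file.

    A list is kept per ID so that accidental duplicates inside one file
    are visible rather than silently collapsed.
    """
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    rules = {}
    for rule in root.iter("rule"):
        rules.setdefault(rule.get("id"), []).append(rule)
    return rules


def check_overrides(stock_text, local_text):
    """Classify every rule ID declared in local_text against stock_text.

    Returns a list of (rule_id, verdict) sorted by numeric ID, where verdict
    is one of: 'override-ok', 'duplicate-id-no-overwrite',
    'duplicate-in-local', 'new'.
    """
    stock = parse_rules(stock_text)
    local = parse_rules(local_text)
    findings = []
    for rule_id, elems in local.items():
        if len(elems) > 1:
            # The same ID twice in local_rules.xml is a mistake regardless of
            # any overwrite attribute.
            findings.append((rule_id, "duplicate-in-local"))
            continue
        elem = elems[0]
        if rule_id in stock:
            if elem.get("overwrite", "").lower() == "yes":
                findings.append((rule_id, "override-ok"))
            else:
                findings.append((rule_id, "duplicate-id-no-overwrite"))
        else:
            findings.append((rule_id, "new"))
    return sorted(findings, key=lambda finding: int(finding[0]))


if __name__ == "__main__":
    for rule_id, verdict in check_overrides(STOCK_RULES, LOCAL_RULES):
        print(f"rule {rule_id}: {verdict}")
```

To run this against a real installation, read the stock rule files listed in ossec.conf and the local_rules.xml into the two string arguments instead of the constructed samples; the synthetic-root wrapping is what lets the standard library parser accept OSSEC's multi-group files.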