Ah, the first part (local_rules.xml) I have, but the two key portions I was missing were leaving the rule IDs the same as the built-in rules and also adding the "overwrite" option.
Thanks!
- Trey

On Jun 27, 10:24 pm, Michael Starks <[email protected]> wrote:
> On 06/27/2011 09:39 PM, treydock wrote:
> > I have successfully tested my local rules by commenting out rules
> > 600-606. Is there something in OSSEC that does not allow certain
> > rules to be overridden? I don't know if this is something new as of
> > 2.6-Beta. Any insight would be appreciated.
> >
> > Thanks
> > - Trey
>
> I am not sure if you are already doing this, but to overwrite rules, you
> need to copy the rule to local_rules.xml, keep the same rule ID and add
> the overwrite="yes" option, along with the other changes you want. For
> example:
>
> <rule id="606" level="3" overwrite="yes">
>   <if_sid>600</if_sid>
>   <action>route-null.sh</action>
>   <status>delete</status>
>   <description>Host Unblocked by route-null.sh Active response</description>
>   <options>alert_by_email</options>
>   <group>active_response,</group>
> </rule>
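The two conditions named in this thread (same rule ID as the built-in rule, plus overwrite="yes") are easy to get wrong silently, because a local rule that misses either one is simply ignored and the built-in rule keeps firing. The following added script is not part of the thread or of OSSEC itself: it parses a built-in rules file and local_rules.xml and reports every local rule that reuses a built-in ID without overwrite="yes". The rule contents are constructed samples shaped like the 606 rule quoted above; wrapping the files in a synthetic <rules> root is an assumption made here because OSSEC rule files may contain several top-level <group> elements and are not single-rooted XML documents.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for a built-in OSSEC rules file (IDs follow the
# 600-606 range discussed in the thread; contents are illustrative only).
BUILTIN_RULES = """
<group name="active_response,">
  <rule id="600" level="0">
    <description>Active response messages grouped.</description>
  </rule>
  <rule id="605" level="3">
    <if_sid>600</if_sid>
    <description>Host Blocked by Active response</description>
  </rule>
  <rule id="606" level="3">
    <if_sid>600</if_sid>
    <action>route-null.sh</action>
    <status>delete</status>
    <description>Host Unblocked by route-null.sh Active response</description>
  </rule>
</group>
"""

# Constructed local_rules.xml: 606 is overridden correctly, 605 reuses a
# built-in ID but forgets overwrite="yes", 100001 is a genuinely new rule.
LOCAL_RULES = """
<group name="local,">
  <rule id="606" level="3" overwrite="yes">
    <if_sid>600</if_sid>
    <action>route-null.sh</action>
    <status>delete</status>
    <description>Host Unblocked by route-null.sh Active response</description>
    <options>alert_by_email</options>
    <group>active_response,</group>
  </rule>
  <rule id="605" level="10">
    <if_sid>600</if_sid>
    <description>Host Blocked by Active response (local copy)</description>
  </rule>
  <rule id="100001" level="5">
    <if_sid>600</if_sid>
    <description>Custom active-response alert</description>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Return {rule_id: <rule> element} for every <rule> in a rules file.

    OSSEC rule files can carry several top-level <group> elements, so the
    text is wrapped in a synthetic root before parsing (assumption made here).
    """
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    return {rule.get("id"): rule for rule in root.iter("rule")}


def classify(rule_id, rule, builtin_ids):
    """Decide whether a local rule will take effect the way the author intends."""
    has_overwrite = rule.get("overwrite") == "yes"
    if rule_id in builtin_ids and has_overwrite:
        return "ok"                       # overrides the built-in rule
    if rule_id in builtin_ids:
        return "missing overwrite"        # duplicate ID, built-in rule still wins
    if has_overwrite:
        return "overwrite without built-in target"  # nothing to override
    return "new"                          # plain new rule, no conflict


def check_overrides(builtin_xml, local_xml):
    """Map every local rule ID to its classification."""
    builtin_ids = set(parse_rules(builtin_xml))
    return {rule_id: classify(rule_id, rule, builtin_ids)
            for rule_id, rule in parse_rules(local_xml).items()}


if __name__ == "__main__":
    for rule_id, status in sorted(check_overrides(BUILTIN_RULES, LOCAL_RULES).items()):
        print(f"rule {rule_id}: {status}")
```

Run against the real files (for example, the rules directory under the OSSEC install and the local_rules.xml beside it) after replacing the constructed strings with the file contents; any "missing overwrite" entry is a rule that looks customised but is not actually applied.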
