Wow, you have a lot of questions. For your last question, assigning a level of 0 to a rule will result in it being ignored completely, so any rules under it won't fire.
What you can do is use the <options>no_log</options> directive with a level lower than 7, so the event will not be logged or emailed to you. Frequency-based rules under the rule you created with the no_log directive will work.

On Wed, Aug 10, 2011 at 11:35 AM, cgzones <[email protected]> wrote:
> Hi list,
> I'm running ossec 2.6 (the first snapshot after the release) on debian 6.
> I have some questions/requests about ossec.
>
> 1
> In the help text of "/bin/ossec-logtest -h" it still says "-f Run in
> foreground". I thought this was edited?
>
> 2
> Could it be possible to give more output during "/bin/ossec-logtest -f"
> about the decoders? For rules the output is detailed, but for the
> decoders you don't see which decoders were executed and which
> children/parent decoders were tested. This would be great.
>
> 3
> Is it possible to configure several command log files
> (process monitoring) with different time intervals?
>
> 4
> With the syscheck option for directories "report_changes" it is possible
> to display the exact change in a file. But for security reasons it is
> not recommendable to do this, because someone unwanted can read the mail
> and see some internal config files. So is it possible to check these
> exact changes, not sending them per email, but saving them to disk so
> that (only) root can check out these changes?
>
> 5
> Will there be / is there a rule option <same_dst_ip/> and
> <same_dst_port/> for frequency rules?
>
> 6
> Why is the process id in the filename of the pid file? Without
> this (mostly) random number it is easier to monitor the pid file (e.g.
> with monit).
>
> 7
> Can this issue
> (https://bitbucket.org/dcid/ossec-hids/issue/26/ossec-init-script-misses-insserv-tags-for)
> be handled, so that there are no warnings during the debian command
> insserv? (Here is the Debian page with a default init script header:
> http://wiki.debian.org/LSBInitScripts)
>
> 8
> I want to observe a directory with syscheck totally, so with <directories
> check_all="yes">/dir</directories> (maybe with report_changes and
> realtime).
> But in one specific child directory I don't want to observe the
> file contents, only owner, group and permission. Which of the following
> methods work?
> i
> <directories check_all="yes">/dir</directories>
> <ignore>/dir/child/</ignore>
> <directories check_owner="yes" check_group="yes"
> check_perm="yes">/dir/child/</directories>
> ii
> <directories check_all="yes">/dir</directories>
> <directories check_owner="yes" check_group="yes"
> check_perm="yes">/dir/child/</directories>
> iii
> <directories check_all="yes">/dir</directories>
> <directories check_sum="no">/dir/child/</directories>
> iv
> ignore /dir/child/ with a rule with <match>/dir/child/</match>
>
> 9
> I read that level 0 rules are forgotten immediately, so they aren't counted
> for frequency rules. Would the following work?
> (If, say, test1 triggered two times and test2 one time, would rule 101080
> fire?)
>
> <rule id="101000" level="4">
> <decoded_as>someone</decoded_as>
> <description>Catch all entry.</description>
> </rule>
> <rule id="101010" level="0">
> <if_sid>101000</if_sid>
> <match>test1</match>
> <description>log 1</description>
> </rule>
> <rule id="101011" level="0">
> <if_sid>101000</if_sid>
> <match>test2</match>
> <description>log 2</description>
> </rule>
> <rule id="101080" level="4" frequency="3" timeframe="120">
> <if_matched_sid>101000</if_matched_sid>
> <description>Multiple log.</description>
> </rule>
>
> Best regards,
> Christian Göttsche
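The reply's suggestion applied to the rules from question 9, as an added example that is not part of the original thread or of the OSSEC project's own rule set: the two level-0 child rules get a low non-zero level plus <options>no_log</options>, so each single match is neither logged nor emailed but is still kept for correlation. Because an event that hits a child rule is recorded under the child's id rather than the parent's, the frequency rule here counts on a shared group instead of on <if_matched_sid>101000</if_matched_sid>; the group name test_noise and the rule ids are assumptions carried over from the question, not anything the project defines.

```xml
<group name="local,">
  <!-- Catch-all parent rule, unchanged from the question. -->
  <rule id="101000" level="4">
    <decoded_as>someone</decoded_as>
    <description>Catch all entry.</description>
  </rule>

  <!-- Instead of level="0" (event dropped, never available to frequency
       rules), keep level 1 and suppress output with no_log. Staying below
       the email alert level (7 by default) also avoids the email.
       The group name "test_noise" is an assumption for this example. -->
  <rule id="101010" level="1">
    <if_sid>101000</if_sid>
    <match>test1</match>
    <options>no_log</options>
    <group>test_noise,</group>
    <description>log 1 (suppressed, still counted)</description>
  </rule>

  <rule id="101011" level="1">
    <if_sid>101000</if_sid>
    <match>test2</match>
    <options>no_log</options>
    <group>test_noise,</group>
    <description>log 2 (suppressed, still counted)</description>
  </rule>

  <!-- Frequency rule keyed on the group both suppressed rules share, so
       two test1 hits plus one test2 hit within 120 seconds reach the
       frequency of 3 and this rule fires (and is logged at level 4). -->
  <rule id="101080" level="4" frequency="3" timeframe="120">
    <if_matched_group>test_noise</if_matched_group>
    <description>Multiple log.</description>
  </rule>
</group>
```

Before relying on the correlation, feed a sample line through /var/ossec/bin/ossec-logtest and confirm it ends on rule 101010 or 101011; if it stops at 101000, the child <match> strings do not hit your real log format and the frequency rule will never see the group.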
