Write a rule.
<rule id="SET_AN_ID" level="O">
<if_sid>1002</if_sid>
<match>scan errors: 0, viruses detected: 0, infected files detected: 0</match>
<description>All is well.</description>
</rule>
This one has fatal flaws, but if fixed it works.
On Wed, Oct 19, 2011 at 2:34 PM, Dimitri Yioulos <[email protected]> wrote:
> All,
>
> It's a bit embarrassing that I can't figure out how to stop this
> particular alert, but I don't know how. Here's the situation:
>
> I have Sophos anti-virus installed on some of my Linux boxes. I
> keep getting Ossec alerts like the following:
>
> 2011 Oct 19 11:21:59 Rule Id: 1002 level: 2
> Location: (plymouth) 192.168.1.2->/var/log/messages
> Unknown problem somewhere in the system.
> Oct 19 11:21:59 plymouth savd: savscan.log: On-demand scan
> details: master boot records scanned: 0, boot records scanned: 0,
> files scanned: 3, scan errors: 0, viruses detected: 0, infected
> files detected: 0
>
> Obviously, I don't want this event to alert. What do I have to do
> in Ossec to prevent this specific alert?
>
> Many thanks.
>
> Dimitri
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
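For reference, here is a working version of the rule sketched in the reply above. This is an added example, not code from either poster: the rule id 100100 and the group name are assumptions (OSSEC reserves ids 100000-119999 for local rules), and it assumes the standard syslog decoder has already extracted "savd" as the program name from the quoted log line. It belongs in /var/ossec/rules/local_rules.xml, which is loaded after the stock rule files.

```xml
<!-- Added example: suppress the clean-scan summary that rule 1002 turns into
     an alert. Rule id 100100 and the group name are assumptions. -->
<group name="local,sophos,">

  <!-- Rule 1002 is the generic keyword catch-all ("Unknown problem somewhere
       in the system"); it fires here because the summary line contains the
       word "error" ("scan errors: 0"). A child rule that depends on 1002 via
       if_sid, matches the clean summary and sets level 0 takes precedence
       for those lines, and level-0 events are neither alerted nor logged. -->
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <!-- Assumes the syslog decoder parsed "savd" as the program name. -->
    <program_name>savd</program_name>
    <!-- <match> is a plain substring test, not a regular expression, so the
         spaces, commas and zeros are taken literally. Keeping all three
         "0" counters in the pattern means a scan that reports errors or
         detections does not match and still reaches rule 1002. -->
    <match>scan errors: 0, viruses detected: 0, infected files detected: 0</match>
    <description>Sophos on-demand scan finished clean; suppressed.</description>
  </rule>

</group>
```

After restarting OSSEC, pasting the original "Oct 19 11:21:59 plymouth savd: ..." line into /var/ossec/bin/ossec-logtest should show the event ending at rule 100100 with level 0 instead of rule 1002 with level 2; a summary line with a non-zero detection count should still end at 1002 (or at a more specific rule, if one is added).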