You can add them to local_rules.xml or another file (other than the OSSEC default file). I use a bunch of /var/ossec/rules/wip/local_$DAEMON_rules.xml files, and add a <rule_dir>rules/wip</rule_dir> to the manager's ossec.conf.
You can email this list or the dev list with the rules. You can also clone the hg repository (https://bitbucket.org/dcid/ossec-hids), make your changes, and create a pull request. If you mail them to the list I'll probably add them to my testing repo and existing pull request.

On Thu, Jan 26, 2012 at 11:17 AM, Kat <[email protected]> wrote:
> I am working on a bunch of updated rules for PIX/ASA firewall
> messaging - my question is since these use an existing decoder and
> group of rules, what is the best way to add them. Should I be using
> local_rules or how could I contribute them to update the pix_rules
> set?
>
> thanks
> k
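The layout described in the reply, as an added example that is not part of the original messages or of the OSSEC project's own files: a manager ossec.conf fragment plus a separate local PIX rule file. The file name local_pix_rules.xml, the rule ID 100100, the match text, and the parent ID 4300 (taken here to be the grouping rule in the stock pix_rules.xml) are assumptions to check against your own install.

```xml
<!-- Fragment of /var/ossec/etc/ossec.conf on the manager.
     The stock include stays first so the parent rule is already
     loaded when the files in rules/wip are parsed. -->
<ossec_config>
  <rules>
    <include>pix_rules.xml</include>
    <rule_dir>rules/wip</rule_dir>
  </rules>
</ossec_config>

<!-- /var/ossec/rules/wip/local_pix_rules.xml
     (hypothetical name following the local_$DAEMON_rules.xml pattern) -->
<group name="syslog,pix,local,">
  <!-- Chain from the existing PIX grouping rule instead of editing
       pix_rules.xml, so an OSSEC upgrade does not overwrite the work.
       ASSUMPTION: 4300 is the level-0 grouping rule in pix_rules.xml. -->
  <rule id="100100" level="5">
    <if_sid>4300</if_sid>
    <!-- Constructed sample pattern, not taken from the thread -->
    <match>Deny inbound</match>
    <description>PIX/ASA: inbound connection denied (local rule).</description>
    <group>firewall_drop,</group>
  </rule>
</group>
```

Pasting a sample firewall line into /var/ossec/bin/ossec-logtest on the manager shows whether the existing decoder and the new rule fire before the manager is restarted.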
