On 07/25/2012 17:51, dan (ddp) wrote:
On Wed, Jul 25, 2012 at 10:47 AM, Leonardo Bacha Abrantes
<[email protected]> wrote:
Hey people,
good morning!
how can I configure ossec not to send emails for a specific rule for just
one client ?
Rule: 35052 fired (level 9) -> "Multiple unauthorized attempts to use
proxy."
I don't want to receive emails about it. I'll check it directly in ossec
web ui.
thanks!
Write a rule to ignore it (or put it at a lower level). Something like
this might work (hard to tell since I don't have a sample):
<rule id="something or other" level="3">
<if_sid>35052</if_sid>
<srcip>client ip</srcip>
<description>Ignore stuff for client ip</description>
</rule>
By default active response acts on level 6+, but emails are only sent
for level 7 and up. So if I demote a rule from level, say, 10 to level 6
the response will still fire but I won't get an email about it, right?
My question is, how do I do that for a default rule so that it won't be
overwritten when I update OSSEC?
Example: postfix_rules.xml has this:
<rule id="3353" level="10" frequency="$POSTFIX_FREQ" timeframe="120">
<if_matched_sid>3303</if_matched_sid>
<same_source_ip />
<description>Multiple attempts to send e-mail from </description>
<description>invalid/unknown sender domain.</description>
<group>multiple_spam,</group>
</rule>
Sometimes I get too many of these and I don't care to see them, so
demoting this rule to level="6" should do the trick, but I don't want to
modify postfix_rules.xml
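An added example, not part of the thread, showing both approaches above in a local_rules.xml (OSSEC loads it after the stock rule files, so it is not touched by an upgrade): a child rule that lowers 35052 for one client, and an in-place overwrite of 3353 at level 6. The rule id 100100, the address 192.0.2.10 and the frequency value 8 are placeholders assumed here; use whatever $POSTFIX_FREQ is set to in your postfix_rules.xml.

```xml
<group name="local,">
  <!-- Child rule: when 35052 fires for this one client, re-classify it as
       level 3. No e-mail is sent (threshold is level 7), but the alert is
       still logged, so it remains visible in the web UI. -->
  <rule id="100100" level="3">            <!-- placeholder local id (100000+) -->
    <if_sid>35052</if_sid>
    <srcip>192.0.2.10</srcip>             <!-- placeholder client address -->
    <description>Multiple unauthorized proxy attempts from known client, no e-mail.</description>
  </rule>

  <!-- Overwrite the stock rule: same id plus overwrite="yes" replaces it
       entirely, so every original condition must be repeated here.
       Level 6 keeps active response (6+) but stays under the e-mail
       threshold (7). frequency="8" is an assumed stand-in for $POSTFIX_FREQ. -->
  <rule id="3353" level="6" frequency="8" timeframe="120" overwrite="yes">
    <if_matched_sid>3303</if_matched_sid>
    <same_source_ip />
    <description>Multiple attempts to send e-mail from invalid/unknown sender domain.</description>
    <group>multiple_spam,</group>
  </rule>
</group>
```

After editing, run `ossec-logtest` with a sample of the log lines to confirm the new level is reported before restarting ossec.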